Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26/09/2024, 10:23
Static task: static1
Behavioral task: behavioral1
  Sample: f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe
Size: 179KB
MD5: f829068075a66248c618db9c7a7c3bb6
SHA1: 1798ab6f4dd48e390b72ff15410631287d72e70a
SHA256: 6db5b1e7bda8ab48e5f6cc2fee08ff2c250cde39fa21c938877e50ae5d1b619e
SHA512: 17969d65c706d687004c5d1c26dbae38566a41ec28c972e89f8203ecd0b1b1f950a52e660dd63667dd567bc8b06d3b438264161eba63c066c1e515dffc7a4cd1
SSDEEP: 3072:N29/K9xCyKtp5y5zd+d47mthmASvNLNcvf6XYlhzxuEaNlv92JiY:kyLA2RNyth/izMSXWt4lv9DY
Malware Config
Extracted: metasploit
Encoder: encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Deletes itself 1 IoCs
pid   Process
2908  igfxwd32.exe
Executes dropped EXE 31 IoCs
pid   Process
igfxwd32.exe (31 instances), pids: 3064, 2908, 2884, 2536, 1316, 2744, 764, 1236, 1384, 2748, 348, 1636, 1088, 900, 1324, 380, 112, 2352, 2188, 2892, 2860, 2784, 2544, 1808, 1984, 540, 1944, 1152, 1776, 2412, 1468
Loads dropped DLL 31 IoCs
pid   Process
2968  f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe
igfxwd32.exe (30 instances), pids: 3064, 2908, 2884, 2536, 1316, 2744, 764, 1236, 1384, 2748, 348, 1636, 1088, 900, 1324, 380, 112, 2352, 2188, 2892, 2860, 2784, 2544, 1808, 1984, 540, 1944, 1152, 1776, 2412
Maps connected drives based on registry 3 TTPs 32 IoCs
Disk information is often read in order to detect sandboxing environments.
description         ioc                                                          Process                                             occurrences
Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    igfxwd32.exe                                        15
Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe  1
Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe                                        15
Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe  1
Drops file in System32 directory 48 IoCs
description                    ioc                                Process                                             occurrences
File created                   C:\Windows\SysWOW64\igfxwd32.exe   igfxwd32.exe                                        15
File created                   C:\Windows\SysWOW64\igfxwd32.exe   f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe  1
File opened for modification   C:\Windows\SysWOW64\igfxwd32.exe   igfxwd32.exe                                        15
File opened for modification   C:\Windows\SysWOW64\igfxwd32.exe   f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe  1
File opened for modification   C:\Windows\SysWOW64\               igfxwd32.exe                                        15
File opened for modification   C:\Windows\SysWOW64\               f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe  1
Suspicious use of SetThreadContext 16 IoCs
description                            pid   Process                                             procid_target
PID 1768 set thread context of 2968    1768  f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe  31
PID 3064 set thread context of 2908    3064  igfxwd32.exe                                        33
PID 2884 set thread context of 2536    2884  igfxwd32.exe                                        35
PID 1316 set thread context of 2744    1316  igfxwd32.exe                                        37
PID 764 set thread context of 1236     764   igfxwd32.exe                                        39
PID 1384 set thread context of 2748    1384  igfxwd32.exe                                        41
PID 348 set thread context of 1636     348   igfxwd32.exe                                        43
PID 1088 set thread context of 900     1088  igfxwd32.exe                                        45
PID 1324 set thread context of 380     1324  igfxwd32.exe                                        47
PID 112 set thread context of 2352     112   igfxwd32.exe                                        50
PID 2188 set thread context of 2892    2188  igfxwd32.exe                                        52
PID 2860 set thread context of 2784    2860  igfxwd32.exe                                        54
PID 2544 set thread context of 1808    2544  igfxwd32.exe                                        56
PID 1984 set thread context of 540     1984  igfxwd32.exe                                        58
PID 1944 set thread context of 1152    1944  igfxwd32.exe                                        60
PID 1776 set thread context of 2412    1776  igfxwd32.exe                                        62
resource                                                                      yara_rule
37 memory dumps, each of the form behavioral1/memory/<pid>-<n>-0x0000000000400000-0x0000000000466000-memory.dmp, all matching rule upx.
<pid>-<n> values: 2968-4, 2968-9, 2968-8, 2968-7, 2968-3, 2968-2, 2968-6, 2968-19, 2908-29, 2908-32, 2908-31, 2908-30, 2908-38, 2536-50, 2536-55, 2744-67, 2744-66, 2744-65, 2744-73, 1236-85, 1236-90, 2748-102, 2748-108, 1636-120, 1636-125, 900-137, 900-142, 380-154, 380-160, 2352-170, 2352-178, 2892-194, 2784-211, 1808-227, 540-243, 1152-257, 2412-269
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 32 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                       Process                                             occurrences
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwd32.exe                                        30
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe  2
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid   Process                                             occurrences
2968  f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe  2
igfxwd32.exe, 2 occurrences each for pids: 2908, 2536, 2744, 1236, 2748, 1636, 900, 380, 2352, 2892, 2784, 1808, 540, 1152, 2412
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                             procid_target  occurrences
PID 1768 wrote to memory of 2968   1768  f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe  31             7
PID 2968 wrote to memory of 3064   2968  f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe  32             4
PID 3064 wrote to memory of 2908   3064  igfxwd32.exe                                        33             7
PID 2908 wrote to memory of 2884   2908  igfxwd32.exe                                        34             4
PID 2884 wrote to memory of 2536   2884  igfxwd32.exe                                        35             7
PID 2536 wrote to memory of 1316   2536  igfxwd32.exe                                        36             4
PID 1316 wrote to memory of 2744   1316  igfxwd32.exe                                        37             7
PID 2744 wrote to memory of 764    2744  igfxwd32.exe                                        38             4
PID 764 wrote to memory of 1236    764   igfxwd32.exe                                        39             7
PID 1236 wrote to memory of 1384   1236  igfxwd32.exe                                        40             4
PID 1384 wrote to memory of 2748   1384  igfxwd32.exe                                        41             7
PID 2748 wrote to memory of 348    2748  igfxwd32.exe                                        42             2
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1768

Depth 2: C:\Users\Admin\AppData\Local\Temp\f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f829068075a66248c618db9c7a7c3bb6_JaffaCakes118.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2968

Depth 3: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\F82906~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3064

Depth 4: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\F82906~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2908

Depth 5: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2884

Depth 6: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2536

Depth 7: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1316

Depth 8: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2744

Depth 9: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 764

Depth 10: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1236

Depth 11: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1384

Depth 12: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2748

Depth 13: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 348

Depth 14: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1636

Depth 15: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1088

Depth 16: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 900

Depth 17: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1324

Depth 18: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 380

Depth 19: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 112

Depth 20: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2352

Depth 21: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2188

Depth 22: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2892

Depth 23: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2860

Depth 24: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2784

Depth 25: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2544

Depth 26: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1808

Depth 27: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1984

Depth 28: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 540

Depth 29: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1944

Depth 30: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1152

Depth 31: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1776

Depth 32: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2412

Depth 33: C:\Windows\SysWOW64\igfxwd32.exe
Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
- Executes dropped EXE
PID: 1468
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 179KB
MD5: f829068075a66248c618db9c7a7c3bb6
SHA1: 1798ab6f4dd48e390b72ff15410631287d72e70a
SHA256: 6db5b1e7bda8ab48e5f6cc2fee08ff2c250cde39fa21c938877e50ae5d1b619e
SHA512: 17969d65c706d687004c5d1c26dbae38566a41ec28c972e89f8203ecd0b1b1f950a52e660dd63667dd567bc8b06d3b438264161eba63c066c1e515dffc7a4cd1