Analysis
- max time kernel: 147s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26/09/2024, 15:35
Static task: static1
Behavioral task: behavioral1
- Sample: f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe
- Size: 174KB
- MD5: f8ae3d04134db63bf814f3165944bdef
- SHA1: c702c34f97cc79b37c61add307997ab9250dd8f3
- SHA256: c563f1f45275a004ab9c038692b371b7369ffa0a98fb689b2a8a5ce0d6d51701
- SHA512: 2f6d2abf50847f65a505754d67946cb13ad3fcafd00563569b12f5904169942a934fea809681f345641dca29aa98a141382a23af48d12bdb26b27e94af3c88ac
- SSDEEP: 3072:q6UHMux55t76czZuVf6mm2fWTFphvIPKOcmZN8IjSPhZSeaOjA9/OX:BuT76KGFm28hvIPcmN5IhZSJ9/OX
Malware Config
- Extracted: metasploit, encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Deletes itself (1 IoC)
  PID 3004: igfxwd32.exe
- Executes dropped EXE (31 IoCs)
- Loads dropped DLL (31 IoCs)
- Maps connected drives based on registry (3 TTPs, 32 IoCs)
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory (48 IoCs)
- Suspicious use of SetThreadContext (16 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 32 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree (each entry is spawned by the one above it; the leading number is its depth in the tree):

1. C:\Users\Admin\AppData\Local\Temp\f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe (PID 2568)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe (PID 3064)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe"
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\igfxwd32.exe (PID 2768)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\F8AE3D~1.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\igfxwd32.exe (PID 3004)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\F8AE3D~1.EXE
   - Deletes itself
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\igfxwd32.exe (PID 2788)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\igfxwd32.exe (PID 2636)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\igfxwd32.exe (PID 672)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\igfxwd32.exe (PID 1632)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\igfxwd32.exe (PID 2520)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\igfxwd32.exe (PID 2820)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\igfxwd32.exe (PID 1072)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\igfxwd32.exe (PID 2440)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\igfxwd32.exe (PID 1648)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
14. C:\Windows\SysWOW64\igfxwd32.exe (PID 1916)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
15. C:\Windows\SysWOW64\igfxwd32.exe (PID 1760)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
16. C:\Windows\SysWOW64\igfxwd32.exe (PID 288)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
17. C:\Windows\SysWOW64\igfxwd32.exe (PID 1516)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
18. C:\Windows\SysWOW64\igfxwd32.exe (PID 708)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
19. C:\Windows\SysWOW64\igfxwd32.exe (PID 2288)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
20. C:\Windows\SysWOW64\igfxwd32.exe (PID 2552)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
21. C:\Windows\SysWOW64\igfxwd32.exe (PID 2352)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
22. C:\Windows\SysWOW64\igfxwd32.exe (PID 2712)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
23. C:\Windows\SysWOW64\igfxwd32.exe (PID 2168)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
24. C:\Windows\SysWOW64\igfxwd32.exe (PID 2224)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
25. C:\Windows\SysWOW64\igfxwd32.exe (PID 2784)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
26. C:\Windows\SysWOW64\igfxwd32.exe (PID 2652)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
27. C:\Windows\SysWOW64\igfxwd32.exe (PID 1120)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
28. C:\Windows\SysWOW64\igfxwd32.exe (PID 2688)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
29. C:\Windows\SysWOW64\igfxwd32.exe (PID 1816)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
30. C:\Windows\SysWOW64\igfxwd32.exe (PID 292)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
31. C:\Windows\SysWOW64\igfxwd32.exe (PID 832)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
32. C:\Windows\SysWOW64\igfxwd32.exe (PID 2960)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
33. C:\Windows\SysWOW64\igfxwd32.exe (PID 2332)
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   - Executes dropped EXE