Analysis
max time kernel: 148s
max time network: 126s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 04/11/2024, 01:16
Static task: static1
Behavioral task: behavioral1
- Sample: 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
Target: 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe
Size: 170KB
MD5: 8e6dc479f409c8f54869ec7d4378bfc7
SHA1: 16cab39b39712217515f845e72de4f211722ef5e
SHA256: 9f69504cc933d99732379b6e814736c96232017c4327b80d8c4c88a5ab5bdacf
SHA512: bf343f41573d79a6a8817c9c346206039400af92cc469e2350350ef58062cd7fe3cf583b808f95fc8b3baed8a8d8ed4c7ae6fce578acb8387fc2cfcd813594e3
SSDEEP: 3072:/2UPT6y+x9vjc6gA3SdQCvdOsg0Dd9NddhrEO81fJWWwi9:NTa9vjDgWS5dDrRrE9foQ
Malware Config
Extracted
- metasploit
- encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Deletes itself 1 IoCs
- pid 2716, process igfxwl32.exe
Executes dropped EXE 33 IoCs
Loads dropped DLL 33 IoCs
Maps connected drives based on registry 3 TTPs 34 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 51 IoCs
Suspicious use of SetThreadContext 17 IoCs
- PID 2596 set thread context of 2600 (pid 2596, process 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe, procid_target 31)
- PID 2432 set thread context of 2716 (pid 2432, process igfxwl32.exe, procid_target 33)
- PID 1324 set thread context of 2756 (pid 1324, process igfxwl32.exe, procid_target 35)
- PID 1480 set thread context of 2480 (pid 1480, process igfxwl32.exe, procid_target 37)
- PID 2132 set thread context of 3000 (pid 2132, process igfxwl32.exe, procid_target 39)
- PID 1760 set thread context of 2484 (pid 1760, process igfxwl32.exe, procid_target 41)
- PID 2516 set thread context of 572 (pid 2516, process igfxwl32.exe, procid_target 43)
- PID 1924 set thread context of 1240 (pid 1924, process igfxwl32.exe, procid_target 45)
- PID 1520 set thread context of 2188 (pid 1520, process igfxwl32.exe, procid_target 47)
- PID 1956 set thread context of 1584 (pid 1956, process igfxwl32.exe, procid_target 50)
- PID 868 set thread context of 2900 (pid 868, process igfxwl32.exe, procid_target 52)
- PID 3044 set thread context of 2212 (pid 3044, process igfxwl32.exe, procid_target 54)
- PID 1324 set thread context of 2760 (pid 1324, process igfxwl32.exe, procid_target 56)
- PID 1320 set thread context of 3020 (pid 1320, process igfxwl32.exe, procid_target 58)
- PID 1124 set thread context of 3032 (pid 1124, process igfxwl32.exe, procid_target 60)
- PID 2180 set thread context of 2008 (pid 2180, process igfxwl32.exe, procid_target 62)
- PID 2496 set thread context of 1016 (pid 2496, process igfxwl32.exe, procid_target 64)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 34 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 51 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2596
Level 2: C:\Users\Admin\AppData\Local\Temp\8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2600
Level 3: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\8E6DC4~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2432
Level 4: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\8E6DC4~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2716
Level 5: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1324
Level 6: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2756
Level 7: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1480
Level 8: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2480
Level 9: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2132
Level 10: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3000
Level 11: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1760
Level 12: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2484
Level 13: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2516
Level 14: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 572
Level 15: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1924
Level 16: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1240
Level 17: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1520
Level 18: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2188
Level 19: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1956
Level 20: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1584
Level 21: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 868
Level 22: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2900
Level 23: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 3044
Level 24: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2212
Level 25: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1324
Level 26: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2760
Level 27: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1320
Level 28: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 3020
Level 29: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1124
Level 30: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 3032
Level 31: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2180
Level 32: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2008
Level 33: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2496
Level 34: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1016
Level 35: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
PID: 2160
MITRE ATT&CK Enterprise v15