Analysis
max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
27-11-2024 04:19
Static task
static1
Behavioral task
behavioral1
Sample
a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
Target
a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe
Size
208KB
MD5
a5de8ee506b355479796ab5ce467db22
SHA1
09fc927ed73ef48bd36d3f809a9fd378db66d743
SHA256
b9640548b82f669d809d1e190016c9ca882578e0cdb350f896cdb7bd07906746
SHA512
8f005994d0a3dac469d624434bebfcbb3613873786ef09b743ebb90fe550d092efc6cef3796b91266f098fb1934b826a1529d9a0d9da01636080cd1e4b863f70
SSDEEP
6144:peCNPi1xvowBaxzsJM3tmXeLdIX4NwJN:peCBi1ewBaxAJM3tZNw
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
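The extracted config names Metasploit's x86 call4_dword_xor encoder. The Python below is an added illustration of the dword-XOR block transform that encoder family applies; it is not Metasploit's code and not the sample's bytes. The payload is padded to a dword boundary, every 4-byte block is XORed with one 32-bit key, and the key is chosen so that neither the key bytes (which the decoder stub embeds) nor the encoded output contain a caller-supplied bad character. The x86 decoder stub Metasploit prepends (which uses a call instruction to learn its own address and then walks the blob) is omitted; the NOP padding rule and the sample payload bytes are assumptions of this example.

```python
"""Dword-XOR encoding of the kind Metasploit's x86 call4_dword_xor encoder applies.

Added example: not Metasploit's implementation and not the sample's payload.
Only the block transform and key selection are shown; the x86 decoder stub is
omitted. Padding with NOPs is an assumption, not Metasploit's exact rule.
"""
import os
import struct


def pad_to_dword(payload: bytes, pad_byte: bytes = b"\x90") -> bytes:
    """Pad to a multiple of 4 bytes so the blob can be processed dword by dword."""
    rem = (-len(payload)) % 4
    return payload + pad_byte * rem


def xor_dwords(data: bytes, key: int) -> bytes:
    """XOR every little-endian dword of `data` with `key`.

    XOR is its own inverse, so the same call encodes and decodes.
    """
    if len(data) % 4:
        raise ValueError("data must be dword aligned")
    out = bytearray()
    for (dword,) in struct.iter_unpack("<I", data):
        out += struct.pack("<I", dword ^ key)
    return bytes(out)


def find_key(payload: bytes, badchars: bytes, tries: int = 10_000) -> int:
    """Pick a random 32-bit key such that neither the key bytes nor the encoded
    output contain any byte from `badchars`."""
    for _ in range(tries):
        key = struct.unpack("<I", os.urandom(4))[0]
        key_bytes = struct.pack("<I", key)
        if any(b in badchars for b in key_bytes):
            continue
        enc = xor_dwords(payload, key)
        if not any(b in badchars for b in enc):
            return key
    raise ValueError("no key found that avoids the bad characters")


def encode(payload: bytes, badchars: bytes) -> tuple[int, bytes]:
    """Return (key, encoded_blob) for a payload and a bad-character set."""
    padded = pad_to_dword(payload)
    key = find_key(padded, badchars)
    return key, xor_dwords(padded, key)


def decode(blob: bytes, key: int) -> bytes:
    """Recover the padded plaintext from an encoded blob and its key."""
    return xor_dwords(blob, key)


# Constructed stand-in payload (contains NUL bytes, the usual reason to encode).
SAMPLE_PAYLOAD = bytes.fromhex(
    "fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ff"
)
BADCHARS = b"\x00\x0a\x0d"


def demo() -> bool:
    """Encode, check the bad-character constraint, decode, compare."""
    key, blob = encode(SAMPLE_PAYLOAD, BADCHARS)
    no_badchars = not any(b in BADCHARS for b in blob)
    roundtrip = decode(blob, key)[: len(SAMPLE_PAYLOAD)] == SAMPLE_PAYLOAD
    return no_badchars and roundtrip


if __name__ == "__main__":
    key, blob = encode(SAMPLE_PAYLOAD, BADCHARS)
    print(f"key=0x{key:08x} encoded={blob.hex()} ok={demo()}")
```

The same xor_dwords() call is the analyst's decoder: once the 32-bit key is lifted from the stub in a captured blob, applying it to the dword-aligned body returns the original payload.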
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
description        | ioc                                                                                                 | Process                                            | count
Key value queried  | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe | 1
Key value queried  | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | igfxcf32.exe                                       | 12
Deletes itself 1 IoCs
pid  | Process
4848 | igfxcf32.exe
Executes dropped EXE 26 IoCs
Process: igfxcf32.exe (26 instances)
pids: 3236, 4848, 112, 4136, 1956, 2840, 4876, 5004, 452, 3652, 3044, 1608, 916, 3972, 4000, 220, 4704, 3684, 4748, 3748, 4464, 3680, 3828, 4268, 4688, 1068
Maps connected drives based on registry 3 TTPs 28 IoCs
Disk information is often read in order to detect sandboxing environments.
description        | ioc                                                          | Process                                            | count
Key value queried  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  | a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe | 1
Key opened         | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    | a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe | 1
Key value queried  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  | igfxcf32.exe                                       | 13
Key opened         | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    | igfxcf32.exe                                       | 13
Drops file in System32 directory 40 IoCs
description                   | ioc                               | Process                                            | count
File opened for modification  | C:\Windows\SysWOW64\igfxcf32.exe  | a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe | 1
File opened for modification  | C:\Windows\SysWOW64\              | a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe | 1
File created                  | C:\Windows\SysWOW64\igfxcf32.exe  | a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe | 1
File opened for modification  | C:\Windows\SysWOW64\igfxcf32.exe  | igfxcf32.exe                                       | 12
File opened for modification  | C:\Windows\SysWOW64\              | igfxcf32.exe                                       | 13
File created                  | C:\Windows\SysWOW64\igfxcf32.exe  | igfxcf32.exe                                       | 12
Note: the process command lines refer to C:\Windows\system32\igfxcf32.exe, but the file lands in SysWOW64 because the sample is a 32-bit (x86) binary and WOW64 file system redirection maps its system32 references there. Hunt for the dropped copy under SysWOW64, not System32.
Suspicious use of SetThreadContext 14 IoCs
pid  | Process                                            | action                | target pid | procid_target
4696 | a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe | set thread context of | 2344       | 83
3236 | igfxcf32.exe                                       | set thread context of | 4848       | 97
112  | igfxcf32.exe                                       | set thread context of | 4136       | 99
1956 | igfxcf32.exe                                       | set thread context of | 2840       | 104
4876 | igfxcf32.exe                                       | set thread context of | 5004       | 106
452  | igfxcf32.exe                                       | set thread context of | 3652       | 108
3044 | igfxcf32.exe                                       | set thread context of | 1608       | 111
916  | igfxcf32.exe                                       | set thread context of | 3972       | 113
4000 | igfxcf32.exe                                       | set thread context of | 220        | 115
4704 | igfxcf32.exe                                       | set thread context of | 3684       | 117
4748 | igfxcf32.exe                                       | set thread context of | 3748       | 119
4464 | igfxcf32.exe                                       | set thread context of | 3680       | 121
3828 | igfxcf32.exe                                       | set thread context of | 4268       | 123
4688 | igfxcf32.exe                                       | set thread context of | 1068       | 125
yara_rule upx 31 IoCs
Every hit is a memory dump of the region 0x0000000000400000-0x0000000000455000; resources are named behavioral2/memory/<pid>-<n>-0x0000000000400000-0x0000000000455000-memory.dmp.
pid  | dump numbers n          | yara_rule
2344 | 1, 4, 5, 6, 33, 41      | upx
4848 | 48, 50, 54              | upx
4136 | 62, 66                  | upx
2840 | 73, 76                  | upx
5004 | 83, 85                  | upx
3652 | 93, 97                  | upx
1608 | 105, 109                | upx
3972 | 116, 120                | upx
220  | 127, 131                | upx
3684 | 138, 142                | upx
3748 | 149, 152                | upx
3680 | 159, 163                | upx
4268 | 171, 175                | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 27 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc                                                        | Process                                            | count
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe | 2
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxcf32.exe                                       | 25
Modifies registry class 13 IoCs
description | ioc                                                                                                 | Process                                            | count
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe | 1
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxcf32.exe                                       | 12
Suspicious behavior: EnumeratesProcesses 56 IoCs
pid  | Process                                            | count
2344 | a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe | 4
4848 | igfxcf32.exe                                       | 4
4136 | igfxcf32.exe                                       | 4
2840 | igfxcf32.exe                                       | 4
5004 | igfxcf32.exe                                       | 4
3652 | igfxcf32.exe                                       | 4
1608 | igfxcf32.exe                                       | 4
3972 | igfxcf32.exe                                       | 4
220  | igfxcf32.exe                                       | 4
3684 | igfxcf32.exe                                       | 4
3748 | igfxcf32.exe                                       | 4
3680 | igfxcf32.exe                                       | 4
4268 | igfxcf32.exe                                       | 4
1068 | igfxcf32.exe                                       | 4
Suspicious use of WriteProcessMemory 64 IoCs
pid  | Process                                            | action             | target pid | procid_target | count
4696 | a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe | wrote to memory of | 2344       | 83            | 7
2344 | a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe | wrote to memory of | 3236       | 94            | 3
3236 | igfxcf32.exe                                       | wrote to memory of | 4848       | 97            | 7
4848 | igfxcf32.exe                                       | wrote to memory of | 112        | 98            | 3
112  | igfxcf32.exe                                       | wrote to memory of | 4136       | 99            | 7
4136 | igfxcf32.exe                                       | wrote to memory of | 1956       | 103           | 3
1956 | igfxcf32.exe                                       | wrote to memory of | 2840       | 104           | 7
2840 | igfxcf32.exe                                       | wrote to memory of | 4876       | 105           | 3
4876 | igfxcf32.exe                                       | wrote to memory of | 5004       | 106           | 7
5004 | igfxcf32.exe                                       | wrote to memory of | 452        | 107           | 3
452  | igfxcf32.exe                                       | wrote to memory of | 3652       | 108           | 7
3652 | igfxcf32.exe                                       | wrote to memory of | 3044       | 110           | 3
3044 | igfxcf32.exe                                       | wrote to memory of | 1608       | 111           | 4
The counts sum to the 64 entries listed; the report lists no entries beyond the 3044 -> 1608 pair.
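Read together, the SetThreadContext and WriteProcessMemory signatures describe one repeating pattern: a process spawns a child (three writes, no context change), and that child starts a second copy of the same image, writes into it seven times, then calls SetThreadContext on it. Every upx-tagged memory dump in the report comes from a PID on the receiving end of SetThreadContext (2344, 4848, 4136, ...), which is consistent with an unpacked image being written into a suspended child, i.e. process hollowing, although the report itself does not name the technique. The script below is an added example, not part of the report: it parses the report's row format (row strings copied from the two tables, WriteProcessMemory abridged to the first five pairs with the repeat counts the report gives) and labels each parent/child pair. The "hollowing candidate" label is this script's own heuristic, not a sandbox verdict.

```python
"""Derive the injection chain from the report's SetThreadContext and
WriteProcessMemory rows.

Added example, not part of the sandbox report. ROW strings reproduce the
report's flattened table format; WriteProcessMemory is abridged to the first
five source/target pairs, repeated as many times as the report lists them.
The "hollowing candidate" label is a heuristic of this script.
"""
import re
from dataclasses import dataclass

# One row of either table: "PID <src> <action> <dst> <src> <image> <procid_target>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<target_id>\d+)"
)

SAMPLE = "a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe"
DROPPED = "igfxcf32.exe"

# Rows copied from the report (first three SetThreadContext entries).
SET_CONTEXT_ROWS = (
    f"PID 4696 set thread context of 2344 4696 {SAMPLE} 83\n"
    f"PID 3236 set thread context of 4848 3236 {DROPPED} 97\n"
    f"PID 112 set thread context of 4136 112 {DROPPED} 99\n"
)
# Rows copied from the report, repeated the number of times the report lists them.
WRITE_ROWS = (
    f"PID 4696 wrote to memory of 2344 4696 {SAMPLE} 83\n" * 7
    + f"PID 2344 wrote to memory of 3236 2344 {SAMPLE} 94\n" * 3
    + f"PID 3236 wrote to memory of 4848 3236 {DROPPED} 97\n" * 7
    + f"PID 4848 wrote to memory of 112 4848 {DROPPED} 98\n" * 3
    + f"PID 112 wrote to memory of 4136 112 {DROPPED} 99\n" * 7
)


@dataclass
class Edge:
    """One parent -> child relationship reconstructed from the rows."""
    src: int
    dst: int
    image: str            # image of the writing (parent) process, as the report lists it
    writes: int = 0       # number of WriteProcessMemory rows for this pair
    set_context: bool = False

    @property
    def kind(self) -> str:
        # A burst of cross-process writes followed by SetThreadContext on the
        # target is the shape of process hollowing; writes alone look like an
        # ordinary child spawn.
        return "hollowing candidate" if self.set_context else "spawn"


def parse_rows(text: str):
    """Yield (src_pid, dst_pid, action, image) for every row matched in `text`."""
    for m in ROW_RE.finditer(text):
        yield int(m["src"]), int(m["dst"]), m["action"], m["image"]


def build_chain(write_rows: str, ctx_rows: str) -> list[Edge]:
    """Merge both tables into one Edge per (src, dst) pair, in first-seen order."""
    edges: dict = {}
    for src, dst, _, image in parse_rows(write_rows):
        edge = edges.setdefault((src, dst), Edge(src, dst, image))
        edge.writes += 1
    for src, dst, _, image in parse_rows(ctx_rows):
        edges.setdefault((src, dst), Edge(src, dst, image)).set_context = True
    return list(edges.values())


def analyze() -> list[Edge]:
    """Run the reconstruction over the embedded report rows."""
    return build_chain(WRITE_ROWS, SET_CONTEXT_ROWS)


if __name__ == "__main__":
    for e in analyze():
        print(f"{e.src:>5} -> {e.dst:<5} {e.image:<52} writes={e.writes} ctx={e.set_context} {e.kind}")
```

The output alternates spawn, hollowing candidate, spawn, hollowing candidate: each dropped igfxcf32.exe runs once as a launcher and once as the hollowed host, which is why the process tree below is twice as deep as the number of drop cycles. To confirm, dump the 0x400000 region of a SetThreadContext target (the upx yara hits above mark those dumps) and compare it with the on-disk igfxcf32.exe.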
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4696
[depth 2] C:\Users\Admin\AppData\Local\Temp\a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\a5de8ee506b355479796ab5ce467db22_JaffaCakes118.exe"
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2344
[depth 3] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Users\Admin\AppData\Local\Temp\A5DE8E~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3236
[depth 4] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Users\Admin\AppData\Local\Temp\A5DE8E~1.EXE
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4848
[depth 5] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 112
[depth 6] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4136
[depth 7] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1956
[depth 8] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2840
[depth 9] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4876
[depth 10] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 5004
[depth 11] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 452
[depth 12] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3652
[depth 13] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3044
[depth 14] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1608
[depth 15] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 916
[depth 16] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3972
[depth 17] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4000
[depth 18] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 220
[depth 19] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4704
[depth 20] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3684
[depth 21] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4748
[depth 22] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3748
[depth 23] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4464
[depth 24] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3680
[depth 25] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3828
[depth 26] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4268
[depth 27] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4688
[depth 28] C:\Windows\SysWOW64\igfxcf32.exe
cmdline: "C:\Windows\system32\igfxcf32.exe" C:\Windows\SysWOW64\igfxcf32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 1068
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
208KB
MD5
a5de8ee506b355479796ab5ce467db22
SHA1
09fc927ed73ef48bd36d3f809a9fd378db66d743
SHA256
b9640548b82f669d809d1e190016c9ca882578e0cdb350f896cdb7bd07906746
SHA512
8f005994d0a3dac469d624434bebfcbb3613873786ef09b743ebb90fe550d092efc6cef3796b91266f098fb1934b826a1529d9a0d9da01636080cd1e4b863f70