Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2024 05:30
Static task: static1
Behavioral task: behavioral1
  Sample: a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
Size: 169KB
MD5: a62a9926798173f4c3e39ddd6f50de32
SHA1: 9f8185187a37944a644bf680477bef36a4a97c55
SHA256: 150fd9481857647a761596949c2de1baa86433b98d7eb394868ab9c2d9f1dd37
SHA512: 5e1856341fac59b622bba7c33b6a6fc52e2307894132653d3a57d92ab89682bf593e956f4a1e374709a1da996960c64a9666596bb35e86cd2270038938b5fda9
SSDEEP: 3072:92uRK0VYRg+yPbQNps8UBZgCwiMRPSmBnWppAuEklwERp:BbYP5UBZgCAPSW0KuEk3p
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Deletes itself 1 IoCs
pid | Process
372 | igfxwp32.exe
Executes dropped EXE 32 IoCs
pid | Process
4552 | igfxwp32.exe
372 | igfxwp32.exe
2976 | igfxwp32.exe
1656 | igfxwp32.exe
3004 | igfxwp32.exe
2768 | igfxwp32.exe
3468 | igfxwp32.exe
1384 | igfxwp32.exe
4312 | igfxwp32.exe
3260 | igfxwp32.exe
3580 | igfxwp32.exe
4332 | igfxwp32.exe
4968 | igfxwp32.exe
5020 | igfxwp32.exe
804 | igfxwp32.exe
3528 | igfxwp32.exe
1108 | igfxwp32.exe
3020 | igfxwp32.exe
3568 | igfxwp32.exe
3068 | igfxwp32.exe
3012 | igfxwp32.exe
924 | igfxwp32.exe
4688 | igfxwp32.exe
3976 | igfxwp32.exe
4460 | igfxwp32.exe
2976 | igfxwp32.exe
1100 | igfxwp32.exe
4268 | igfxwp32.exe
3888 | igfxwp32.exe
3468 | igfxwp32.exe
1568 | igfxwp32.exe
4424 | igfxwp32.exe
Maps connected drives based on registry 3 TTPs 34 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Drops file in System32 directory 48 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
Suspicious use of SetThreadContext 17 IoCs
description | pid | Process | procid_target
PID 4560 set thread context of 3052 | 4560 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe | 91
PID 4552 set thread context of 372 | 4552 | igfxwp32.exe | 96
PID 2976 set thread context of 1656 | 2976 | igfxwp32.exe | 98
PID 3004 set thread context of 2768 | 3004 | igfxwp32.exe | 103
PID 3468 set thread context of 1384 | 3468 | igfxwp32.exe | 105
PID 4312 set thread context of 3260 | 4312 | igfxwp32.exe | 107
PID 3580 set thread context of 4332 | 3580 | igfxwp32.exe | 109
PID 4968 set thread context of 5020 | 4968 | igfxwp32.exe | 111
PID 804 set thread context of 3528 | 804 | igfxwp32.exe | 113
PID 1108 set thread context of 3020 | 1108 | igfxwp32.exe | 115
PID 3568 set thread context of 3068 | 3568 | igfxwp32.exe | 117
PID 3012 set thread context of 924 | 3012 | igfxwp32.exe | 119
PID 4688 set thread context of 3976 | 4688 | igfxwp32.exe | 121
PID 4460 set thread context of 2976 | 4460 | igfxwp32.exe | 123
PID 1100 set thread context of 4268 | 1100 | igfxwp32.exe | 125
PID 3888 set thread context of 3468 | 3888 | igfxwp32.exe | 127
PID 1568 set thread context of 4424 | 1568 | igfxwp32.exe | 129
resource | yara_rule
behavioral2/memory/3052-0-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3052-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3052-3-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3052-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3052-36-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/372-43-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/372-45-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/372-44-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/372-47-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1656-54-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2768-62-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1384-69-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3260-76-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4332-83-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/5020-90-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3528-97-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3020-105-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3068-112-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/924-120-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3976-129-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2976-138-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4268-146-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3468-154-0x0000000000400000-0x0000000000466000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 33 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Modifies registry class 16 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4560 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
4560 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
3052 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
3052 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
3052 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
3052 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
4552 | igfxwp32.exe
4552 | igfxwp32.exe
372 | igfxwp32.exe
372 | igfxwp32.exe
372 | igfxwp32.exe
372 | igfxwp32.exe
2976 | igfxwp32.exe
2976 | igfxwp32.exe
1656 | igfxwp32.exe
1656 | igfxwp32.exe
1656 | igfxwp32.exe
1656 | igfxwp32.exe
3004 | igfxwp32.exe
3004 | igfxwp32.exe
2768 | igfxwp32.exe
2768 | igfxwp32.exe
2768 | igfxwp32.exe
2768 | igfxwp32.exe
3468 | igfxwp32.exe
3468 | igfxwp32.exe
1384 | igfxwp32.exe
1384 | igfxwp32.exe
1384 | igfxwp32.exe
1384 | igfxwp32.exe
4312 | igfxwp32.exe
4312 | igfxwp32.exe
3260 | igfxwp32.exe
3260 | igfxwp32.exe
3260 | igfxwp32.exe
3260 | igfxwp32.exe
3580 | igfxwp32.exe
3580 | igfxwp32.exe
4332 | igfxwp32.exe
4332 | igfxwp32.exe
4332 | igfxwp32.exe
4332 | igfxwp32.exe
4968 | igfxwp32.exe
4968 | igfxwp32.exe
5020 | igfxwp32.exe
5020 | igfxwp32.exe
5020 | igfxwp32.exe
5020 | igfxwp32.exe
804 | igfxwp32.exe
804 | igfxwp32.exe
3528 | igfxwp32.exe
3528 | igfxwp32.exe
3528 | igfxwp32.exe
3528 | igfxwp32.exe
1108 | igfxwp32.exe
1108 | igfxwp32.exe
3020 | igfxwp32.exe
3020 | igfxwp32.exe
3020 | igfxwp32.exe
3020 | igfxwp32.exe
3568 | igfxwp32.exe
3568 | igfxwp32.exe
3068 | igfxwp32.exe
3068 | igfxwp32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4560 wrote to memory of 3052 | 4560 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe | 91
PID 4560 wrote to memory of 3052 | 4560 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe | 91
PID 4560 wrote to memory of 3052 | 4560 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe | 91
PID 4560 wrote to memory of 3052 | 4560 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe | 91
PID 4560 wrote to memory of 3052 | 4560 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe | 91
PID 4560 wrote to memory of 3052 | 4560 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe | 91
PID 4560 wrote to memory of 3052 | 4560 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe | 91
PID 3052 wrote to memory of 4552 | 3052 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe | 95
PID 3052 wrote to memory of 4552 | 3052 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe | 95
PID 3052 wrote to memory of 4552 | 3052 | a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe | 95
PID 4552 wrote to memory of 372 | 4552 | igfxwp32.exe | 96
PID 4552 wrote to memory of 372 | 4552 | igfxwp32.exe | 96
PID 4552 wrote to memory of 372 | 4552 | igfxwp32.exe | 96
PID 4552 wrote to memory of 372 | 4552 | igfxwp32.exe | 96
PID 4552 wrote to memory of 372 | 4552 | igfxwp32.exe | 96
PID 4552 wrote to memory of 372 | 4552 | igfxwp32.exe | 96
PID 4552 wrote to memory of 372 | 4552 | igfxwp32.exe | 96
PID 372 wrote to memory of 2976 | 372 | igfxwp32.exe | 97
PID 372 wrote to memory of 2976 | 372 | igfxwp32.exe | 97
PID 372 wrote to memory of 2976 | 372 | igfxwp32.exe | 97
PID 2976 wrote to memory of 1656 | 2976 | igfxwp32.exe | 98
PID 2976 wrote to memory of 1656 | 2976 | igfxwp32.exe | 98
PID 2976 wrote to memory of 1656 | 2976 | igfxwp32.exe | 98
PID 2976 wrote to memory of 1656 | 2976 | igfxwp32.exe | 98
PID 2976 wrote to memory of 1656 | 2976 | igfxwp32.exe | 98
PID 2976 wrote to memory of 1656 | 2976 | igfxwp32.exe | 98
PID 2976 wrote to memory of 1656 | 2976 | igfxwp32.exe | 98
PID 1656 wrote to memory of 3004 | 1656 | igfxwp32.exe | 99
PID 1656 wrote to memory of 3004 | 1656 | igfxwp32.exe | 99
PID 1656 wrote to memory of 3004 | 1656 | igfxwp32.exe | 99
PID 3004 wrote to memory of 2768 | 3004 | igfxwp32.exe | 103
PID 3004 wrote to memory of 2768 | 3004 | igfxwp32.exe | 103
PID 3004 wrote to memory of 2768 | 3004 | igfxwp32.exe | 103
PID 3004 wrote to memory of 2768 | 3004 | igfxwp32.exe | 103
PID 3004 wrote to memory of 2768 | 3004 | igfxwp32.exe | 103
PID 3004 wrote to memory of 2768 | 3004 | igfxwp32.exe | 103
PID 3004 wrote to memory of 2768 | 3004 | igfxwp32.exe | 103
PID 2768 wrote to memory of 3468 | 2768 | igfxwp32.exe | 104
PID 2768 wrote to memory of 3468 | 2768 | igfxwp32.exe | 104
PID 2768 wrote to memory of 3468 | 2768 | igfxwp32.exe | 104
PID 3468 wrote to memory of 1384 | 3468 | igfxwp32.exe | 105
PID 3468 wrote to memory of 1384 | 3468 | igfxwp32.exe | 105
PID 3468 wrote to memory of 1384 | 3468 | igfxwp32.exe | 105
PID 3468 wrote to memory of 1384 | 3468 | igfxwp32.exe | 105
PID 3468 wrote to memory of 1384 | 3468 | igfxwp32.exe | 105
PID 3468 wrote to memory of 1384 | 3468 | igfxwp32.exe | 105
PID 3468 wrote to memory of 1384 | 3468 | igfxwp32.exe | 105
PID 1384 wrote to memory of 4312 | 1384 | igfxwp32.exe | 106
PID 1384 wrote to memory of 4312 | 1384 | igfxwp32.exe | 106
PID 1384 wrote to memory of 4312 | 1384 | igfxwp32.exe | 106
PID 4312 wrote to memory of 3260 | 4312 | igfxwp32.exe | 107
PID 4312 wrote to memory of 3260 | 4312 | igfxwp32.exe | 107
PID 4312 wrote to memory of 3260 | 4312 | igfxwp32.exe | 107
PID 4312 wrote to memory of 3260 | 4312 | igfxwp32.exe | 107
PID 4312 wrote to memory of 3260 | 4312 | igfxwp32.exe | 107
PID 4312 wrote to memory of 3260 | 4312 | igfxwp32.exe | 107
PID 4312 wrote to memory of 3260 | 4312 | igfxwp32.exe | 107
PID 3260 wrote to memory of 3580 | 3260 | igfxwp32.exe | 108
PID 3260 wrote to memory of 3580 | 3260 | igfxwp32.exe | 108
PID 3260 wrote to memory of 3580 | 3260 | igfxwp32.exe | 108
PID 3580 wrote to memory of 4332 | 3580 | igfxwp32.exe | 109
PID 3580 wrote to memory of 4332 | 3580 | igfxwp32.exe | 109
PID 3580 wrote to memory of 4332 | 3580 | igfxwp32.exe | 109
PID 3580 wrote to memory of 4332 | 3580 | igfxwp32.exe | 109
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4560
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a62a9926798173f4c3e39ddd6f50de32_JaffaCakes118.exe"
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3052
Process (depth 3): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\A62A99~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4552
Process (depth 4): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\A62A99~1.EXE
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 372
Process (depth 5): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2976
Process (depth 6): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1656
Process (depth 7): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3004
Process (depth 8): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2768
Process (depth 9): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3468
Process (depth 10): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1384
Process (depth 11): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4312
Process (depth 12): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3260
Process (depth 13): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3580
Process (depth 14): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4332
Process (depth 15): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 4968
Process (depth 16): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 5020
Process (depth 17): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 804
Process (depth 18): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3528
Process (depth 19): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1108
Process (depth 20): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3020
Process (depth 21): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 3568
Process (depth 22): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3068
Process (depth 23): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3012
Process (depth 24): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 924
Process (depth 25): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4688
Process (depth 26): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3976
Process (depth 27): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4460
Process (depth 28): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2976
Process (depth 29): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1100
Process (depth 30): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4268
Process (depth 31): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3888
Process (depth 32): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3468
Process (depth 33): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1568
Process (depth 34): C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Maps connected drives based on registry
PID: 4424
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 169KB
MD5: a62a9926798173f4c3e39ddd6f50de32
SHA1: 9f8185187a37944a644bf680477bef36a4a97c55
SHA256: 150fd9481857647a761596949c2de1baa86433b98d7eb394868ab9c2d9f1dd37
SHA512: 5e1856341fac59b622bba7c33b6a6fc52e2307894132653d3a57d92ab89682bf593e956f4a1e374709a1da996960c64a9666596bb35e86cd2270038938b5fda9