Analysis

max time kernel: 144s
max time network: 121s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2024 23:00

Static task: static1
Behavioral task: behavioral1, sample ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe, resource win7-20241010-en (the run whose results are shown on this page)
Behavioral task: behavioral2, sample ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe, resource win10v2004-20241007-en

General

Target: ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe
Size: 174KB
MD5: ba989968b0b612fcd5be4f13420e90d7
SHA1: 8eb5d17ac4a6930464426fc48a2c18c11150bbd5
SHA256: 25852638935167770734c0ffd7577d03fda9f5f9d45155153f31abf2c5300ff0
SHA512: d884ff5ace0d8974f2240b3a0c7da1062d482932a96232e4301d4ab43ebd27b303981727ac0af567166f39b54b125bce237005892ad00b82eeceefd9e75a7a58
SSDEEP: 3072:q6UHMux55clgTn/iHmKtzld4as4MhX7VCLpsM7dRrveuJwWRTw:BucgL/m4aHuXQh7LeuvRk
Malware Config

Extracted
Family: metasploit
Encoder: encoder/call4_dword_xor (Metasploit's Call+4 Dword XOR shellcode encoder)

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Metasploit family
Deletes itself (1 IoC)
pid   Process
2500  igfxwt32.exe
Executes dropped EXE (29 IoCs)
Process igfxwt32.exe, pids: 2720, 2500, 1688, 2024, 2908, 2868, 2076, 2924, 2268, 2220, 1496, 1144, 1600, 1780, 1048, 2772, 1928, 2124, 3004, 2716, 2620, 572, 1832, 2248, 2356, 2904, 2780, 1960, 2136
Loads dropped DLL (29 IoCs)
Process ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe, pid: 2816
Process igfxwt32.exe, pids: 2720, 2500, 1688, 2024, 2908, 2868, 2076, 2924, 2268, 2220, 1496, 1144, 1600, 1780, 1048, 2772, 1928, 2124, 3004, 2716, 2620, 572, 1832, 2248, 2356, 2904, 2780, 1960 (every igfxwt32.exe instance except the last one, 2136)
Maps connected drives based on registry (3 TTPs, 30 IoCs)
Disk information is often read in order to detect sandboxing environments. Value 0 under Services\Disk\Enum holds the device instance ID of the first disk, which embeds the disk's vendor/model string; virtual-machine disk controllers are recognisable from it, so reading it is a common anti-analysis check.

The 30 rows collapse to four distinct entries (count = number of identical rows):
description        ioc                                                          Process                                             count
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    igfxwt32.exe                                        14
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe  1
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwt32.exe                                        14
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe  1
Drops file in System32 directory (45 IoCs)
The 45 rows collapse to six distinct entries (count = number of identical rows). The drop lands in SysWOW64 although every command line in the process tree names C:\Windows\system32: the sample is a 32-bit image (resource tag arch:x86, image base 0x400000), so WOW64 file-system redirection maps system32 to SysWOW64 for it.
description                   ioc                               Process                                             count
File created                  C:\Windows\SysWOW64\igfxwt32.exe  igfxwt32.exe                                        14
File created                  C:\Windows\SysWOW64\igfxwt32.exe  ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe  1
File opened for modification  C:\Windows\SysWOW64\igfxwt32.exe  igfxwt32.exe                                        14
File opened for modification  C:\Windows\SysWOW64\igfxwt32.exe  ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe  1
File opened for modification  C:\Windows\SysWOW64\              igfxwt32.exe                                        14
File opened for modification  C:\Windows\SysWOW64\              ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe  1
Suspicious use of SetThreadContext (15 IoCs)
description                          pid   Process                                             procid_target
PID 2340 set thread context of 2816  2340  ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe  30
PID 2720 set thread context of 2500  2720  igfxwt32.exe                                        32
PID 1688 set thread context of 2024  1688  igfxwt32.exe                                        35
PID 2908 set thread context of 2868  2908  igfxwt32.exe                                        37
PID 2076 set thread context of 2924  2076  igfxwt32.exe                                        39
PID 2268 set thread context of 2220  2268  igfxwt32.exe                                        41
PID 1496 set thread context of 1144  1496  igfxwt32.exe                                        43
PID 1600 set thread context of 1780  1600  igfxwt32.exe                                        45
PID 1048 set thread context of 2772  1048  igfxwt32.exe                                        47
PID 1928 set thread context of 2124  1928  igfxwt32.exe                                        49
PID 3004 set thread context of 2716  3004  igfxwt32.exe                                        51
PID 2620 set thread context of 572   2620  igfxwt32.exe                                        53
PID 1832 set thread context of 2248  1832  igfxwt32.exe                                        55
PID 2356 set thread context of 2904  2356  igfxwt32.exe                                        57
PID 2780 set thread context of 1960  2780  igfxwt32.exe                                        59
YARA rule matches: upx (36 memory dumps)
resource                                                                         yara_rule
behavioral1/memory/<pid>-<n>-0x0000000000400000-0x0000000000467000-memory.dmp    upx
Every match is the same 0x67000-byte image region (0x400000 to 0x467000) of a process that was the target of SetThreadContext. (pid: n) for the 36 dumps:
2816: 2, 3, 4, 6, 7, 8, 9, 19
2500: 29, 30, 31, 32, 37
2024: 47, 48, 53
2868: 63, 64, 70
2924: 80, 81, 82, 87
2220: 103
1144: 119
1780: 135
2772: 151
2124: 167
2716: 177, 184
572: 200
2248: 211, 218
2904: 233
1960: 242, 246
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 30 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.

The 30 rows collapse to two distinct entries (count = number of identical rows); unlike the disk check, this one is performed by every process in the chain, launchers included:
description  ioc                                                          Process                                             count
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwt32.exe                                        28
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe  2
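The two registry signatures above (the Disk\Enum sandbox check and the NLS\Language lookup) are the kind of thing an analyst wants to recognise automatically in any sandbox or EDR registry log, not only in this report. The following is an added example, not code from the report or from Triage: it normalises object-manager key paths (\REGISTRY\MACHINE, ControlSet001) into the HKLM\SYSTEM\CurrentControlSet form, classifies each access against the two signatures, and tallies hits per process. The ATT&CK identifiers are my own mapping (T1082 for the disk enumeration, T1614.001 for the language lookup), and SAMPLE_RECORDS is a constructed subset in the shape of the report's rows.

```python
"""
Classify sandbox registry-access records into the two discovery signatures
raised above. Added example; not code from the report or from Triage.
"""
import re
from collections import Counter

# Sandbox logs name keys in object-manager form (\REGISTRY\MACHINE\...) with
# the concrete control set (ControlSet001/002). Detection logic should see the
# familiar HKLM\SYSTEM\CurrentControlSet spelling regardless of either.
_CONTROLSET = re.compile(r"\\ControlSet\d{3}\\", re.I)


def normalize_key(path: str) -> str:
    low = path.lower()
    for objdir, hive in (("\\registry\\machine\\", "HKLM\\"),
                         ("\\registry\\user\\", "HKU\\")):
        if low.startswith(objdir):
            path = hive + path[len(objdir):]
            break
    path = _CONTROLSET.sub(lambda _m: "\\CurrentControlSet\\", path)
    return path.lower()


# normalised key -> (signature name as the report labels it, ATT&CK technique)
# The technique IDs are this example's mapping, not taken from the report.
SIGNATURES = {
    "hklm\\system\\currentcontrolset\\services\\disk\\enum":
        ("Maps connected drives based on registry", "T1082"),
    "hklm\\system\\currentcontrolset\\control\\nls\\language":
        ("System Location Discovery: System Language Discovery", "T1614.001"),
}


def classify(key: str):
    """(signature, technique) for a key or any value/subkey under it; None otherwise."""
    k = normalize_key(key)
    for prefix, sig in SIGNATURES.items():
        if k == prefix or k.startswith(prefix + "\\"):
            return sig
    return None


def tally(records):
    """records: (description, ioc, process) triples as in the report's tables.
    Counts hits per (process, signature) so it is visible which stage probes."""
    counts = Counter()
    for _description, key, process in records:
        hit = classify(key)
        if hit is not None:
            counts[(process, hit[0])] += 1
    return counts


# Constructed sample rows in the shape of the report's tables (not all 60 rows).
SAMPLE_RECORDS = [
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0", "igfxwt32.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum", "igfxwt32.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
     "ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "igfxwt32.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "igfxwt32.exe"),
]

if __name__ == "__main__":
    for (process, signature), n in sorted(tally(SAMPLE_RECORDS).items()):
        print(f"{n:3d}  {process:52s}  {signature}")
```

The prefix match deliberately covers values and subkeys beneath each key, so `Key value queried ...\Disk\Enum\0` and `Key opened ...\Disk\Enum` land on the same signature, and the control-set rewrite means a host whose last-known-good set is ControlSet002 is classified the same way.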
Suspicious behavior: EnumeratesProcesses (30 IoCs)
Each of the following processes is listed twice:
Process ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe, pid: 2816
Process igfxwt32.exe, pids: 2500, 2024, 2868, 2924, 2220, 1144, 1780, 2772, 2124, 2716, 572, 2248, 2904, 1960
Suspicious use of WriteProcessMemory (64 IoCs)
The listing stops after 64 rows, in the middle of the 2220 -> 1496 entries. Identical rows are collapsed into the rows column:
description                        pid   Process                                             procid_target  rows
PID 2340 wrote to memory of 2816   2340  ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe  30             7
PID 2816 wrote to memory of 2720   2816  ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe  31             4
PID 2720 wrote to memory of 2500   2720  igfxwt32.exe                                        32             7
PID 2500 wrote to memory of 1688   2500  igfxwt32.exe                                        33             4
PID 1688 wrote to memory of 2024   1688  igfxwt32.exe                                        35             7
PID 2024 wrote to memory of 2908   2024  igfxwt32.exe                                        36             4
PID 2908 wrote to memory of 2868   2908  igfxwt32.exe                                        37             7
PID 2868 wrote to memory of 2076   2868  igfxwt32.exe                                        38             4
PID 2076 wrote to memory of 2924   2076  igfxwt32.exe                                        39             7
PID 2924 wrote to memory of 2268   2924  igfxwt32.exe                                        40             4
PID 2268 wrote to memory of 2220   2268  igfxwt32.exe                                        41             7
PID 2220 wrote to memory of 1496   2220  igfxwt32.exe                                        42             2 (cut off)
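Read together, the SetThreadContext and WriteProcessMemory tables describe one repeating pattern: a process starts a copy of its own image, writes into it and sets its thread context (process hollowing), and the hollowed copy then spawns the next launcher. The following is an added example, not code from the report or from Triage, that reconstructs that chain from the two tables. The records are transcribed from the tables above (duplicate WriteProcessMemory rows collapsed into a count) and from the process tree further down; the rule that calls a child "hollowed" when its parent set its thread context and it runs the same image as the parent is an analyst heuristic of this example, not a signature the report applies.

```python
"""
Reconstruct the process-hollowing chain from the SetThreadContext and
WriteProcessMemory tables. Added example; not code from the report or Triage.
"""
from collections import defaultdict

SAMPLE = "ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe"
DROPPED = "igfxwt32.exe"

# (parent pid, child pid) rows of "Suspicious use of SetThreadContext"
SET_THREAD_CONTEXT = [
    (2340, 2816), (2720, 2500), (1688, 2024), (2908, 2868), (2076, 2924),
    (2268, 2220), (1496, 1144), (1600, 1780), (1048, 2772), (1928, 2124),
    (3004, 2716), (2620, 572), (1832, 2248), (2356, 2904), (2780, 1960),
]
# (parent pid, child pid, rows) of "Suspicious use of WriteProcessMemory";
# the report lists at most 64 rows, so the table ends at 2220 -> 1496.
WRITE_PROCESS_MEMORY = [
    (2340, 2816, 7), (2816, 2720, 4), (2720, 2500, 7), (2500, 1688, 4),
    (1688, 2024, 7), (2024, 2908, 4), (2908, 2868, 7), (2868, 2076, 4),
    (2076, 2924, 7), (2924, 2268, 4), (2268, 2220, 7), (2220, 1496, 2),
]
# pid -> image name, transcribed from the "Processes" tree
IMAGE = {2340: SAMPLE, 2816: SAMPLE}
IMAGE.update({pid: DROPPED for pid in (
    2720, 2500, 1688, 2024, 2908, 2868, 2076, 2924, 2268, 2220, 1496, 1144,
    1600, 1780, 1048, 2772, 1928, 2124, 3004, 2716, 2620, 572, 1832, 2248,
    2356, 2904, 2780, 1960, 2136)})


def hollowing_pairs(stc=SET_THREAD_CONTEXT, wpm=WRITE_PROCESS_MEMORY, image=IMAGE):
    """(parent, child, write_rows) for every SetThreadContext edge whose two
    ends run the same image (heuristic: SetThreadContext into a foreign image
    is plain injection, into a fresh copy of yourself it is hollowing).
    write_rows counts the corroborating WriteProcessMemory rows; 0 once the
    capped table has run out, which is not evidence of absence."""
    writes = {(p, c): n for p, c, n in wpm}
    return [(p, c, writes.get((p, c), 0)) for p, c in stc if image[p] == image[c]]


def lineage(root, stc=SET_THREAD_CONTEXT, wpm=WRITE_PROCESS_MEMORY):
    """Follow parent -> child edges from root through both tables and return
    the pid chain in creation order; it stops where the tables stop."""
    children = defaultdict(list)
    for p, c in stc:
        children[p].append(c)
    for p, c, _ in wpm:
        if c not in children[p]:
            children[p].append(c)
    chain, seen = [root], {root}
    while children[chain[-1]]:
        nxt = children[chain[-1]][0]
        if nxt in seen:           # guard against a malformed, cyclic table
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def stage_roles(chain, pairs):
    """Label every pid in chain: a 'launcher' hollows its child, a 'hollowed'
    process is the injected copy. In this report the hollowed stages are the
    ones that drop igfxwt32.exe and probe the registry; the launchers only
    create and inject the next copy."""
    launchers = {p for p, _, _ in pairs}
    hollowed = {c for _, c, _ in pairs}
    return {pid: "launcher" if pid in launchers else
                 "hollowed" if pid in hollowed else "unknown"
            for pid in chain}


if __name__ == "__main__":
    pairs = hollowing_pairs()
    chain = lineage(2340)
    roles = stage_roles(chain, pairs)
    for pid in chain:
        print(f"{pid:5d}  {IMAGE[pid]:52s}  {roles[pid]}")
    print(len(pairs), "hollowing generations,",
          sum(1 for _, _, n in pairs if n), "with WriteProcessMemory rows")
```

Against this report the chain alternates launcher/hollowed from PID 2340 down to 1144, where the capped tables end; the remaining generations (1600 onward) still appear in the SetThreadContext table and in the process tree but no longer have WriteProcessMemory rows to corroborate them.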
Processes
The tree is a single chain of 31 processes: each process spawns exactly one child. Depth is the nesting level shown in the report; parent is the PID one level up. From depth 5 onward every process has image C:\Windows\SysWOW64\igfxwt32.exe and command line "C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe, so image and command line are only spelled out for the first four.

Depth 1, PID 2340 (root)
  image: C:\Users\Admin\AppData\Local\Temp\ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 2, PID 2816, parent 2340
  image: C:\Users\Admin\AppData\Local\Temp\ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe"
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Depth 3, PID 2720, parent 2816
  image: C:\Windows\SysWOW64\igfxwt32.exe
  command line: "C:\Windows\system32\igfxwt32.exe" C:\Users\Admin\AppData\Local\Temp\BA9899~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 4, PID 2500, parent 2720
  image: C:\Windows\SysWOW64\igfxwt32.exe
  command line: "C:\Windows\system32\igfxwt32.exe" C:\Users\Admin\AppData\Local\Temp\BA9899~1.EXE
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Depth 5, PID 1688, parent 2500
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 6, PID 2024, parent 1688
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Depth 7, PID 2908, parent 2024
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 8, PID 2868, parent 2908
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Depth 9, PID 2076, parent 2868
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 10, PID 2924, parent 2076
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Depth 11, PID 2268, parent 2924
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 12, PID 2220, parent 2268
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Depth 13, PID 1496, parent 2220
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Depth 14, PID 1144, parent 1496
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Depth 15, PID 1600, parent 1144
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Depth 16, PID 1780, parent 1600
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Depth 17, PID 1048, parent 1780
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Depth 18, PID 2772, parent 1048
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Depth 19, PID 1928, parent 2772
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Depth 20, PID 2124, parent 1928
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Depth 21, PID 3004, parent 2124
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Depth 22, PID 2716, parent 3004
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Depth 23, PID 2620, parent 2716
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Depth 24, PID 572, parent 2620
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Depth 25, PID 1832, parent 572
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Depth 26, PID 2248, parent 1832
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Depth 27, PID 2356, parent 2248
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Depth 28, PID 2904, parent 2356
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Depth 29, PID 2780, parent 2904
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Depth 30, PID 1960, parent 2780
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Depth 31, PID 2136, parent 1960
  - Executes dropped EXE
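Two path details in the tree need resolving before it reads as a chain: the first two igfxwt32.exe copies are handed the sample's 8.3 short name C:\Users\Admin\AppData\Local\Temp\BA9899~1.EXE rather than its long name, and every igfxwt32.exe image sits under C:\Windows\SysWOW64 although its command line names C:\Windows\system32. The following is an added example, not code from the report or from Triage, that handles both. TREE holds a few rows transcribed from the tree above, TEMP_LISTING is a constructed directory listing (only the sample's name is from the page), and short_name() implements only the documented "first six characters + ~N + three-character extension" alias form (Windows increments N on collision and, on NTFS after the fourth collision, switches to a hashed form), which is why the alias is matched against a directory listing rather than trusted on its own.

```python
r"""
Resolve the 8.3 short name and the WOW64 path redirection seen in the
process tree. Added example; not code from the report or from Triage.
"""
import re

# (depth, pid, image path, command line) transcribed from the "Processes" tree
TREE = [
    (1, 2340, r"C:\Users\Admin\AppData\Local\Temp\ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe"'),
    (3, 2720, r"C:\Windows\SysWOW64\igfxwt32.exe",
     r'"C:\Windows\system32\igfxwt32.exe" C:\Users\Admin\AppData\Local\Temp\BA9899~1.EXE'),
    (5, 1688, r"C:\Windows\SysWOW64\igfxwt32.exe",
     r'"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe'),
]
# Constructed listing of the Temp directory; only the sample's name is real.
TEMP_LISTING = [
    "ba989968b0b612fcd5be4f13420e90d7_JaffaCakes118.exe",
    "ba9899_notes.txt", "setup.exe", "igfxwt32.exe",
]

_SHORT_TOKEN = re.compile(r"^[^.\\]{1,6}~\d+(\.[^.\\]{0,3})?$")
_LEGAL_83 = re.compile(r"^[A-Z0-9_$~!#%&()@^'{}\-]*$")
SYS32 = "c:\\windows\\system32\\"
WOW64 = "c:\\windows\\syswow64\\"


def short_name(long_name: str, n: int = 1) -> str:
    """8.3 alias Windows generates for long_name with collision index n.
    Names that already are valid 8.3 names get no alias (returned upper-cased)."""
    base, dot, ext = long_name.rpartition(".")
    if not dot:
        base, ext = long_name, ""
    b, e = base.upper(), ext.upper()
    if len(b) <= 8 and len(e) <= 3 and _LEGAL_83.match(b) and _LEGAL_83.match(e):
        return f"{b}.{e}" if e else b
    # Spaces and dots are dropped, characters illegal in 8.3 names become '_',
    # the base is cut to six characters and '~n' appended.
    clean = lambda s: re.sub(r"[ .]", "", re.sub(r"[+,;=\[\]]", "_", s)).upper()
    alias = f"{clean(base)[:6]}~{n}"
    e = clean(ext)[:3]
    return f"{alias}.{e}" if e else alias


def resolve_short(token: str, directory):
    """Long names in directory that would carry the alias token, or None when
    token is not an 8.3 alias at all. More than one hit means the real mapping
    depends on creation order: ask the live host (GetLongPathNameW) or the
    sandbox's file listing instead of guessing."""
    if not _SHORT_TOKEN.match(token):
        return None
    tok = token.upper()
    n = int(tok.split("~", 1)[1].split(".", 1)[0])
    return [name for name in directory if short_name(name, n) == tok]


def program_of(cmdline: str) -> str:
    """Program path at the front of a command line (quoted or not)."""
    if cmdline.startswith('"'):
        return cmdline.split('"', 2)[1]
    return cmdline.split(None, 1)[0]


def argument_of(cmdline: str) -> str:
    """Whatever follows the program path ('' when nothing does)."""
    if cmdline.startswith('"'):
        return cmdline.split('"', 2)[2].strip()
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def wow64_redirected(image: str, cmdline: str) -> bool:
    r"""True when the command line asked for C:\Windows\system32\X but the
    process image lives at C:\Windows\SysWOW64\X: WOW64 file-system
    redirection, i.e. a 32-bit process on 64-bit Windows. This is why the
    drop IoCs say SysWOW64 while every command line says system32."""
    claimed, actual = program_of(cmdline).lower(), image.lower()
    return (claimed.startswith(SYS32) and actual.startswith(WOW64)
            and claimed[len(SYS32):] == actual[len(WOW64):])


def stage_arguments(tree=TREE):
    """(pid, argument) per process: the early copies receive the sample's
    short path, later ones their own path."""
    return [(pid, argument_of(cmd)) for _depth, pid, _image, cmd in tree]


if __name__ == "__main__":
    for depth, pid, image, cmd in TREE:
        print(depth, pid, "WOW64-redirected" if wow64_redirected(image, cmd) else "direct",
              argument_of(cmd) or "(no argument)")
    print(resolve_short("BA9899~1.EXE", TEMP_LISTING))
```

Passing the short path is what links the "Deletes itself" signature on PID 2500 to the original file: that process received BA9899~1.EXE as its argument, and BA9899~1.EXE resolves to the submitted sample in the Temp directory.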
Network
MITRE ATT&CK Enterprise v15
Downloads
The only file listed has the same size and hashes as the submitted sample:
Filesize: 174KB
MD5: ba989968b0b612fcd5be4f13420e90d7
SHA1: 8eb5d17ac4a6930464426fc48a2c18c11150bbd5
SHA256: 25852638935167770734c0ffd7577d03fda9f5f9d45155153f31abf2c5300ff0
SHA512: d884ff5ace0d8974f2240b3a0c7da1062d482932a96232e4301d4ab43ebd27b303981727ac0af567166f39b54b125bce237005892ad00b82eeceefd9e75a7a58