Analysis
- max time kernel: 147s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/12/2024, 03:56
Static task: static1
Behavioral task: behavioral1
- Sample: c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
- Size: 168KB
- MD5: c5c9cc18ecfdf1dd5e77163539206ce1
- SHA1: 4a15c7813fc60e06047205515901bb89094b3a4a
- SHA256: 7bc761e7341be0a72eb4d4afff7cc1970c46cec2cf5851949b363626d04e2d22
- SHA512: 69f8ae1277c42a0b12685e2d84cb73b5e90f3411af40fbad003d774fd4529fd414a5e2f5b8ec177ab9b5a4d6f42089ecb91e7401c9779a481d7ed7fbc24b9744
- SSDEEP: 3072:Xh7IT11ifB55719lbskv2V2U1+8uEqWzv1VDCtwwTK4oYC86IGVP1QTjT:611iflBbLQ9FqWzdV2bTK4oZxIIP1QTH
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Metasploit family
- Checks computer location settings (2 TTPs, 15 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
- Deletes itself (1 IoCs)
  pid | Process
  3080 | igfxwk32.exe
- Executes dropped EXE (29 IoCs)
  pid | Process
  4548 | igfxwk32.exe
  3080 | igfxwk32.exe
  4020 | igfxwk32.exe
  2748 | igfxwk32.exe
  1944 | igfxwk32.exe
  4024 | igfxwk32.exe
  2404 | igfxwk32.exe
  4412 | igfxwk32.exe
  5092 | igfxwk32.exe
  848 | igfxwk32.exe
  3668 | igfxwk32.exe
  2696 | igfxwk32.exe
  4060 | igfxwk32.exe
  1068 | igfxwk32.exe
  3680 | igfxwk32.exe
  3768 | igfxwk32.exe
  4208 | igfxwk32.exe
  3808 | igfxwk32.exe
  1000 | igfxwk32.exe
  3912 | igfxwk32.exe
  4956 | igfxwk32.exe
  2064 | igfxwk32.exe
  4780 | igfxwk32.exe
  2464 | igfxwk32.exe
  852 | igfxwk32.exe
  4732 | igfxwk32.exe
  2136 | igfxwk32.exe
  1208 | igfxwk32.exe
  4352 | igfxwk32.exe
- Maps connected drives based on registry (3 TTPs, 30 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
- Drops file in System32 directory (45 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
  File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File created | C:\Windows\SysWOW64\igfxwk32.exe | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\ | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
  File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
  File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
- Suspicious use of SetThreadContext (15 IoCs)
  description | pid | Process | procid_target
  PID 2352 set thread context of 384 | 2352 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe | 83
  PID 4548 set thread context of 3080 | 4548 | igfxwk32.exe | 97
  PID 4020 set thread context of 2748 | 4020 | igfxwk32.exe | 99
  PID 1944 set thread context of 4024 | 1944 | igfxwk32.exe | 104
  PID 2404 set thread context of 4412 | 2404 | igfxwk32.exe | 106
  PID 5092 set thread context of 848 | 5092 | igfxwk32.exe | 108
  PID 3668 set thread context of 2696 | 3668 | igfxwk32.exe | 110
  PID 4060 set thread context of 1068 | 4060 | igfxwk32.exe | 112
  PID 3680 set thread context of 3768 | 3680 | igfxwk32.exe | 114
  PID 4208 set thread context of 3808 | 4208 | igfxwk32.exe | 116
  PID 1000 set thread context of 3912 | 1000 | igfxwk32.exe | 118
  PID 4956 set thread context of 2064 | 4956 | igfxwk32.exe | 120
  PID 4780 set thread context of 2464 | 4780 | igfxwk32.exe | 122
  PID 852 set thread context of 4732 | 852 | igfxwk32.exe | 124
  PID 2136 set thread context of 1208 | 2136 | igfxwk32.exe | 126
  resource | yara_rule
  behavioral2/memory/384-0-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/384-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/384-3-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/384-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/384-40-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/3080-45-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/3080-47-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/2748-55-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/4024-63-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/4412-70-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/848-77-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/2696-83-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/1068-92-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/3768-99-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/3808-106-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/3912-112-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/3912-114-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/2064-123-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/2464-131-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/4732-139-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral2/memory/1208-147-0x0000000000400000-0x0000000000466000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 30 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
- Modifies registry class (15 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid | Process
  384 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
  384 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
  384 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
  384 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
  3080 | igfxwk32.exe
  3080 | igfxwk32.exe
  3080 | igfxwk32.exe
  3080 | igfxwk32.exe
  2748 | igfxwk32.exe
  2748 | igfxwk32.exe
  2748 | igfxwk32.exe
  2748 | igfxwk32.exe
  4024 | igfxwk32.exe
  4024 | igfxwk32.exe
  4024 | igfxwk32.exe
  4024 | igfxwk32.exe
  4412 | igfxwk32.exe
  4412 | igfxwk32.exe
  4412 | igfxwk32.exe
  4412 | igfxwk32.exe
  848 | igfxwk32.exe
  848 | igfxwk32.exe
  848 | igfxwk32.exe
  848 | igfxwk32.exe
  2696 | igfxwk32.exe
  2696 | igfxwk32.exe
  2696 | igfxwk32.exe
  2696 | igfxwk32.exe
  1068 | igfxwk32.exe
  1068 | igfxwk32.exe
  1068 | igfxwk32.exe
  1068 | igfxwk32.exe
  3768 | igfxwk32.exe
  3768 | igfxwk32.exe
  3768 | igfxwk32.exe
  3768 | igfxwk32.exe
  3808 | igfxwk32.exe
  3808 | igfxwk32.exe
  3808 | igfxwk32.exe
  3808 | igfxwk32.exe
  3912 | igfxwk32.exe
  3912 | igfxwk32.exe
  3912 | igfxwk32.exe
  3912 | igfxwk32.exe
  2064 | igfxwk32.exe
  2064 | igfxwk32.exe
  2064 | igfxwk32.exe
  2064 | igfxwk32.exe
  2464 | igfxwk32.exe
  2464 | igfxwk32.exe
  2464 | igfxwk32.exe
  2464 | igfxwk32.exe
  4732 | igfxwk32.exe
  4732 | igfxwk32.exe
  4732 | igfxwk32.exe
  4732 | igfxwk32.exe
  1208 | igfxwk32.exe
  1208 | igfxwk32.exe
  1208 | igfxwk32.exe
  1208 | igfxwk32.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2352 wrote to memory of 384 | 2352 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe | 83
  PID 2352 wrote to memory of 384 | 2352 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe | 83
  PID 2352 wrote to memory of 384 | 2352 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe | 83
  PID 2352 wrote to memory of 384 | 2352 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe | 83
  PID 2352 wrote to memory of 384 | 2352 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe | 83
  PID 2352 wrote to memory of 384 | 2352 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe | 83
  PID 2352 wrote to memory of 384 | 2352 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe | 83
  PID 384 wrote to memory of 4548 | 384 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe | 90
  PID 384 wrote to memory of 4548 | 384 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe | 90
  PID 384 wrote to memory of 4548 | 384 | c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe | 90
  PID 4548 wrote to memory of 3080 | 4548 | igfxwk32.exe | 97
  PID 4548 wrote to memory of 3080 | 4548 | igfxwk32.exe | 97
  PID 4548 wrote to memory of 3080 | 4548 | igfxwk32.exe | 97
  PID 4548 wrote to memory of 3080 | 4548 | igfxwk32.exe | 97
  PID 4548 wrote to memory of 3080 | 4548 | igfxwk32.exe | 97
  PID 4548 wrote to memory of 3080 | 4548 | igfxwk32.exe | 97
  PID 4548 wrote to memory of 3080 | 4548 | igfxwk32.exe | 97
  PID 3080 wrote to memory of 4020 | 3080 | igfxwk32.exe | 98
  PID 3080 wrote to memory of 4020 | 3080 | igfxwk32.exe | 98
  PID 3080 wrote to memory of 4020 | 3080 | igfxwk32.exe | 98
  PID 4020 wrote to memory of 2748 | 4020 | igfxwk32.exe | 99
  PID 4020 wrote to memory of 2748 | 4020 | igfxwk32.exe | 99
  PID 4020 wrote to memory of 2748 | 4020 | igfxwk32.exe | 99
  PID 4020 wrote to memory of 2748 | 4020 | igfxwk32.exe | 99
  PID 4020 wrote to memory of 2748 | 4020 | igfxwk32.exe | 99
  PID 4020 wrote to memory of 2748 | 4020 | igfxwk32.exe | 99
  PID 4020 wrote to memory of 2748 | 4020 | igfxwk32.exe | 99
  PID 2748 wrote to memory of 1944 | 2748 | igfxwk32.exe | 102
  PID 2748 wrote to memory of 1944 | 2748 | igfxwk32.exe | 102
  PID 2748 wrote to memory of 1944 | 2748 | igfxwk32.exe | 102
  PID 1944 wrote to memory of 4024 | 1944 | igfxwk32.exe | 104
  PID 1944 wrote to memory of 4024 | 1944 | igfxwk32.exe | 104
  PID 1944 wrote to memory of 4024 | 1944 | igfxwk32.exe | 104
  PID 1944 wrote to memory of 4024 | 1944 | igfxwk32.exe | 104
  PID 1944 wrote to memory of 4024 | 1944 | igfxwk32.exe | 104
  PID 1944 wrote to memory of 4024 | 1944 | igfxwk32.exe | 104
  PID 1944 wrote to memory of 4024 | 1944 | igfxwk32.exe | 104
  PID 4024 wrote to memory of 2404 | 4024 | igfxwk32.exe | 105
  PID 4024 wrote to memory of 2404 | 4024 | igfxwk32.exe | 105
  PID 4024 wrote to memory of 2404 | 4024 | igfxwk32.exe | 105
  PID 2404 wrote to memory of 4412 | 2404 | igfxwk32.exe | 106
  PID 2404 wrote to memory of 4412 | 2404 | igfxwk32.exe | 106
  PID 2404 wrote to memory of 4412 | 2404 | igfxwk32.exe | 106
  PID 2404 wrote to memory of 4412 | 2404 | igfxwk32.exe | 106
  PID 2404 wrote to memory of 4412 | 2404 | igfxwk32.exe | 106
  PID 2404 wrote to memory of 4412 | 2404 | igfxwk32.exe | 106
  PID 2404 wrote to memory of 4412 | 2404 | igfxwk32.exe | 106
  PID 4412 wrote to memory of 5092 | 4412 | igfxwk32.exe | 107
  PID 4412 wrote to memory of 5092 | 4412 | igfxwk32.exe | 107
  PID 4412 wrote to memory of 5092 | 4412 | igfxwk32.exe | 107
  PID 5092 wrote to memory of 848 | 5092 | igfxwk32.exe | 108
  PID 5092 wrote to memory of 848 | 5092 | igfxwk32.exe | 108
  PID 5092 wrote to memory of 848 | 5092 | igfxwk32.exe | 108
  PID 5092 wrote to memory of 848 | 5092 | igfxwk32.exe | 108
  PID 5092 wrote to memory of 848 | 5092 | igfxwk32.exe | 108
  PID 5092 wrote to memory of 848 | 5092 | igfxwk32.exe | 108
  PID 5092 wrote to memory of 848 | 5092 | igfxwk32.exe | 108
  PID 848 wrote to memory of 3668 | 848 | igfxwk32.exe | 109
  PID 848 wrote to memory of 3668 | 848 | igfxwk32.exe | 109
  PID 848 wrote to memory of 3668 | 848 | igfxwk32.exe | 109
  PID 3668 wrote to memory of 2696 | 3668 | igfxwk32.exe | 110
  PID 3668 wrote to memory of 2696 | 3668 | igfxwk32.exe | 110
  PID 3668 wrote to memory of 2696 | 3668 | igfxwk32.exe | 110
  PID 3668 wrote to memory of 2696 | 3668 | igfxwk32.exe | 110
Processes
(The leading number of each entry is its depth in the process tree; every process listed here is the child of the one listed immediately before it.)

1. C:\Users\Admin\AppData\Local\Temp\c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe"
   PID: 2352
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

2. C:\Users\Admin\AppData\Local\Temp\c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c5c9cc18ecfdf1dd5e77163539206ce1_JaffaCakes118.exe"
   PID: 384
   - Checks computer location settings
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\C5C9CC~1.EXE
   PID: 4548
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

4. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\C5C9CC~1.EXE
   PID: 3080
   - Checks computer location settings
   - Deletes itself
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

5. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
   PID: 4020
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

6. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
   PID: 2748
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

7. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
   PID: 1944
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

8. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
   PID: 4024
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

9. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
   PID: 2404
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

10. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 4412
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

11. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 5092
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

12. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 848
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

13. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 3668
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

14. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 2696
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

15. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 4060
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

16. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 1068
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

17. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 3680
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

18. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 3768
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

19. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 4208
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

20. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 3808
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

21. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 1000
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

22. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 3912
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

23. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 4956
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

24. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 2064
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

25. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 4780
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

26. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 2464
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

27. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 852
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

28. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 4732
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

29. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 2136
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

30. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 1208
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

31. C:\Windows\SysWOW64\igfxwk32.exe
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    PID: 4352
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 168KB
  MD5: c5c9cc18ecfdf1dd5e77163539206ce1
  SHA1: 4a15c7813fc60e06047205515901bb89094b3a4a
  SHA256: 7bc761e7341be0a72eb4d4afff7cc1970c46cec2cf5851949b363626d04e2d22
  SHA512: 69f8ae1277c42a0b12685e2d84cb73b5e90f3411af40fbad003d774fd4529fd414a5e2f5b8ec177ab9b5a4d6f42089ecb91e7401c9779a481d7ed7fbc24b9744