Analysis
max time kernel: 149s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 10:56
Static task: static1
Behavioral task: behavioral1
Sample: d2189f7b113bf073b7e9f9a5d793d6bd_JaffaCakes118.exe
Resource: win7-20241023-en
Behavioral task: behavioral2
Sample: d2189f7b113bf073b7e9f9a5d793d6bd_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: d2189f7b113bf073b7e9f9a5d793d6bd_JaffaCakes118.exe
Size: 168KB
MD5: d2189f7b113bf073b7e9f9a5d793d6bd
SHA1: 2b33a7e571f5290993d10b632d11632e8120546e
SHA256: de15f27ab4de28510fd21208a16587b363d38f54768764e570b9efd037c226b7
SHA512: 9e632202707358d8577fe9b99a1c1792ffb82348766b8ff402c789d17b6450b077cf34575e9b8ff93149ce08c58ed1a90ee03d9402daf3d7819375069baec865
SSDEEP: 3072:Dq0PYeUvbN1fAJ52e/aC/YW1EEUUYZD/KAkM+AjDxAOokUVuYV5f+ou+fpw:mvTN1f/maC/YW1E3jZLXZZ8VuYCovhw
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
Deletes itself 1 IoCs
PID 3768 igfxwa32.exe
Executes dropped EXE 28 IoCs
Maps connected drives based on registry 3 TTPs 30 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 42 IoCs
Suspicious use of SetThreadContext 15 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 14 IoCs
Suspicious behavior: EnumeratesProcesses 58 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\d2189f7b113bf073b7e9f9a5d793d6bd_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d2189f7b113bf073b7e9f9a5d793d6bd_JaffaCakes118.exe"
PID: 3152
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 2: C:\Users\Admin\AppData\Local\Temp\d2189f7b113bf073b7e9f9a5d793d6bd_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d2189f7b113bf073b7e9f9a5d793d6bd_JaffaCakes118.exe"
PID: 3648
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Users\Admin\AppData\Local\Temp\D2189F~1.EXE
PID: 1984
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Users\Admin\AppData\Local\Temp\D2189F~1.EXE
PID: 3768
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Depth 5: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 1652
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 6: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 4232
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Depth 7: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 1748
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 8: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 740
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Depth 9: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 3116
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 10: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 636
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Depth 11: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 4792
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 12: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 1584
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Depth 13: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 2360
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 14: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 3824
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Depth 15: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 452
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
Depth 16: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 1812
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Depth 17: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 1088
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
Depth 18: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 548
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Depth 19: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 2828
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
Depth 20: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 2428
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Depth 21: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 2412
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
Depth 22: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 4912
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Depth 23: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 2276
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
Depth 24: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 3044
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Depth 25: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 2728
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
Depth 26: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 1652
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Depth 27: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 2092
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
Depth 28: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 4744
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Depth 29: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 1016
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
Depth 30: C:\Windows\SysWOW64\igfxwa32.exe
Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
PID: 4344
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15