Analysis
max time kernel: 146s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-12-2024 18:13
Static task: static1
Behavioral task: behavioral1
  Sample: dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
Size: 195KB
MD5: dae49c78b1aae3697fc7bbe56c10608e
SHA1: adeffe2028d175e81ae049b27ad5b969eaa78a13
SHA256: 2826bfe269db279cfdd4f29dbc5525ce3b5ce95dd0f50e89a46cc6223e2efdd7
SHA512: 08ffaaee84601da5c2d8dc080fdeea081b2385c83fcdcf410febac1a68222793b72005ea8ca3a3ca89b635fcae7a82d9469205a551b3306457e730a2946b251c
SSDEEP: 3072:o2l12n3IaVLO5+JTPXkMHW45fdCBpb5aQvkHy3U6tsZYQfaxYPHte1tgL:mIaVCAFW8lU0QsydeJHl
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Deletes itself 1 IoCs
pid   Process
2364  igfxwp32.exe
Executes dropped EXE 31 IoCs
pid   Process
2152  igfxwp32.exe
2364  igfxwp32.exe
2792  igfxwp32.exe
2660  igfxwp32.exe
1400  igfxwp32.exe
1816  igfxwp32.exe
2024  igfxwp32.exe
1992  igfxwp32.exe
2856  igfxwp32.exe
3068  igfxwp32.exe
1648  igfxwp32.exe
440   igfxwp32.exe
1200  igfxwp32.exe
3020  igfxwp32.exe
2448  igfxwp32.exe
628   igfxwp32.exe
544   igfxwp32.exe
1916  igfxwp32.exe
2052  igfxwp32.exe
2940  igfxwp32.exe
2064  igfxwp32.exe
2652  igfxwp32.exe
2972  igfxwp32.exe
2684  igfxwp32.exe
832   igfxwp32.exe
1736  igfxwp32.exe
1860  igfxwp32.exe
1444  igfxwp32.exe
2656  igfxwp32.exe
2716  igfxwp32.exe
1776  igfxwp32.exe
Loads dropped DLL 31 IoCs
pid   Process
2376  dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
2152  igfxwp32.exe
2364  igfxwp32.exe
2792  igfxwp32.exe
2660  igfxwp32.exe
1400  igfxwp32.exe
1816  igfxwp32.exe
2024  igfxwp32.exe
1992  igfxwp32.exe
2856  igfxwp32.exe
3068  igfxwp32.exe
1648  igfxwp32.exe
440   igfxwp32.exe
1200  igfxwp32.exe
3020  igfxwp32.exe
2448  igfxwp32.exe
628   igfxwp32.exe
544   igfxwp32.exe
1916  igfxwp32.exe
2052  igfxwp32.exe
2940  igfxwp32.exe
2064  igfxwp32.exe
2652  igfxwp32.exe
2972  igfxwp32.exe
2684  igfxwp32.exe
832   igfxwp32.exe
1736  igfxwp32.exe
1860  igfxwp32.exe
1444  igfxwp32.exe
2656  igfxwp32.exe
2716  igfxwp32.exe
Maps connected drives based on registry 3 TTPs 32 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwp32.exe
Drops file in System32 directory 48 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
Suspicious use of SetThreadContext 16 IoCs
description | pid | Process | procid_target
PID 1964 set thread context of 2376 | 1964 | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe | 31
PID 2152 set thread context of 2364 | 2152 | igfxwp32.exe | 33
PID 2792 set thread context of 2660 | 2792 | igfxwp32.exe | 35
PID 1400 set thread context of 1816 | 1400 | igfxwp32.exe | 37
PID 2024 set thread context of 1992 | 2024 | igfxwp32.exe | 39
PID 2856 set thread context of 3068 | 2856 | igfxwp32.exe | 41
PID 1648 set thread context of 440 | 1648 | igfxwp32.exe | 43
PID 1200 set thread context of 3020 | 1200 | igfxwp32.exe | 45
PID 2448 set thread context of 628 | 2448 | igfxwp32.exe | 47
PID 544 set thread context of 1916 | 544 | igfxwp32.exe | 49
PID 2052 set thread context of 2940 | 2052 | igfxwp32.exe | 51
PID 2064 set thread context of 2652 | 2064 | igfxwp32.exe | 53
PID 2972 set thread context of 2684 | 2972 | igfxwp32.exe | 55
PID 832 set thread context of 1736 | 832 | igfxwp32.exe | 57
PID 1860 set thread context of 1444 | 1860 | igfxwp32.exe | 59
PID 2656 set thread context of 2716 | 2656 | igfxwp32.exe | 61
resource | yara_rule
behavioral1/memory/2376-12-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2376-10-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2376-9-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2376-7-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2376-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2376-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2376-11-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2376-22-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2364-34-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2364-33-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2364-32-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2364-40-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2660-50-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2660-52-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2660-51-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2660-56-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1816-68-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1816-69-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1816-67-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1816-74-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1992-86-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1992-87-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1992-85-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1992-91-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/3068-108-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/440-119-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/440-125-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/3020-136-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/3020-144-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/628-154-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/628-160-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1916-171-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1916-179-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2940-195-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2652-205-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2652-213-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2684-228-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1736-246-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1444-260-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2716-268-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2716-273-0x0000000000400000-0x0000000000466000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 32 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Suspicious behavior: EnumeratesProcesses 48 IoCs
pid   Process
1964  dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
2376  dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
2376  dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
2152  igfxwp32.exe
2364  igfxwp32.exe
2364  igfxwp32.exe
2792  igfxwp32.exe
2660  igfxwp32.exe
2660  igfxwp32.exe
1400  igfxwp32.exe
1816  igfxwp32.exe
1816  igfxwp32.exe
2024  igfxwp32.exe
1992  igfxwp32.exe
1992  igfxwp32.exe
2856  igfxwp32.exe
3068  igfxwp32.exe
3068  igfxwp32.exe
1648  igfxwp32.exe
440   igfxwp32.exe
440   igfxwp32.exe
1200  igfxwp32.exe
3020  igfxwp32.exe
3020  igfxwp32.exe
2448  igfxwp32.exe
628   igfxwp32.exe
628   igfxwp32.exe
544   igfxwp32.exe
1916  igfxwp32.exe
1916  igfxwp32.exe
2052  igfxwp32.exe
2940  igfxwp32.exe
2940  igfxwp32.exe
2064  igfxwp32.exe
2652  igfxwp32.exe
2652  igfxwp32.exe
2972  igfxwp32.exe
2684  igfxwp32.exe
2684  igfxwp32.exe
832   igfxwp32.exe
1736  igfxwp32.exe
1736  igfxwp32.exe
1860  igfxwp32.exe
1444  igfxwp32.exe
1444  igfxwp32.exe
2656  igfxwp32.exe
2716  igfxwp32.exe
2716  igfxwp32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1964 wrote to memory of 2376 | 1964 | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe | 31
PID 1964 wrote to memory of 2376 | 1964 | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe | 31
PID 1964 wrote to memory of 2376 | 1964 | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe | 31
PID 1964 wrote to memory of 2376 | 1964 | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe | 31
PID 1964 wrote to memory of 2376 | 1964 | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe | 31
PID 1964 wrote to memory of 2376 | 1964 | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe | 31
PID 1964 wrote to memory of 2376 | 1964 | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe | 31
PID 2376 wrote to memory of 2152 | 2376 | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe | 32
PID 2376 wrote to memory of 2152 | 2376 | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe | 32
PID 2376 wrote to memory of 2152 | 2376 | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe | 32
PID 2376 wrote to memory of 2152 | 2376 | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe | 32
PID 2152 wrote to memory of 2364 | 2152 | igfxwp32.exe | 33
PID 2152 wrote to memory of 2364 | 2152 | igfxwp32.exe | 33
PID 2152 wrote to memory of 2364 | 2152 | igfxwp32.exe | 33
PID 2152 wrote to memory of 2364 | 2152 | igfxwp32.exe | 33
PID 2152 wrote to memory of 2364 | 2152 | igfxwp32.exe | 33
PID 2152 wrote to memory of 2364 | 2152 | igfxwp32.exe | 33
PID 2152 wrote to memory of 2364 | 2152 | igfxwp32.exe | 33
PID 2364 wrote to memory of 2792 | 2364 | igfxwp32.exe | 34
PID 2364 wrote to memory of 2792 | 2364 | igfxwp32.exe | 34
PID 2364 wrote to memory of 2792 | 2364 | igfxwp32.exe | 34
PID 2364 wrote to memory of 2792 | 2364 | igfxwp32.exe | 34
PID 2792 wrote to memory of 2660 | 2792 | igfxwp32.exe | 35
PID 2792 wrote to memory of 2660 | 2792 | igfxwp32.exe | 35
PID 2792 wrote to memory of 2660 | 2792 | igfxwp32.exe | 35
PID 2792 wrote to memory of 2660 | 2792 | igfxwp32.exe | 35
PID 2792 wrote to memory of 2660 | 2792 | igfxwp32.exe | 35
PID 2792 wrote to memory of 2660 | 2792 | igfxwp32.exe | 35
PID 2792 wrote to memory of 2660 | 2792 | igfxwp32.exe | 35
PID 2660 wrote to memory of 1400 | 2660 | igfxwp32.exe | 36
PID 2660 wrote to memory of 1400 | 2660 | igfxwp32.exe | 36
PID 2660 wrote to memory of 1400 | 2660 | igfxwp32.exe | 36
PID 2660 wrote to memory of 1400 | 2660 | igfxwp32.exe | 36
PID 1400 wrote to memory of 1816 | 1400 | igfxwp32.exe | 37
PID 1400 wrote to memory of 1816 | 1400 | igfxwp32.exe | 37
PID 1400 wrote to memory of 1816 | 1400 | igfxwp32.exe | 37
PID 1400 wrote to memory of 1816 | 1400 | igfxwp32.exe | 37
PID 1400 wrote to memory of 1816 | 1400 | igfxwp32.exe | 37
PID 1400 wrote to memory of 1816 | 1400 | igfxwp32.exe | 37
PID 1400 wrote to memory of 1816 | 1400 | igfxwp32.exe | 37
PID 1816 wrote to memory of 2024 | 1816 | igfxwp32.exe | 38
PID 1816 wrote to memory of 2024 | 1816 | igfxwp32.exe | 38
PID 1816 wrote to memory of 2024 | 1816 | igfxwp32.exe | 38
PID 1816 wrote to memory of 2024 | 1816 | igfxwp32.exe | 38
PID 2024 wrote to memory of 1992 | 2024 | igfxwp32.exe | 39
PID 2024 wrote to memory of 1992 | 2024 | igfxwp32.exe | 39
PID 2024 wrote to memory of 1992 | 2024 | igfxwp32.exe | 39
PID 2024 wrote to memory of 1992 | 2024 | igfxwp32.exe | 39
PID 2024 wrote to memory of 1992 | 2024 | igfxwp32.exe | 39
PID 2024 wrote to memory of 1992 | 2024 | igfxwp32.exe | 39
PID 2024 wrote to memory of 1992 | 2024 | igfxwp32.exe | 39
PID 1992 wrote to memory of 2856 | 1992 | igfxwp32.exe | 40
PID 1992 wrote to memory of 2856 | 1992 | igfxwp32.exe | 40
PID 1992 wrote to memory of 2856 | 1992 | igfxwp32.exe | 40
PID 1992 wrote to memory of 2856 | 1992 | igfxwp32.exe | 40
PID 2856 wrote to memory of 3068 | 2856 | igfxwp32.exe | 41
PID 2856 wrote to memory of 3068 | 2856 | igfxwp32.exe | 41
PID 2856 wrote to memory of 3068 | 2856 | igfxwp32.exe | 41
PID 2856 wrote to memory of 3068 | 2856 | igfxwp32.exe | 41
PID 2856 wrote to memory of 3068 | 2856 | igfxwp32.exe | 41
PID 2856 wrote to memory of 3068 | 2856 | igfxwp32.exe | 41
PID 2856 wrote to memory of 3068 | 2856 | igfxwp32.exe | 41
PID 3068 wrote to memory of 1648 | 3068 | igfxwp32.exe | 42
PID 3068 wrote to memory of 1648 | 3068 | igfxwp32.exe | 42
Processes
(tree depth in brackets; depth increases by one per entry, so each process is spawned by the one listed before it)

[1] C:\Users\Admin\AppData\Local\Temp\dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1964

[2] C:\Users\Admin\AppData\Local\Temp\dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe"
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2376

[3] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\DAE49C~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2152

[4] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\DAE49C~1.EXE
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2364

[5] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2792

[6] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2660

[7] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1400

[8] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1816

[9] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2024

[10] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1992

[11] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2856

[12] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3068

[13] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1648

[14] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 440

[15] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1200

[16] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3020

[17] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2448

[18] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 628

[19] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 544

[20] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1916

[21] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2052

[22] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2940

[23] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2064

[24] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2652

[25] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2972

[26] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2684

[27] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 832

[28] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1736

[29] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1860

[30] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1444

[31] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2656

[32] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2716

[33] C:\Windows\SysWOW64\igfxwp32.exe
    Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
    - Executes dropped EXE
    PID: 1776
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 195KB
MD5: dae49c78b1aae3697fc7bbe56c10608e
SHA1: adeffe2028d175e81ae049b27ad5b969eaa78a13
SHA256: 2826bfe269db279cfdd4f29dbc5525ce3b5ce95dd0f50e89a46cc6223e2efdd7
SHA512: 08ffaaee84601da5c2d8dc080fdeea081b2385c83fcdcf410febac1a68222793b72005ea8ca3a3ca89b635fcae7a82d9469205a551b3306457e730a2946b251c