Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-12-2024 18:13
Static task: static1
Behavioral task: behavioral1
Sample: dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
Size: 195KB
MD5: dae49c78b1aae3697fc7bbe56c10608e
SHA1: adeffe2028d175e81ae049b27ad5b969eaa78a13
SHA256: 2826bfe269db279cfdd4f29dbc5525ce3b5ce95dd0f50e89a46cc6223e2efdd7
SHA512: 08ffaaee84601da5c2d8dc080fdeea081b2385c83fcdcf410febac1a68222793b72005ea8ca3a3ca89b635fcae7a82d9469205a551b3306457e730a2946b251c
SSDEEP: 3072:o2l12n3IaVLO5+JTPXkMHW45fdCBpb5aQvkHy3U6tsZYQfaxYPHte1tgL:mIaVCAFW8lU0QsydeJHl
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Checks computer location settings 2 TTPs 15 IoCs
Looks up the country code configured in the registry, likely used for geofencing.
Deletes itself 1 IoCs
pid | Process
4660 | igfxwp32.exe
Executes dropped EXE 29 IoCs
Maps connected drives based on registry 3 TTPs 30 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 45 IoCs
Suspicious use of SetThreadContext 15 IoCs
description | pid | Process | procid_target
PID 2812 set thread context of 4464 | 2812 | dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe | 84
PID 2864 set thread context of 4660 | 2864 | igfxwp32.exe | 93
PID 1964 set thread context of 3320 | 1964 | igfxwp32.exe | 99
PID 1748 set thread context of 2204 | 1748 | igfxwp32.exe | 104
PID 4608 set thread context of 2916 | 4608 | igfxwp32.exe | 106
PID 4784 set thread context of 4200 | 4784 | igfxwp32.exe | 108
PID 5084 set thread context of 456 | 5084 | igfxwp32.exe | 110
PID 4144 set thread context of 1680 | 4144 | igfxwp32.exe | 112
PID 5000 set thread context of 3084 | 5000 | igfxwp32.exe | 114
PID 2392 set thread context of 4044 | 2392 | igfxwp32.exe | 116
PID 4064 set thread context of 2040 | 4064 | igfxwp32.exe | 118
PID 3120 set thread context of 4348 | 3120 | igfxwp32.exe | 120
PID 4720 set thread context of 4444 | 4720 | igfxwp32.exe | 122
PID 4740 set thread context of 5032 | 4740 | igfxwp32.exe | 124
PID 3400 set thread context of 5068 | 3400 | igfxwp32.exe | 126
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 15 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe"
   PID: 2812
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\dae49c78b1aae3697fc7bbe56c10608e_JaffaCakes118.exe"
   PID: 4464
   - Checks computer location settings
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\DAE49C~1.EXE
   PID: 2864
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\DAE49C~1.EXE
   PID: 4660
   - Checks computer location settings
   - Deletes itself
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 1964
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 3320
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 1748
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 2204
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 4608
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 2916
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 4784
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 4200
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 5084
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 456
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
15. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 4144
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
16. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 1680
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
17. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 5000
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
18. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 3084
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
19. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 2392
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
20. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 4044
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
21. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 4064
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
22. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 2040
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
23. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 3120
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
24. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 4348
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
25. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 4720
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
26. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 4444
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
27. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 4740
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
28. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 5032
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
29. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 3400
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
30. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 5068
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
31. C:\Windows\SysWOW64\igfxwp32.exe
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   PID: 4392
   - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 195KB
MD5: dae49c78b1aae3697fc7bbe56c10608e
SHA1: adeffe2028d175e81ae049b27ad5b969eaa78a13
SHA256: 2826bfe269db279cfdd4f29dbc5525ce3b5ce95dd0f50e89a46cc6223e2efdd7
SHA512: 08ffaaee84601da5c2d8dc080fdeea081b2385c83fcdcf410febac1a68222793b72005ea8ca3a3ca89b635fcae7a82d9469205a551b3306457e730a2946b251c