Analysis

max time kernel:  147s
max time network: 120s
platform:         windows7_x64
resource:         win7-20241023-en
resource tags:    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted:        09-12-2024 19:26

Static task:      static1
Behavioral task:  behavioral1
  Sample:   db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe
  Resource: win7-20241023-en
Behavioral task:  behavioral2
  Sample:   db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe
Size:   174KB
MD5:    db2ba6dc7a5e79e207d16345629c5e74
SHA1:   aea33d0bc3a390d588fb08b76507210a87e0baf6
SHA256: e52e5dc7705774b3ac9d740616f93a05602b3c8c59c9aadb9250ed8b21265204
SHA512: 79ddb9bfc1977751ee5731f397d95e3c719530b2288df2c13463f9af2da7c3a586d017a7e69beaee8fb8eced9a7b1fad9ce1e2c6494b6fbeaa7ee6c6ef655994
SSDEEP: 3072:E6obs2IlIG5EgFnJ97o06HN/Hg7ceAHKQ49+duTrXz1+gCbiL417CMmAouV:cSlMgFJ+06NAI1HKN9+MTrD1+gjHaJV
Malware Config

Extracted: metasploit
Encoder:   encoder/call4_dword_xor (Metasploit's x86/call4_dword_xor payload encoder; the decoder stub it prepends is what the extractor recognised)
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Metasploit family
Deletes itself (1 IoC)
PID 2844  igfxwd32.exe
PID 2844 is the igfxwd32.exe instance whose command line still carries the original sample's path (level 4 in the process tree below), consistent with the dropped copy removing the file it was launched from.
Executes dropped EXE (31 IoCs)
Process igfxwd32.exe, PIDs: 1372, 2844, 2864, 2968, 2488, 1952, 2144, 2036, 1956, 2748, 2924, 1140, 2928, 920, 2444, 1936, 1760, 1568, 2544, 2020, 2816, 3012, 2692, 1728, 2588, 2044, 1696, 828, 2336, 316, 2432
Loads dropped DLL (31 IoCs)
PID 2420  db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe
Process igfxwd32.exe, PIDs: 1372, 2844, 2864, 2968, 2488, 1952, 2144, 2036, 1956, 2748, 2924, 1140, 2928, 920, 2444, 1936, 1760, 1568, 2544, 2020, 2816, 3012, 2692, 1728, 2588, 2044, 1696, 828, 2336, 316
Maps connected drives based on registry (3 TTPs, 32 IoCs)
Disk information is often read in order to detect sandboxing environments. The Disk\Enum\0 value holds the device-instance ID of the first disk, which typically embeds the vendor/model string, so a virtual disk (VirtualBox, VMware, QEMU and similar) is visible there without any driver-level query. The 32 entries collapse to four distinct (description, key, process) rows:

description        ioc                                                          process                                               count
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    igfxwd32.exe                                          15
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe    1
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe                                          15
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe    1

Each of the 16 hollowed processes (2420 and the fifteen even-level igfxwd32.exe instances) opens the key once and queries value 0 once.
Drops file in System32 directory (48 IoCs)
The 48 entries are three operations performed by each of the same 16 processes:

description                 ioc                                process                                               count
File created                C:\Windows\SysWOW64\igfxwd32.exe   db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe    1
File created                C:\Windows\SysWOW64\igfxwd32.exe   igfxwd32.exe                                          15
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe  db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe    1
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe                                          15
File opened for modification C:\Windows\SysWOW64\              db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe    1
File opened for modification C:\Windows\SysWOW64\              igfxwd32.exe                                          15
Suspicious use of SetThreadContext (16 IoCs)

source PID  set thread context of  source process                                        target#
2628        2420                   db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe    31
1372        2844                   igfxwd32.exe                                          33
2864        2968                   igfxwd32.exe                                          35
2488        1952                   igfxwd32.exe                                          37
2144        2036                   igfxwd32.exe                                          39
1956        2748                   igfxwd32.exe                                          41
2924        1140                   igfxwd32.exe                                          43
2928        920                    igfxwd32.exe                                          45
2444        1936                   igfxwd32.exe                                          47
1760        1568                   igfxwd32.exe                                          49
2544        2020                   igfxwd32.exe                                          51
2816        3012                   igfxwd32.exe                                          53
2692        1728                   igfxwd32.exe                                          55
2588        2044                   igfxwd32.exe                                          57
1696        828                    igfxwd32.exe                                          59
2336        316                    igfxwd32.exe                                          61
Memory dumps matching YARA rule "upx" (behavioral1, 41 dumps)
Every match covers the same image range 0x0000000000400000-0x0000000000466000, i.e. the main module of each hollowed process:

PID    dump ids                   region                                          rule
2420   2, 3, 6, 7, 8, 9, 19       0x0000000000400000-0x0000000000466000           upx
2844   29, 30, 31, 32, 38         0x0000000000400000-0x0000000000466000           upx
2968   48, 49, 53                 0x0000000000400000-0x0000000000466000           upx
1952   64, 72                     0x0000000000400000-0x0000000000466000           upx
2036   82, 88                     0x0000000000400000-0x0000000000466000           upx
2748   99, 100, 101, 107          0x0000000000400000-0x0000000000466000           upx
1140   119, 124                   0x0000000000400000-0x0000000000466000           upx
920    134, 142                   0x0000000000400000-0x0000000000466000           upx
1936   153, 159                   0x0000000000400000-0x0000000000466000           upx
1568   176                        0x0000000000400000-0x0000000000466000           upx
2020   191                        0x0000000000400000-0x0000000000466000           upx
3012   203, 209                   0x0000000000400000-0x0000000000466000           upx
1728   221, 227                   0x0000000000400000-0x0000000000466000           upx
2044   237, 243                   0x0000000000400000-0x0000000000466000           upx
828    255, 259                   0x0000000000400000-0x0000000000466000           upx
316    268, 272                   0x0000000000400000-0x0000000000466000           upx

(dump file names follow the pattern behavioral1/memory/<pid>-<dump id>-0x0000000000400000-0x0000000000466000-memory.dmp)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 32 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. All 32 entries are the same key:

description  ioc                                                          process                                               count
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwd32.exe                                          30
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe    2

The sandbox locale is en-us (see resource tags); the report does not show which language value, if any, the sample treats as a stop condition.
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Two entries per process for: 2420 (db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe) and igfxwd32.exe PIDs 2844, 2968, 1952, 2036, 2748, 1140, 920, 1936, 1568, 2020, 3012, 1728, 2044, 828, 316. These are exactly the 16 hollowed processes listed as SetThreadContext targets above.
Suspicious use of WriteProcessMemory (64 IoCs)
The report logs one entry per WriteProcessMemory call, so each parent/child pair repeats; collapsed by pair:

source PID  wrote to memory of  source process                                        target#  calls
2628        2420                db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe    31       7
2420        1372                db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe    32       4
1372        2844                igfxwd32.exe                                          33       7
2844        2864                igfxwd32.exe                                          34       4
2864        2968                igfxwd32.exe                                          35       7
2968        2488                igfxwd32.exe                                          36       4
2488        1952                igfxwd32.exe                                          37       7
1952        2144                igfxwd32.exe                                          38       4
2144        2036                igfxwd32.exe                                          39       7
2036        1956                igfxwd32.exe                                          40       4
1956        2748                igfxwd32.exe                                          41       7
2748        2924                igfxwd32.exe                                          42       2 (list ends at entry 64)

Two things to read off this table. First, the seven-call edges are exactly the SetThreadContext pairs above (parent and child run the same image), which is the write-sections-then-redirect-thread pattern of process hollowing; the four-call edges are the plain launches of the next igfxwd32.exe, where the writes are the normal CreateProcess-time writes into a new child. Second, the list stops at 64 entries in the middle of the 2748 -> 2924 edge, so the later links of the chain are simply not shown here, which is also why the per-process WriteProcessMemory tag disappears from level 13 onward in the tree below.
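To turn the two lists above into something an analyst can act on, here is an added example (mine, not part of the sandbox report or of the sample) that parses lines in the report's own "PID <src> ... of <dst> <src> <image> <n>" shape and separates hollowing edges from plain spawn edges using one rule: a parent that writes into a child and then calls SetThreadContext on it, where the child runs the same image as the parent, is hollowing that child. The input lines are copied from this report (first eight links of the chain); the regular expression, function names and the "hollow"/"spawn" labels are the example's own assumptions.

```python
"""Reconstruct the hollowing chain from a sandbox report's signature lines.

Added example for this report; not sandbox output and not code from the
sample. Rule applied: WriteProcessMemory + SetThreadContext from a parent
into a child that runs the *same* image == process hollowing (RunPE).
Any other write-then-launch edge is treated as a plain spawn.
"""
import re
from typing import Dict, List, Tuple

Event = Tuple[int, str, int, str]  # (src_pid, action, dst_pid, src_image)

# Constructed input: the first four SetThreadContext entries from the report.
SET_CTX_LINES = """
PID 2628 set thread context of 2420 2628 db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe 31
PID 1372 set thread context of 2844 1372 igfxwd32.exe 33
PID 2864 set thread context of 2968 2864 igfxwd32.exe 35
PID 2488 set thread context of 1952 2488 igfxwd32.exe 37
"""

# Constructed input: WriteProcessMemory entries for the same links. The
# report prints one line per call, so pairs repeat; one repeat is kept for
# 2628 -> 2420 to show that the parser collapses it.
WRITE_MEM_LINES = """
PID 2628 wrote to memory of 2420 2628 db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe 31
PID 2628 wrote to memory of 2420 2628 db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe 31
PID 2420 wrote to memory of 1372 2420 db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe 32
PID 1372 wrote to memory of 2844 1372 igfxwd32.exe 33
PID 2844 wrote to memory of 2864 2844 igfxwd32.exe 34
PID 2864 wrote to memory of 2968 2864 igfxwd32.exe 35
PID 2968 wrote to memory of 2488 2968 igfxwd32.exe 36
PID 2488 wrote to memory of 1952 2488 igfxwd32.exe 37
PID 1952 wrote to memory of 2144 1952 igfxwd32.exe 38
"""

# Assumed line shape (matches the report as printed above).
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) \d+"
)


def parse_events(text: str) -> List[Event]:
    """Parse report lines into (src, action, dst, src_image); exact repeats are dropped."""
    events: List[Event] = []
    seen = set()
    for m in EVENT_RE.finditer(text):
        ev: Event = (int(m["src"]), m["action"], int(m["dst"]), m["image"])
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def image_map(events: List[Event]) -> Dict[int, str]:
    """PID -> image. The report names only the *source* image on each line,
    so a child's image becomes known once it acts as a source itself."""
    images: Dict[int, str] = {}
    for src, _, _, image in events:
        images.setdefault(src, image)
    return images


def hollowing_pairs(events: List[Event]) -> List[Tuple[int, int]]:
    """(parent, child) pairs matching the hollowing rule, in report order."""
    images = image_map(events)
    wrote = {(s, d) for s, a, d, _ in events if a == "wrote to memory of"}
    pairs: List[Tuple[int, int]] = []
    for s, a, d, _ in events:
        if a != "set thread context of" or (s, d) not in wrote:
            continue
        # Same image in parent and child: the child was started (suspended) as
        # a copy of the parent and then had its image overwritten.
        if d in images and images[d] == images[s]:
            pairs.append((s, d))
    return pairs


def build_chain(events: List[Event], root: int) -> List[int]:
    """Follow WriteProcessMemory edges from root. In this report every process
    writes into exactly one child, so the walk is a straight line."""
    nxt: Dict[int, int] = {}
    for s, a, d, _ in events:
        if a == "wrote to memory of":
            nxt.setdefault(s, d)
    chain = [root]
    while chain[-1] in nxt and nxt[chain[-1]] not in chain:
        chain.append(nxt[chain[-1]])
    return chain


def classify_chain(events: List[Event], root: int) -> List[Tuple[int, int, str]]:
    """Label each edge of the chain 'hollow' or 'spawn'."""
    hollow = set(hollowing_pairs(events))
    chain = build_chain(events, root)
    return [(s, d, "hollow" if (s, d) in hollow else "spawn")
            for s, d in zip(chain, chain[1:])]


if __name__ == "__main__":
    evs = parse_events(SET_CTX_LINES + WRITE_MEM_LINES)
    imgs = image_map(evs)
    for s, d, kind in classify_chain(evs, 2628):
        print(f"{kind:6s} {s:>5} ({imgs[s]}) -> {d:>5} ({imgs.get(d, '?')})")
```

Run against the lines above, the chain alternates hollow/spawn from 2628 down to 2144, which is the pattern the full process tree below shows for all 33 levels. On a live host the same rule can be applied to Sysmon Event ID 10 (ProcessAccess) plus CreateRemoteThread/SetThreadContext telemetry from an EDR, keyed on parent and child sharing an image path.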
Processes

Chain summary: the sample (PID 2628) starts a second copy of itself (2420) and hollows it (SetThreadContext + WriteProcessMemory). The hollowed copy drops igfxwd32.exe into C:\Windows\SysWOW64 and launches it with the original sample's path as argument (1372); that instance starts another igfxwd32.exe (2844) and hollows it, and 2844 deletes the original file. From level 5 on, every hollowed instance launches igfxwd32.exe with its own path as argument and the launch/hollow pair repeats, reaching level 33 within the analysis window. Command lines name C:\Windows\system32\igfxwd32.exe while the image actually loaded is C:\Windows\SysWOW64\igfxwd32.exe: the process is 32-bit, so WOW64 file-system redirection maps system32 to SysWOW64. The WriteProcessMemory tag stops at level 12 because the WriteProcessMemory list above is cut at 64 entries, not because the behaviour changes.

Level 1   PID 2628   C:\Users\Admin\AppData\Local\Temp\db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe
          cmd:  "C:\Users\Admin\AppData\Local\Temp\db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe"
          tags: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

Level 2   PID 2420   C:\Users\Admin\AppData\Local\Temp\db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe
          cmd:  "C:\Users\Admin\AppData\Local\Temp\db2ba6dc7a5e79e207d16345629c5e74_JaffaCakes118.exe"
          tags: Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

Level 3   PID 1372   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\DB2BA6~1.EXE
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

Level 4   PID 2844   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\DB2BA6~1.EXE
          tags: Deletes itself; Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

Level 5   PID 2864   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

Level 6   PID 2968   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

Level 7   PID 2488   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

Level 8   PID 1952   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

Level 9   PID 2144   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

Level 10  PID 2036   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

Level 11  PID 1956   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

Level 12  PID 2748   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

Level 13  PID 2924   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery

Level 14  PID 1140   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

Level 15  PID 2928   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery

Level 16  PID 920    C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

Level 17  PID 2444   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery

Level 18  PID 1936   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

Level 19  PID 1760   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery

Level 20  PID 1568   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

Level 21  PID 2544   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery

Level 22  PID 2020   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

Level 23  PID 2816   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery

Level 24  PID 3012   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

Level 25  PID 2692   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery

Level 26  PID 1728   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

Level 27  PID 2588   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery

Level 28  PID 2044   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

Level 29  PID 1696   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery

Level 30  PID 828    C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

Level 31  PID 2336   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery

Level 32  PID 316    C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

Level 33  PID 2432   C:\Windows\SysWOW64\igfxwd32.exe
          cmd:  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
          tags: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 174KB
MD5:      db2ba6dc7a5e79e207d16345629c5e74
SHA1:     aea33d0bc3a390d588fb08b76507210a87e0baf6
SHA256:   e52e5dc7705774b3ac9d740616f93a05602b3c8c59c9aadb9250ed8b21265204
SHA512:   79ddb9bfc1977751ee5731f397d95e3c719530b2288df2c13463f9af2da7c3a586d017a7e69beaee8fb8eced9a7b1fad9ce1e2c6494b6fbeaa7ee6c6ef655994

(The hashes are identical to those of the submitted sample in the General section, so the downloadable artifact is a byte-for-byte copy of it.)