Analysis
max time kernel: 147s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 13-12-2024 21:50
Static task
static1
Behavioral task
behavioral1
Sample
ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
Target: ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
Size: 195KB
MD5: ecdfe6f3b30a3a6884b8ed56784f539a
SHA1: 30a0417c62844abf2ba1f6831f0e401e233cb43c
SHA256: 351278495f43eeb2c84f28d969a4f633b17fc07a829f89dd5268a66c210df62c
SHA512: 0269475247b81149712b28e0bc073879c26985bcef58eb0f225f9a0b5e780d59fda809ac62d748d1b4d6e681f9c0aca9cde0c2e4ac8251e8a1f16353de13dc35
SSDEEP: 3072:Z2t9v1vvdaN5R5+E66WVKnJ1oDgF18/ZYBvJw5WwfhuBdyxXMezdurY/f3O4CUqw:cvVaNHFxWV217tvbwfsB2XMEMrAjqw
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
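The extracted config names the encoder as metasploit encoder/call4_dword_xor, which is what the "MetaSploit" signature keys on: the config extractor recognises the decoder stub that this encoder prepends to a payload. The stub XORs the payload one dword at a time with a fixed 4-byte key that msfvenom picks per run, so recovering the payload from a sample means lifting the key out of the stub. The following is an added example, not code from this page or from Metasploit: it builds a blob with the same stub layout as the call4_dword_xor decoder (as I know it; the ECX set-up idiom and zero padding are my simplifications of what the real encoder may vary to dodge bad characters) and then decodes it the way an analyst would decode the real thing, by finding the stub and reading the key from its `xor dword [esi+0x0e], KEY` instruction.

```python
"""Encode and decode the way Metasploit's x86/call4_dword_xor encoder does.

Added example; this is not code from the sandbox page or from Metasploit.
The decoder-stub bytes reflect the stub that encoder emits as I know it; the
4-byte XOR key is chosen per msfvenom run, so a decoder has to lift it from
the stub rather than assume it.
"""
import struct

# Fixed stub bytes after the ECX set-up:
#   e8 ff ff ff ff   call $+4      (pushes the address of the 0xc0 byte below)
#   c0               (with the preceding ff: inc eax, harmless filler)
#   5e               pop esi       (esi -> that 0xc0 byte)
#   81 76 0e KEY     xor dword [esi+0x0e], KEY   (0x0e = bytes from 0xc0 to payload)
#   83 ee fc         sub esi, -4   (esi += 4 without a NULL in the immediate)
#   e2 f4            loop          (ecx--, back to the xor while ecx != 0)
STUB_HEAD = b"\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
STUB_TAIL = b"\x83\xee\xfc\xe2\xf4"


def _set_ecx(ndwords: int) -> bytes:
    """xor ecx,ecx ; sub ecx,-n  -- the loop counter, written as a negative
    immediate so small counts put no NULL byte into the stub."""
    if ndwords <= 128:
        return b"\x31\xc9\x83\xe9" + struct.pack("<b", -ndwords)
    return b"\x31\xc9\x81\xe9" + struct.pack("<i", -ndwords)


def encode(payload: bytes, key: int) -> bytes:
    """Return stub + payload XORed dword-by-dword with the fixed key.
    Real msfvenom pads the last dword with random bytes; zero padding here."""
    padded = payload + b"\x00" * (-len(payload) % 4)
    words = struct.unpack("<%dI" % (len(padded) // 4), padded)
    body = struct.pack("<%dI" % len(words), *(w ^ key for w in words))
    return _set_ecx(len(words)) + STUB_HEAD + struct.pack("<I", key) + STUB_TAIL + body


def decode(blob: bytes):
    """Find the stub in blob, lift the key and loop count, return (key, ndwords, payload)."""
    off = blob.find(STUB_HEAD)
    if off < 0:
        raise ValueError("no call4_dword_xor stub found")
    key_off = off + len(STUB_HEAD)
    (key,) = struct.unpack_from("<I", blob, key_off)
    body_off = key_off + 4 + len(STUB_TAIL)
    if blob[key_off + 4:body_off] != STUB_TAIL:
        raise ValueError("stub tail mismatch after key")

    # Loop count from the xor/sub ECX set-up, if it sits right before the stub.
    # Metasploit may pick another ECX idiom to avoid bad chars; in that case we
    # decode every complete dword to the end of the buffer instead.
    count = None
    pre = blob[max(0, off - 8):off]
    if pre[-5:-1] == b"\x31\xc9\x83\xe9":
        count = -struct.unpack("<b", pre[-1:])[0]
    elif pre[-8:-4] == b"\x31\xc9\x81\xe9":
        count = -struct.unpack("<i", pre[-4:])[0]

    avail = (len(blob) - body_off) // 4
    n = avail if count is None else min(count, avail)
    words = struct.unpack_from("<%dI" % n, blob, body_off)
    return key, n, struct.pack("<%dI" % n, *(w ^ key for w in words))


# Constructed placeholder payload; stands in for a real msfvenom payload.
SAMPLE_PAYLOAD = b"\x90\x90\x90\xcc" + b"MSF-TEST-PAYLOAD!"   # 21 bytes -> 6 dwords


if __name__ == "__main__":
    blob = encode(SAMPLE_PAYLOAD, 0x41424344)
    key, n, out = decode(blob)
    print("stub+body:", blob.hex())
    print("key=%#x dwords=%d payload=%r" % (key, n, out))
```

Against a real sample, run `decode` over the unpacked image or a memory dump of the hollowed process (here, the 0x400000-0x466000 regions listed under the upx yara hits), not over the packed file on disk. Because the key is constant across the whole payload, a single known plaintext dword (for example the `fc e8` prologue most x86 Metasploit stagers start with) also gives the key directly, which is the fallback when the stub has been partially overwritten.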
Deletes itself 1 IoCs
pid  Process
3000  igfxwp32.exe
Executes dropped EXE 31 IoCs
pid  Process
584  igfxwp32.exe
3000  igfxwp32.exe
1712  igfxwp32.exe
2636  igfxwp32.exe
1980  igfxwp32.exe
1088  igfxwp32.exe
2844  igfxwp32.exe
2664  igfxwp32.exe
1560  igfxwp32.exe
2972  igfxwp32.exe
2192  igfxwp32.exe
444  igfxwp32.exe
2900  igfxwp32.exe
2468  igfxwp32.exe
2444  igfxwp32.exe
1744  igfxwp32.exe
1480  igfxwp32.exe
1492  igfxwp32.exe
2152  igfxwp32.exe
2696  igfxwp32.exe
584  igfxwp32.exe
2724  igfxwp32.exe
2616  igfxwp32.exe
2920  igfxwp32.exe
1108  igfxwp32.exe
2064  igfxwp32.exe
2952  igfxwp32.exe
1296  igfxwp32.exe
2128  igfxwp32.exe
920  igfxwp32.exe
1288  igfxwp32.exe
Loads dropped DLL 31 IoCs
pid  Process
2412  ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
584  igfxwp32.exe
3000  igfxwp32.exe
1712  igfxwp32.exe
2636  igfxwp32.exe
1980  igfxwp32.exe
1088  igfxwp32.exe
2844  igfxwp32.exe
2664  igfxwp32.exe
1560  igfxwp32.exe
2972  igfxwp32.exe
2192  igfxwp32.exe
444  igfxwp32.exe
2900  igfxwp32.exe
2468  igfxwp32.exe
2444  igfxwp32.exe
1744  igfxwp32.exe
1480  igfxwp32.exe
1492  igfxwp32.exe
2152  igfxwp32.exe
2696  igfxwp32.exe
584  igfxwp32.exe
2724  igfxwp32.exe
2616  igfxwp32.exe
2920  igfxwp32.exe
1108  igfxwp32.exe
2064  igfxwp32.exe
2952  igfxwp32.exe
1296  igfxwp32.exe
2128  igfxwp32.exe
920  igfxwp32.exe
Maps connected drives based on registry 3 TTPs 32 IoCs
Disk information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwp32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwp32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwp32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwp32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwp32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwp32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwp32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwp32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwp32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwp32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwp32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwp32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwp32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwp32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwp32.exe
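The value the sample reads, `Disk\Enum\0`, is the PnP device-instance string of the first disk, and on a hypervisor it carries the vendor's name in the model field. The report shows only that the key is opened and value 0 queried; which strings this particular sample compares against is not on the page. The following is an added example, not the sample's own check: it parses Disk\Enum values of the two shapes Windows writes (IDE-style underscored padding and SCSI-style `&Ven_`/`&Prod_` fields) and flags the hypervisor markers a VM-aware loader typically looks for. The marker list and every sample value are constructed for illustration.

```python
r"""Parse and classify HKLM\SYSTEM\...\Services\Disk\Enum values.

Added example.  The report only shows the sample opening that key and reading
value "0"; which strings it compares against is not on the page.  The marker
list and every sample value below are constructed for illustration.
"""
import re

# Vendor/model fragments that betray a hypervisor disk (constructed list).
# "VIRTUAL" also catches Hyper-V's "Virtual Disk" model string.
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUAL", "QEMU", "XEN")

# Disk\Enum values name a PnP device instance:  <bus>\Disk<vendor_model_rev>\<instance>
ENUM_RE = re.compile(r"^(?P<bus>[A-Za-z]+)\\Disk(?P<desc>[^\\]+)\\(?P<instance>.+)$")


def parse_disk_enum(value):
    """-> (bus, human-readable model string, instance id)"""
    m = ENUM_RE.match(value)
    if not m:
        raise ValueError("not a Disk\\Enum device instance: %r" % value)
    desc = re.sub(r"&(Ven|Prod|Rev)_", " ", m.group("desc"))   # SCSI-style fields
    desc = re.sub(r"_+", " ", desc).strip()                    # IDE-style padding
    return m.group("bus").upper(), desc, m.group("instance")


def vm_marker(value):
    """Return the marker that makes this disk look virtual, or None."""
    _, desc, _ = parse_disk_enum(value)
    upper = desc.upper()
    return next((mk for mk in VM_MARKERS if mk in upper), None)


def looks_sandboxed(enum_values):
    """True if any enumerated disk carries a VM marker."""
    return any(vm_marker(v) for v in enum_values)


# Constructed sample values in the shape Windows writes to Disk\Enum\0
SAMPLES = {
    "vmware_ide": r"IDE\DiskVMware_Virtual_IDE_Hard_Drive___________00000001\5&1982005&0&0.0.0",
    "vbox_ide":   r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&2a1ae7a0&0&0.0.0",
    "qemu_scsi":  r"SCSI\Disk&Ven_QEMU&Prod_QEMU_HARDDISK\4&1e9a4c0b&0&000000",
    "physical":   r"IDE\DiskWDC_WD5000AAKX-00ERMA0_________________15.01H15\5&3c1f6a2e&0&0.0.0",
}


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print("%-11s %-35s marker=%s" % (name, parse_disk_enum(value)[1], vm_marker(value)))
```

For detonation, this is the value to sanitise: a sandbox whose Disk\Enum strings read like a physical drive (the `physical` sample above) will not trip a check of this kind, and the sample reads the same key again in every hollowed instance, so a single spoofed value covers the whole chain.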
Drops file in System32 directory 48 IoCs
description  ioc  Process
File created  C:\Windows\SysWOW64\igfxwp32.exe  ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
File created  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File created  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  igfxwp32.exe
File created  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File created  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File created  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File created  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File created  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  igfxwp32.exe
File created  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File created  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File created  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  igfxwp32.exe
File created  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  igfxwp32.exe
File created  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File created  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  igfxwp32.exe
File opened for modification  C:\Windows\SysWOW64\  igfxwp32.exe
File created  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
File created  C:\Windows\SysWOW64\igfxwp32.exe  igfxwp32.exe
Suspicious use of SetThreadContext 16 IoCs
description  pid  Process  procid_target
PID 1244 set thread context of 2412  1244  ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe  31
PID 584 set thread context of 3000  584  igfxwp32.exe  33
PID 1712 set thread context of 2636  1712  igfxwp32.exe  35
PID 1980 set thread context of 1088  1980  igfxwp32.exe  37
PID 2844 set thread context of 2664  2844  igfxwp32.exe  39
PID 1560 set thread context of 2972  1560  igfxwp32.exe  41
PID 2192 set thread context of 444  2192  igfxwp32.exe  43
PID 2900 set thread context of 2468  2900  igfxwp32.exe  45
PID 2444 set thread context of 1744  2444  igfxwp32.exe  47
PID 1480 set thread context of 1492  1480  igfxwp32.exe  49
PID 2152 set thread context of 2696  2152  igfxwp32.exe  51
PID 584 set thread context of 2724  584  igfxwp32.exe  53
PID 2616 set thread context of 2920  2616  igfxwp32.exe  55
PID 1108 set thread context of 2064  1108  igfxwp32.exe  57
PID 2952 set thread context of 1296  2952  igfxwp32.exe  59
PID 2128 set thread context of 920  2128  igfxwp32.exe  61
Yara rule upx matches (memory dumps)
resource  yara_rule
behavioral1/memory/2412-9-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2412-8-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2412-7-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2412-6-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2412-3-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2412-2-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2412-19-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/3000-30-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/3000-31-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/3000-32-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/3000-29-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/3000-37-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2636-47-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2636-53-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1088-65-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1088-72-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2664-83-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2664-82-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2664-88-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2972-98-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2972-100-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2972-99-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2972-105-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/444-122-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2468-139-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1744-149-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1744-155-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1492-167-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1492-173-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2696-184-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2696-190-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2724-201-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2724-208-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2920-224-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2064-236-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2064-242-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1296-257-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/920-269-0x0000000000400000-0x0000000000466000-memory.dmp  upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 32 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwp32.exe
Suspicious behavior: EnumeratesProcesses 48 IoCs
pid  Process
1244  ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
2412  ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
2412  ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
584  igfxwp32.exe
3000  igfxwp32.exe
3000  igfxwp32.exe
1712  igfxwp32.exe
2636  igfxwp32.exe
2636  igfxwp32.exe
1980  igfxwp32.exe
1088  igfxwp32.exe
1088  igfxwp32.exe
2844  igfxwp32.exe
2664  igfxwp32.exe
2664  igfxwp32.exe
1560  igfxwp32.exe
2972  igfxwp32.exe
2972  igfxwp32.exe
2192  igfxwp32.exe
444  igfxwp32.exe
444  igfxwp32.exe
2900  igfxwp32.exe
2468  igfxwp32.exe
2468  igfxwp32.exe
2444  igfxwp32.exe
1744  igfxwp32.exe
1744  igfxwp32.exe
1480  igfxwp32.exe
1492  igfxwp32.exe
1492  igfxwp32.exe
2152  igfxwp32.exe
2696  igfxwp32.exe
2696  igfxwp32.exe
584  igfxwp32.exe
2724  igfxwp32.exe
2724  igfxwp32.exe
2616  igfxwp32.exe
2920  igfxwp32.exe
2920  igfxwp32.exe
1108  igfxwp32.exe
2064  igfxwp32.exe
2064  igfxwp32.exe
2952  igfxwp32.exe
1296  igfxwp32.exe
1296  igfxwp32.exe
2128  igfxwp32.exe
920  igfxwp32.exe
920  igfxwp32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Identical rows are collapsed; the count column gives the number of times each row appears. The table stops at 64 rows, at the 2972 to 2192 writes; later writes in the chain are not listed.
description  pid  Process  procid_target  count
PID 1244 wrote to memory of 2412  1244  ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe  31  7
PID 2412 wrote to memory of 584  2412  ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe  32  4
PID 584 wrote to memory of 3000  584  igfxwp32.exe  33  7
PID 3000 wrote to memory of 1712  3000  igfxwp32.exe  34  4
PID 1712 wrote to memory of 2636  1712  igfxwp32.exe  35  7
PID 2636 wrote to memory of 1980  2636  igfxwp32.exe  36  4
PID 1980 wrote to memory of 1088  1980  igfxwp32.exe  37  7
PID 1088 wrote to memory of 2844  1088  igfxwp32.exe  38  4
PID 2844 wrote to memory of 2664  2844  igfxwp32.exe  39  7
PID 2664 wrote to memory of 1560  2664  igfxwp32.exe  40  4
PID 1560 wrote to memory of 2972  1560  igfxwp32.exe  41  7
PID 2972 wrote to memory of 2192  2972  igfxwp32.exe  42  2
Processes
Each entry gives the process image, its command line, the signatures that fired in it, and its PID. Depth is the nesting level in the tree: each process is the child of the one above it.

Depth 1: C:\Users\Admin\AppData\Local\Temp\ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244

Depth 2: C:\Users\Admin\AppData\Local\Temp\ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2412

Depth 3: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\ECDFE6~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:584

Depth 4: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\ECDFE6~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000

Depth 5: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712

Depth 6: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636

Depth 7: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980

Depth 8: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1088

Depth 9: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2844

Depth 10: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664

Depth 11: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1560

Depth 12: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972

Depth 13: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2192

Depth 14: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:444

Depth 15: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2900

Depth 16: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2468

Depth 17: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2444

Depth 18: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1744

Depth 19: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1480

Depth 20: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1492

Depth 21: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2152

Depth 22: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2696

Depth 23: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:584

Depth 24: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2724

Depth 25: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2616

Depth 26: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2920

Depth 27: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1108

Depth 28: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2064

Depth 29: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2952

Depth 30: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1296

Depth 31: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2128

Depth 32: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:920

Depth 33: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
PID:1288
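The SetThreadContext and WriteProcessMemory tables together with the process tree describe one repeating pattern: a process starts a second copy of its own image, writes into it, then sets the new process's thread context, and the copy that was written into (not the one that did the writing) is the one that drops igfxwp32.exe, reads the Disk\Enum and NLS\Language keys, and launches the next copy. That is self-hollowing (a loader replacing the image of a suspended child that runs the same executable), and it alternates down the whole tree. The following is an added example, not part of the sandbox's output: it parses the SetThreadContext rows as the report prints them, matches each one against a parent-to-child edge of the tree, and reports where in the chain the hollowing happens. The row text and the PID chain are copied from this report; the "same image in parent and child" rule is my heuristic, not the sandbox's.

```python
"""Rebuild the process-hollowing chain from the report's SetThreadContext rows
and its process tree.  Added example, not part of the sandbox page; the row
text and the PID chain below are copied from the report, and the rule that a
parent setting a thread context in a child running the same image is hollowing
is my heuristic, not the sandbox's.
"""
import re
from collections import Counter

SAMPLE = "ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe"
DROPPED = "igfxwp32.exe"

# "Suspicious use of SetThreadContext" rows, as extracted from the report
SET_THREAD_CONTEXT = (
    "PID 1244 set thread context of 2412 1244 ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe 31 "
    "PID 584 set thread context of 3000 584 igfxwp32.exe 33 "
    "PID 1712 set thread context of 2636 1712 igfxwp32.exe 35 "
    "PID 1980 set thread context of 1088 1980 igfxwp32.exe 37 "
    "PID 2844 set thread context of 2664 2844 igfxwp32.exe 39 "
    "PID 1560 set thread context of 2972 1560 igfxwp32.exe 41 "
    "PID 2192 set thread context of 444 2192 igfxwp32.exe 43 "
    "PID 2900 set thread context of 2468 2900 igfxwp32.exe 45 "
    "PID 2444 set thread context of 1744 2444 igfxwp32.exe 47 "
    "PID 1480 set thread context of 1492 1480 igfxwp32.exe 49 "
    "PID 2152 set thread context of 2696 2152 igfxwp32.exe 51 "
    "PID 584 set thread context of 2724 584 igfxwp32.exe 53 "
    "PID 2616 set thread context of 2920 2616 igfxwp32.exe 55 "
    "PID 1108 set thread context of 2064 1108 igfxwp32.exe 57 "
    "PID 2952 set thread context of 1296 2952 igfxwp32.exe 59 "
    "PID 2128 set thread context of 920 2128 igfxwp32.exe 61"
)

# Process tree from the report, one PID per depth level (1-based), top to bottom
SPAWN_CHAIN = [1244, 2412, 584, 3000, 1712, 2636, 1980, 1088, 2844, 2664, 1560, 2972,
               2192, 444, 2900, 2468, 2444, 1744, 1480, 1492, 2152, 2696, 584, 2724,
               2616, 2920, 1108, 2064, 2952, 1296, 2128, 920, 1288]

ROW_RE = re.compile(r"PID (\d+) set thread context of (\d+) (\d+) (\S+) (\d+)")


def parse_rows(text):
    """-> [(injector_pid, target_pid, injector_image)]"""
    rows = []
    for m in ROW_RE.finditer(text):
        pid, target, pid_again, image, _procid_target = m.groups()
        if pid != pid_again:
            raise ValueError("row pid columns disagree: " + m.group(0))
        rows.append((int(pid), int(target), image))
    return rows


def image_of(pid):
    # From the tree: the two top-level processes are the sample, everything below is the drop
    return SAMPLE if pid in (1244, 2412) else DROPPED


def hollowing_pairs(rows, chain):
    """Match each SetThreadContext row to a parent->direct-child edge of the tree.
    Matching on the edge, not the bare PID, keeps the two lives of PID 584 apart."""
    found = []
    for injector, target, image in rows:
        for i in range(len(chain) - 1):
            if chain[i] == injector and chain[i + 1] == target:
                found.append({
                    "depth": i + 1, "injector": injector, "target": target,
                    "image": image, "self_hollow": image_of(target) == image,
                })
    return found


def reused_pids(chain):
    """PIDs that occur at more than one depth: the OS handed the number out twice."""
    return {pid for pid, n in Counter(chain).items() if n > 1}


if __name__ == "__main__":
    for p in hollowing_pairs(parse_rows(SET_THREAD_CONTEXT), SPAWN_CHAIN):
        print("depth %2d: %d hollows %d (%s)" % (p["depth"], p["injector"], p["target"], p["image"]))
    print("reused pids:", reused_pids(SPAWN_CHAIN))
```

Two things fall out of running this over the report. First, every hollowing pair sits at an odd depth (1, 3, 5, ... 31), which lines up with the other tables: the upx yara hits and the file-drop and registry rows all belong to the even-depth PIDs, so the odd-depth instance is the packed loader and the even-depth instance is the decoded payload running inside it. Second, PID 584 appears at depth 3 and again at depth 23 because the first process had exited and the kernel reused the number, so anything that keys on PID alone (a SIEM join, a quick grep of the tables) will merge two unrelated processes; match on the parent-child edge or on a PID plus start time instead.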
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 195KB
MD5: ecdfe6f3b30a3a6884b8ed56784f539a
SHA1: 30a0417c62844abf2ba1f6831f0e401e233cb43c
SHA256: 351278495f43eeb2c84f28d969a4f633b17fc07a829f89dd5268a66c210df62c
SHA512: 0269475247b81149712b28e0bc073879c26985bcef58eb0f225f9a0b5e780d59fda809ac62d748d1b4d6e681f9c0aca9cde0c2e4ac8251e8a1f16353de13dc35