Analysis
max time kernel: 146s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-12-2024 21:50

Static task: static1
Behavioral task: behavioral1
  Sample: ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe
Size: 195KB
MD5: ecdfe6f3b30a3a6884b8ed56784f539a
SHA1: 30a0417c62844abf2ba1f6831f0e401e233cb43c
SHA256: 351278495f43eeb2c84f28d969a4f633b17fc07a829f89dd5268a66c210df62c
SHA512: 0269475247b81149712b28e0bc073879c26985bcef58eb0f225f9a0b5e780d59fda809ac62d748d1b4d6e681f9c0aca9cde0c2e4ac8251e8a1f16353de13dc35
SSDEEP: 3072:Z2t9v1vvdaN5R5+E66WVKnJ1oDgF18/ZYBvJw5WwfhuBdyxXMezdurY/f3O4CUqw:cvVaNHFxWV217tvbwfsB2XMEMrAjqw
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Metasploit family
- Checks computer location settings (2 TTPs, 15 IoCs): Looks up country code configured in the registry, likely geofence.
- Deletes itself (1 IoC): PID 4244 igfxwp32.exe
- Executes dropped EXE (29 IoCs)
- Maps connected drives based on registry (3 TTPs, 30 IoCs): Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory (45 IoCs)
- Suspicious use of SetThreadContext (15 IoCs)
- Enumerates physical storage devices (1 TTP): Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 30 IoCs): Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwp32.exe -
- Modifies registry class (15 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry below is the child of the one above it (nesting depth 1 to 31).

1. C:\Users\Admin\AppData\Local\Temp\ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe (PID 2480)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

2. C:\Users\Admin\AppData\Local\Temp\ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe (PID 4488)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ecdfe6f3b30a3a6884b8ed56784f539a_JaffaCakes118.exe"
   - Checks computer location settings
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\igfxwp32.exe (PID 2232)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\ECDFE6~1.EXE
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

4. C:\Windows\SysWOW64\igfxwp32.exe (PID 4244)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\ECDFE6~1.EXE
   - Checks computer location settings
   - Deletes itself
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

5. C:\Windows\SysWOW64\igfxwp32.exe (PID 4112)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

6. C:\Windows\SysWOW64\igfxwp32.exe (PID 892)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

7. C:\Windows\SysWOW64\igfxwp32.exe (PID 1964)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

8. C:\Windows\SysWOW64\igfxwp32.exe (PID 532)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

9. C:\Windows\SysWOW64\igfxwp32.exe (PID 4100)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

10. C:\Windows\SysWOW64\igfxwp32.exe (PID 3032)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

11. C:\Windows\SysWOW64\igfxwp32.exe (PID 4568)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

12. C:\Windows\SysWOW64\igfxwp32.exe (PID 4516)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

13. C:\Windows\SysWOW64\igfxwp32.exe (PID 1748)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

14. C:\Windows\SysWOW64\igfxwp32.exe (PID 1268)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses

15. C:\Windows\SysWOW64\igfxwp32.exe (PID 3088)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses

16. C:\Windows\SysWOW64\igfxwp32.exe (PID 3204)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses

17. C:\Windows\SysWOW64\igfxwp32.exe (PID 1076)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses

18. C:\Windows\SysWOW64\igfxwp32.exe (PID 3548)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses

19. C:\Windows\SysWOW64\igfxwp32.exe (PID 5064)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses

20. C:\Windows\SysWOW64\igfxwp32.exe (PID 3716)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses

21. C:\Windows\SysWOW64\igfxwp32.exe (PID 3912)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses

22. C:\Windows\SysWOW64\igfxwp32.exe (PID 3136)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses

23. C:\Windows\SysWOW64\igfxwp32.exe (PID 4712)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery

24. C:\Windows\SysWOW64\igfxwp32.exe (PID 4940)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class

25. C:\Windows\SysWOW64\igfxwp32.exe (PID 2616)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery

26. C:\Windows\SysWOW64\igfxwp32.exe (PID 2324)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class

27. C:\Windows\SysWOW64\igfxwp32.exe (PID 3388)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery

28. C:\Windows\SysWOW64\igfxwp32.exe (PID 1704)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class

29. C:\Windows\SysWOW64\igfxwp32.exe (PID 2632)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery

30. C:\Windows\SysWOW64\igfxwp32.exe (PID 1260)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class

31. C:\Windows\SysWOW64\igfxwp32.exe (PID 3112)
   Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
   - Executes dropped EXE
TTPs mapped against MITRE ATT&CK Enterprise v15.