Analysis
max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
13-12-2024 13:16
Static task
static1
Behavioral task
behavioral1
Sample
ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
Target
ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
Size
170KB
MD5
ebadece19ecc0ea8b3f4c557d97d7254
SHA1
827976fc813c01efab0930f6639830252074f397
SHA256
8e3d5db4824582dd14fa93869a4aa1e6c6b5cc435f909fad696c3a74cba33e0a
SHA512
022995c9f6d87bf30408f7ab92937e147a5b73f91e745c6121bbf29d72efd1e763bbef0127b7aebb98f58070e19f274ed159960e2cbc0ebb79e2deb17f4ebcd6
SSDEEP
3072:fXdQ0y3PSVzffK5p8uRL9zk03F8XsujapHJjy+Ycx7VK+iaEfhoV+rc7JCUU:fWSVzfsl9NVFujudLdw+dEJokC0UU
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Deletes itself 1 IoCs
pid | Process
1064 | igfxwk32.exe
Executes dropped EXE 28 IoCs
pid | Process
4424 | igfxwk32.exe
1064 | igfxwk32.exe
4936 | igfxwk32.exe
5036 | igfxwk32.exe
4160 | igfxwk32.exe
1388 | igfxwk32.exe
4388 | igfxwk32.exe
3612 | igfxwk32.exe
1508 | igfxwk32.exe
1864 | igfxwk32.exe
2300 | igfxwk32.exe
4520 | igfxwk32.exe
3588 | igfxwk32.exe
3412 | igfxwk32.exe
4816 | igfxwk32.exe
1324 | igfxwk32.exe
4760 | igfxwk32.exe
1088 | igfxwk32.exe
808 | igfxwk32.exe
2480 | igfxwk32.exe
3656 | igfxwk32.exe
4708 | igfxwk32.exe
3040 | igfxwk32.exe
2412 | igfxwk32.exe
2760 | igfxwk32.exe
4224 | igfxwk32.exe
5008 | igfxwk32.exe
2784 | igfxwk32.exe
Maps connected drives based on registry 3 TTPs 30 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Drops file in System32 directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
Suspicious use of SetThreadContext 15 IoCs
description | pid | Process | procid_target
PID 792 set thread context of 2604 | 792 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe | 86
PID 4424 set thread context of 1064 | 4424 | igfxwk32.exe | 91
PID 4936 set thread context of 5036 | 4936 | igfxwk32.exe | 93
PID 4160 set thread context of 1388 | 4160 | igfxwk32.exe | 97
PID 4388 set thread context of 3612 | 4388 | igfxwk32.exe | 99
PID 1508 set thread context of 1864 | 1508 | igfxwk32.exe | 101
PID 2300 set thread context of 4520 | 2300 | igfxwk32.exe | 103
PID 3588 set thread context of 3412 | 3588 | igfxwk32.exe | 105
PID 4816 set thread context of 1324 | 4816 | igfxwk32.exe | 107
PID 4760 set thread context of 1088 | 4760 | igfxwk32.exe | 109
PID 808 set thread context of 2480 | 808 | igfxwk32.exe | 111
PID 3656 set thread context of 4708 | 3656 | igfxwk32.exe | 113
PID 3040 set thread context of 2412 | 3040 | igfxwk32.exe | 115
PID 2760 set thread context of 4224 | 2760 | igfxwk32.exe | 117
PID 5008 set thread context of 2784 | 5008 | igfxwk32.exe | 119
resource | yara_rule
behavioral2/memory/2604-0-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2604-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2604-3-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2604-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2604-40-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1064-44-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1064-46-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1064-45-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1064-48-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/5036-55-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1388-62-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3612-69-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1864-76-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4520-83-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3412-92-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1324-96-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1088-103-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2480-111-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4708-119-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2412-128-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4224-136-0x0000000000400000-0x0000000000466000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe
Modifies registry class 14 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Suspicious behavior: EnumeratesProcesses 54 IoCs
pid | Process
2604 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
2604 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
2604 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
2604 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
1064 | igfxwk32.exe
1064 | igfxwk32.exe
1064 | igfxwk32.exe
1064 | igfxwk32.exe
5036 | igfxwk32.exe
5036 | igfxwk32.exe
5036 | igfxwk32.exe
5036 | igfxwk32.exe
1388 | igfxwk32.exe
1388 | igfxwk32.exe
1388 | igfxwk32.exe
1388 | igfxwk32.exe
3612 | igfxwk32.exe
3612 | igfxwk32.exe
3612 | igfxwk32.exe
3612 | igfxwk32.exe
1864 | igfxwk32.exe
1864 | igfxwk32.exe
1864 | igfxwk32.exe
1864 | igfxwk32.exe
4520 | igfxwk32.exe
4520 | igfxwk32.exe
4520 | igfxwk32.exe
4520 | igfxwk32.exe
3412 | igfxwk32.exe
3412 | igfxwk32.exe
3412 | igfxwk32.exe
3412 | igfxwk32.exe
1088 | igfxwk32.exe
1088 | igfxwk32.exe
1088 | igfxwk32.exe
1088 | igfxwk32.exe
2480 | igfxwk32.exe
2480 | igfxwk32.exe
2480 | igfxwk32.exe
2480 | igfxwk32.exe
4708 | igfxwk32.exe
4708 | igfxwk32.exe
4708 | igfxwk32.exe
4708 | igfxwk32.exe
2412 | igfxwk32.exe
2412 | igfxwk32.exe
2412 | igfxwk32.exe
2412 | igfxwk32.exe
4224 | igfxwk32.exe
4224 | igfxwk32.exe
4224 | igfxwk32.exe
4224 | igfxwk32.exe
2784 | igfxwk32.exe
2784 | igfxwk32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 792 wrote to memory of 2604 | 792 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe | 86
PID 792 wrote to memory of 2604 | 792 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe | 86
PID 792 wrote to memory of 2604 | 792 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe | 86
PID 792 wrote to memory of 2604 | 792 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe | 86
PID 792 wrote to memory of 2604 | 792 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe | 86
PID 792 wrote to memory of 2604 | 792 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe | 86
PID 792 wrote to memory of 2604 | 792 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe | 86
PID 2604 wrote to memory of 4424 | 2604 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe | 88
PID 2604 wrote to memory of 4424 | 2604 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe | 88
PID 2604 wrote to memory of 4424 | 2604 | ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe | 88
PID 4424 wrote to memory of 1064 | 4424 | igfxwk32.exe | 91
PID 4424 wrote to memory of 1064 | 4424 | igfxwk32.exe | 91
PID 4424 wrote to memory of 1064 | 4424 | igfxwk32.exe | 91
PID 4424 wrote to memory of 1064 | 4424 | igfxwk32.exe | 91
PID 4424 wrote to memory of 1064 | 4424 | igfxwk32.exe | 91
PID 4424 wrote to memory of 1064 | 4424 | igfxwk32.exe | 91
PID 4424 wrote to memory of 1064 | 4424 | igfxwk32.exe | 91
PID 1064 wrote to memory of 4936 | 1064 | igfxwk32.exe | 92
PID 1064 wrote to memory of 4936 | 1064 | igfxwk32.exe | 92
PID 1064 wrote to memory of 4936 | 1064 | igfxwk32.exe | 92
PID 4936 wrote to memory of 5036 | 4936 | igfxwk32.exe | 93
PID 4936 wrote to memory of 5036 | 4936 | igfxwk32.exe | 93
PID 4936 wrote to memory of 5036 | 4936 | igfxwk32.exe | 93
PID 4936 wrote to memory of 5036 | 4936 | igfxwk32.exe | 93
PID 4936 wrote to memory of 5036 | 4936 | igfxwk32.exe | 93
PID 4936 wrote to memory of 5036 | 4936 | igfxwk32.exe | 93
PID 4936 wrote to memory of 5036 | 4936 | igfxwk32.exe | 93
PID 5036 wrote to memory of 4160 | 5036 | igfxwk32.exe | 95
PID 5036 wrote to memory of 4160 | 5036 | igfxwk32.exe | 95
PID 5036 wrote to memory of 4160 | 5036 | igfxwk32.exe | 95
PID 4160 wrote to memory of 1388 | 4160 | igfxwk32.exe | 97
PID 4160 wrote to memory of 1388 | 4160 | igfxwk32.exe | 97
PID 4160 wrote to memory of 1388 | 4160 | igfxwk32.exe | 97
PID 4160 wrote to memory of 1388 | 4160 | igfxwk32.exe | 97
PID 4160 wrote to memory of 1388 | 4160 | igfxwk32.exe | 97
PID 4160 wrote to memory of 1388 | 4160 | igfxwk32.exe | 97
PID 4160 wrote to memory of 1388 | 4160 | igfxwk32.exe | 97
PID 1388 wrote to memory of 4388 | 1388 | igfxwk32.exe | 98
PID 1388 wrote to memory of 4388 | 1388 | igfxwk32.exe | 98
PID 1388 wrote to memory of 4388 | 1388 | igfxwk32.exe | 98
PID 4388 wrote to memory of 3612 | 4388 | igfxwk32.exe | 99
PID 4388 wrote to memory of 3612 | 4388 | igfxwk32.exe | 99
PID 4388 wrote to memory of 3612 | 4388 | igfxwk32.exe | 99
PID 4388 wrote to memory of 3612 | 4388 | igfxwk32.exe | 99
PID 4388 wrote to memory of 3612 | 4388 | igfxwk32.exe | 99
PID 4388 wrote to memory of 3612 | 4388 | igfxwk32.exe | 99
PID 4388 wrote to memory of 3612 | 4388 | igfxwk32.exe | 99
PID 3612 wrote to memory of 1508 | 3612 | igfxwk32.exe | 100
PID 3612 wrote to memory of 1508 | 3612 | igfxwk32.exe | 100
PID 3612 wrote to memory of 1508 | 3612 | igfxwk32.exe | 100
PID 1508 wrote to memory of 1864 | 1508 | igfxwk32.exe | 101
PID 1508 wrote to memory of 1864 | 1508 | igfxwk32.exe | 101
PID 1508 wrote to memory of 1864 | 1508 | igfxwk32.exe | 101
PID 1508 wrote to memory of 1864 | 1508 | igfxwk32.exe | 101
PID 1508 wrote to memory of 1864 | 1508 | igfxwk32.exe | 101
PID 1508 wrote to memory of 1864 | 1508 | igfxwk32.exe | 101
PID 1508 wrote to memory of 1864 | 1508 | igfxwk32.exe | 101
PID 1864 wrote to memory of 2300 | 1864 | igfxwk32.exe | 102
PID 1864 wrote to memory of 2300 | 1864 | igfxwk32.exe | 102
PID 1864 wrote to memory of 2300 | 1864 | igfxwk32.exe | 102
PID 2300 wrote to memory of 4520 | 2300 | igfxwk32.exe | 103
PID 2300 wrote to memory of 4520 | 2300 | igfxwk32.exe | 103
PID 2300 wrote to memory of 4520 | 2300 | igfxwk32.exe | 103
PID 2300 wrote to memory of 4520 | 2300 | igfxwk32.exe | 103
Processes
1. C:\Users\Admin\AppData\Local\Temp\ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 792
2. C:\Users\Admin\AppData\Local\Temp\ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ebadece19ecc0ea8b3f4c557d97d7254_JaffaCakes118.exe"
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2604
3. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\EBADEC~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4424
4. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\EBADEC~1.EXE
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1064
5. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4936
6. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 5036
7. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4160
8. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1388
9. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4388
10. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3612
11. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1508
12. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1864
13. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2300
14. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4520
15. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3588
16. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3412
17. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4816
18. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1324
19. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4760
20. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1088
21. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 808
22. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 2480
23. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3656
24. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4708
25. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3040
26. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 2412
27. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2760
28. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4224
29. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 5008
30. C:\Windows\SysWOW64\igfxwk32.exe
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID: 2784
MITRE ATT&CK Enterprise v15
Downloads
Filesize
170KB
MD5
ebadece19ecc0ea8b3f4c557d97d7254
SHA1
827976fc813c01efab0930f6639830252074f397
SHA256
8e3d5db4824582dd14fa93869a4aa1e6c6b5cc435f909fad696c3a74cba33e0a
SHA512
022995c9f6d87bf30408f7ab92937e147a5b73f91e745c6121bbf29d72efd1e763bbef0127b7aebb98f58070e19f274ed159960e2cbc0ebb79e2deb17f4ebcd6