Analysis
max time kernel: 147s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/12/2024, 18:00
Static task: static1
Behavioral task: behavioral1
  Sample: ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe
Size: 171KB
MD5: ecb5ea358c7ddbbc75cab797619d0361
SHA1: 8746bbd3160e693526b7062b865c258ee403a7c7
SHA256: 76bc749e3c7bc69c5f12cc7763a0cbbf9260bf037e1c31d37b2a615341d46c12
SHA512: fda865648fdc47d4e9bb650fddf6a7879522f1d9b249a290afbd9b97b5195eb6b2e2d592a2dad2740b6b2fe64a7ed816ee74941e50956c4c8e352bd716b29ffb
SSDEEP: 3072:KG+OnwL1pgJ8dhApBSLdqZ7CpvPk2mxNQn/womo:ZE1ZhAjVZ7Mvs2YTo
Malware Config
Extracted: metasploit
Encoder: encoder/call4_dword_xor (Metasploit's x86 call4_dword_xor encoder, consistent with the 32-bit binary seen running under SysWOW64 in the process tree below)
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Family: metasploit
Deletes itself (1 IoC)
PID 2596 igfxwl32.exe. This is the igfxwl32.exe instance whose command line carries the original sample path (C:\Users\Admin\AppData\Local\Temp\ECB5EA~1.EXE) as its argument, so the dropper in %TEMP% is removed once the copy in SysWOW64 is running.
Executes dropped EXE (33 IoCs)
All 33 are instances of igfxwl32.exe, PIDs: 2696, 2596, 2220, 1968, 884, 1548, 1852, 1292, 2368, 2108, 2352, 2188, 1244, 2208, 2320, 2056, 892, 3056, 2732, 2804, 2784, 2672, 2220, 2728, 1736, 2292, 2284, 476, 2932, 2356, 2312, 1656, 2520. PID 2220 is listed twice because Windows reused it after the first instance exited.
Loads dropped DLL (33 IoCs)
PID 2396 ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe, plus igfxwl32.exe PIDs: 2696, 2596, 2220, 1968, 884, 1548, 1852, 1292, 2368, 2108, 2352, 2188, 1244, 2208, 2320, 2056, 892, 3056, 2732, 2804, 2784, 2672, 2220, 2728, 1736, 2292, 2284, 476, 2932, 2356, 2312, 1656.
Maps connected drives based on registry (3 TTPs, 34 IoCs)
Disk information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (16 times by igfxwl32.exe, once by ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe)
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (16 times by igfxwl32.exe, once by ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe)
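What the sample gets from that key is the PnP device instance ID of each disk, which embeds the vendor and model string; hypervisor-provided disks announce themselves there. The following is an added example, not part of the sandbox report and not code from the sample: it classifies Disk\Enum values the way a sandbox-aware loader would, so you can check what your own analysis VM exposes. The three sample values and the marker list are constructed assumptions, not taken from the report.

```python
r"""Classify the values the sample reads from
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum\<n> (PnP device instance IDs).
Added example; not part of the report and not the sample's own code."""
import sys

# Vendor/model substrings typical of virtual disks.  Assumption: a common-case
# list chosen for this example, not something taken from the report.
VIRTUAL_DISK_MARKERS = ("VBOX", "VMWARE", "VIRTUAL", "QEMU", "XEN", "MSFT")

# Constructed sample values in the format Windows stores under Disk\Enum\<n>;
# none of them come from the report.
SAMPLE_VALUES = [
    r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&2f0d4e0a&0&0.0.0",
    r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1982005&0&000000",
    r"IDE\DiskST1000DM003-1CH162_______________________CC43____\5&3a1f2b1c&0&0.0.0",
]


def classify_disk_enum(value):
    r"""Return which virtual-disk markers, if any, appear in one Disk\Enum value."""
    upper = value.upper()
    hits = [marker for marker in VIRTUAL_DISK_MARKERS if marker in upper]
    return {"value": value, "virtual": bool(hits), "markers": hits}


def summarize(values):
    """Classify every enumerated disk; 'virtual' is True if any disk looks virtual."""
    results = [classify_disk_enum(v) for v in values]
    return {"disks": results, "virtual": any(r["virtual"] for r in results)}


def read_disk_enum():
    """Read the same key the sample opens.  Returns None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    path = r"SYSTEM\ControlSet001\Services\Disk\Enum"  # path exactly as in the report
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        count, _ = winreg.QueryValueEx(key, "Count")
        return [winreg.QueryValueEx(key, str(i))[0] for i in range(count)]


if __name__ == "__main__":
    # On Windows this reads the live key; elsewhere it falls back to the samples.
    values = read_disk_enum() or SAMPLE_VALUES
    for r in summarize(values)["disks"]:
        print("VIRTUAL " if r["virtual"] else "physical", r["value"], r["markers"])
```

Run it on the analysis VM itself: if the first value comes back tagged VBOX or VMWARE, that is the string the sample saw before deciding how to behave, and a sandbox that wants to stay hidden has to patch that value rather than just hook the registry API.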
Drops file in System32 directory (51 IoCs)
Three operations, each recorded 17 times (16 by igfxwl32.exe, once by ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe):
File created: C:\Windows\SysWOW64\igfxwl32.exe
File opened for modification: C:\Windows\SysWOW64\igfxwl32.exe
File opened for modification: C:\Windows\SysWOW64\
The binary is 32-bit: the command lines in the process tree reference C:\Windows\system32\igfxwl32.exe, but WOW64 file system redirection maps that path to C:\Windows\SysWOW64\ for a 32-bit process, which is where the file actually lands and executes from. Writing there needs administrative rights, which the sandbox user (C:\Users\Admin) evidently had; on a standard-user host the copy would fail.
Suspicious use of SetThreadContext (17 IoCs)
Each entry is "parent PID -> child PID" (parent image, sandbox process index):
2828 -> 2396 (ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe, 30)
2696 -> 2596 (igfxwl32.exe, 32)
2220 -> 1968 (igfxwl32.exe, 34)
884 -> 1548 (igfxwl32.exe, 36)
1852 -> 1292 (igfxwl32.exe, 38)
2368 -> 2108 (igfxwl32.exe, 40)
2352 -> 2188 (igfxwl32.exe, 42)
1244 -> 2208 (igfxwl32.exe, 44)
2320 -> 2056 (igfxwl32.exe, 47)
892 -> 3056 (igfxwl32.exe, 49)
2732 -> 2804 (igfxwl32.exe, 51)
2784 -> 2672 (igfxwl32.exe, 53)
2220 -> 2728 (igfxwl32.exe, 55; PID 2220 reused after the earlier instance exited)
1736 -> 2292 (igfxwl32.exe, 57)
2284 -> 476 (igfxwl32.exe, 59)
2932 -> 2356 (igfxwl32.exe, 61)
2312 -> 1656 (igfxwl32.exe, 63)
In every pair the child is a freshly started copy of the parent's own image, the parent also appears in the WriteProcessMemory list writing into that child, and it is the child (not the parent) that goes on to drop files and query the registry. Creating a copy of yourself, writing into it and resetting its thread context is the classic process-hollowing (RunPE) pattern; the report itself only labels the individual API uses as suspicious.
UPX (YARA rule "upx" matched, 40 IoCs)
The rule matched the region 0x0000000000400000-0x0000000000466000 in memory dumps of the following processes (dump indices in the behavioral1/memory/<pid>-<index>-...-memory.dmp names given in brackets). Every one of them is the injected child of a SetThreadContext pair above:
2396: 2, 3, 4, 6, 7, 8, 18
2596: 28, 29, 30, 36
1968: 46, 47, 48, 51
1548: 62, 69
1292: 80, 86
2108: 97, 103
2188: 114, 120
2208: 131, 137
2056: 147, 154
3056: 165, 172
2804: 182, 189
2672: 199, 207
2728: 218, 224
2292: 235, 241
476: 253
2356: 265
1656: 277
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 34 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (32 times by igfxwl32.exe, twice by ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe)
Suspicious behavior: EnumeratesProcesses (34 IoCs)
Each of the following PIDs is recorded twice: 2396 (ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe) and the igfxwl32.exe PIDs 2596, 1968, 1548, 1292, 2108, 2188, 2208, 2056, 3056, 2804, 2672, 2728, 2292, 476, 2356, 1656. These are the same 17 injected child processes that carry the UPX memory matches.
Suspicious use of WriteProcessMemory (64 IoCs)
Each entry is "parent PID -> child PID" (parent image, sandbox process index) followed by the number of times the write was recorded:
2828 -> 2396 (ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe, 30): 7
2396 -> 2696 (ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe, 31): 4
2696 -> 2596 (igfxwl32.exe, 32): 7
2596 -> 2220 (igfxwl32.exe, 33): 4
2220 -> 1968 (igfxwl32.exe, 34): 7
1968 -> 884 (igfxwl32.exe, 35): 4
884 -> 1548 (igfxwl32.exe, 36): 7
1548 -> 1852 (igfxwl32.exe, 37): 4
1852 -> 1292 (igfxwl32.exe, 38): 7
1292 -> 2368 (igfxwl32.exe, 39): 4
2368 -> 2108 (igfxwl32.exe, 40): 7
2108 -> 2352 (igfxwl32.exe, 41): 2
The list is truncated at 64 entries; the process tree below shows the chain continuing well past PID 2352. The seven-write parents are exactly the ones that also set the child's thread context (the injection step); the four-write parents are the injected children starting the next copy of igfxwl32.exe.
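Pulling the injection pairs out of these two signature lists by hand is error-prone once the chain is this long. The following is an added example, not part of the sandbox report: it parses IoC lines in the exact "PID <src> wrote to memory of <dst> <src> <image> <index>" / "PID <src> set thread context of <dst> ..." form used above, counts writes per parent/child pair, flags pairs where the parent both writes into and sets the thread context of a child running the same image (the hollowing pattern described above), and walks the spawn chain from the root. The embedded input is the first few hops copied from the report; the PID-to-image map is taken from the process tree below. Anything beyond that (function names, the single-child assumption) is this example's own.

```python
"""Reconstruct the injection chain from sandbox IoC lines.
Added example; not part of the report and not the sample's own code."""
import re
from collections import Counter

# Constructed input: the first three SetThreadContext entries, copied from the
# report's signature list above.
SET_CONTEXT_LINES = """
PID 2828 set thread context of 2396 2828 ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe 30
PID 2696 set thread context of 2596 2696 igfxwl32.exe 32
PID 2220 set thread context of 1968 2220 igfxwl32.exe 34
"""

# Constructed input: the first five WriteProcessMemory pairs with the repeat
# counts the report shows (7, 4, 7, 4, 7).
WRITE_MEMORY_LINES = "\n".join(
    ["PID 2828 wrote to memory of 2396 2828 ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe 30"] * 7
    + ["PID 2396 wrote to memory of 2696 2396 ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe 31"] * 4
    + ["PID 2696 wrote to memory of 2596 2696 igfxwl32.exe 32"] * 7
    + ["PID 2596 wrote to memory of 2220 2596 igfxwl32.exe 33"] * 4
    + ["PID 2220 wrote to memory of 1968 2220 igfxwl32.exe 34"] * 7
)

# Image name per PID, taken from the process tree in the report.
IMAGES = {
    2828: "ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe",
    2396: "ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe",
    2696: "igfxwl32.exe", 2596: "igfxwl32.exe",
    2220: "igfxwl32.exe", 1968: "igfxwl32.exe",
}

# "PID <src> <op> <dst> <src> <parent image> <sandbox index>"; the source PID is
# repeated in the line, so a back-reference guards against mis-parsed lines.
IOC_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_idx>\d+)$"
)


def parse_iocs(text):
    """Yield (src_pid, op, dst_pid) for every well-formed IoC line; skip the rest."""
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            yield int(m["src"]), m["op"], int(m["dst"])


def analyze(set_ctx_text, write_text, images):
    """Count writes per pair, flag self-image hollowing pairs, walk the chain."""
    writes = Counter()
    for src, _op, dst in parse_iocs(write_text):
        writes[(src, dst)] += 1
    set_ctx = {(src, dst) for src, _op, dst in parse_iocs(set_ctx_text)}

    # Hollowing-style self-injection: the parent writes into the child AND
    # replaces its thread context, and the child runs the parent's own image.
    hollowing = sorted(
        pair for pair in set_ctx
        if pair in writes and images.get(pair[0]) == images.get(pair[1])
    )
    # Plain spawns: writes recorded (CreateProcess bookkeeping) but no context reset.
    spawns = sorted(pair for pair in writes if pair not in set_ctx)

    # Walk the chain from the root, i.e. the PID that is never a write target.
    # Assumption: one child per parent, as in this report's linear tree.
    dests = {dst for _src, dst in writes}
    roots = [src for src, _dst in writes if src not in dests]
    next_of = {src: dst for (src, dst) in writes}
    chain, cur = [], roots[0] if roots else None
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = next_of.get(cur)

    return {"writes": dict(writes), "hollowing": hollowing,
            "spawns": spawns, "chain": chain}


if __name__ == "__main__":
    result = analyze(SET_CONTEXT_LINES, WRITE_MEMORY_LINES, IMAGES)
    print("chain:", " -> ".join(map(str, result["chain"])))
    print("hollowing pairs:", result["hollowing"])
    print("plain spawns:", result["spawns"])
```

Feeding the full 64-line WriteProcessMemory list and all 17 SetThreadContext lines through the same function gives every hop in the tree below with the 7/4 alternation intact; a parent that writes into a child but never touches its context is just launching the next copy, which is the distinction a detection rule on WriteProcessMemory alone cannot make.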
Processes
Each process below is the child of the one above it; the level number is its depth in the tree.
Level 1: C:\Users\Admin\AppData\Local\Temp\ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2828
Level 2: C:\Users\Admin\AppData\Local\Temp\ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2396
Level 3: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\ECB5EA~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2696
Level 4: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\ECB5EA~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2596
Level 5: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2220
Level 6: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1968
Level 7: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 884
Level 8: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1548
Level 9: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1852
Level 10: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1292
Level 11: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2368
Level 12: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2108
Level 13: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2352
Level 14: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2188
Level 15: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1244
Level 16: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2208
Level 17: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2320
Level 18: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2056
Level 19: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 892
Level 20: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 3056
Level 21: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2732
Level 22: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2804
Level 23: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2784
Level 24: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2672
Level 25: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2220 (PID reused; the level 5 instance with the same PID had already exited)
Level 26: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2728
Level 27: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1736
Level 28: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2292
Level 29: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2284
Level 30: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 476
Level 31: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2932
Level 32: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2356
Level 33: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2312
Level 34: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1656
Level 35: C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
PID: 2520 (the last process started before the analysis time limit; no further signatures were recorded for it)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 171KB
MD5: ecb5ea358c7ddbbc75cab797619d0361
SHA1: 8746bbd3160e693526b7062b865c258ee403a7c7
SHA256: 76bc749e3c7bc69c5f12cc7763a0cbbf9260bf037e1c31d37b2a615341d46c12
SHA512: fda865648fdc47d4e9bb650fddf6a7879522f1d9b249a290afbd9b97b5195eb6b2e2d592a2dad2740b6b2fe64a7ed816ee74941e50956c4c8e352bd716b29ffb
These hashes are identical to those of the submitted sample in the General section, so the file collected from the run is a byte-for-byte copy of the original; a hash-based block on the sample therefore also covers the copy written to C:\Windows\SysWOW64\igfxwl32.exe.