Analysis
max time kernel: 145s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 15-12-2024 14:24
Static task: static1
Behavioral task: behavioral1
  Sample: f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe
Size: 168KB
MD5: f465b65fecc8ae9797e19e08e5ff4542
SHA1: 19045b0714fc12714669128b65764d209c48a896
SHA256: d21db4c56c2bef6f00b65741a244565e367d3b0fbd2227badd2bacfed095d132
SHA512: bbc6a74bc7120bd0cfdd02041f996ee281b74a635d52b307fff5ed10ac29a7531af3ff2a479c89a2168cfb800e6568410272fd757f168f477e595a15ed757d1b
SSDEEP: 3072:kVXn1IGhcaZcbFbfft25GfAc1Ye/dLZ2wcvTEr7Os4DiAh/H/dYOGRc1kG:smGabFbffR3jdNciF4DLhvl4M
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Deletes itself 1 IoCs
pid   Process
2760  igfxwk32.exe
Executes dropped EXE 29 IoCs
pid   Process
2832  igfxwk32.exe
2760  igfxwk32.exe
2800  igfxwk32.exe
2676  igfxwk32.exe
1804  igfxwk32.exe
2916  igfxwk32.exe
1200  igfxwk32.exe
580   igfxwk32.exe
236   igfxwk32.exe
2960  igfxwk32.exe
2400  igfxwk32.exe
1056  igfxwk32.exe
972   igfxwk32.exe
1560  igfxwk32.exe
920   igfxwk32.exe
1552  igfxwk32.exe
1724  igfxwk32.exe
1620  igfxwk32.exe
1268  igfxwk32.exe
2024  igfxwk32.exe
2852  igfxwk32.exe
2348  igfxwk32.exe
2892  igfxwk32.exe
2628  igfxwk32.exe
2196  igfxwk32.exe
2644  igfxwk32.exe
1252  igfxwk32.exe
996   igfxwk32.exe
1760  igfxwk32.exe
Loads dropped DLL 29 IoCs
pid   Process
3052  f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe
2832  igfxwk32.exe
2760  igfxwk32.exe
2800  igfxwk32.exe
2676  igfxwk32.exe
1804  igfxwk32.exe
2916  igfxwk32.exe
1200  igfxwk32.exe
580   igfxwk32.exe
236   igfxwk32.exe
2960  igfxwk32.exe
2400  igfxwk32.exe
1056  igfxwk32.exe
972   igfxwk32.exe
1560  igfxwk32.exe
920   igfxwk32.exe
1552  igfxwk32.exe
1724  igfxwk32.exe
1620  igfxwk32.exe
1268  igfxwk32.exe
2024  igfxwk32.exe
2852  igfxwk32.exe
2348  igfxwk32.exe
2892  igfxwk32.exe
2628  igfxwk32.exe
2196  igfxwk32.exe
2644  igfxwk32.exe
1252  igfxwk32.exe
996   igfxwk32.exe
Maps connected drives based on registry 3 TTPs 30 IoCs
Disk information is often read in order to detect sandboxing environments.
description        ioc                                                          Process                                              occurrences
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    igfxwk32.exe                                         14
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe   1
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwk32.exe                                         14
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe   1
Drops file in System32 directory 45 IoCs
description                  ioc                               Process                                              occurrences
File opened for modification  C:\Windows\SysWOW64\              igfxwk32.exe                                         14
File opened for modification  C:\Windows\SysWOW64\              f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe   1
File created                  C:\Windows\SysWOW64\igfxwk32.exe  igfxwk32.exe                                         14
File created                  C:\Windows\SysWOW64\igfxwk32.exe  f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe   1
File opened for modification  C:\Windows\SysWOW64\igfxwk32.exe  igfxwk32.exe                                         14
File opened for modification  C:\Windows\SysWOW64\igfxwk32.exe  f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe   1
Suspicious use of SetThreadContext 15 IoCs
description                          pid   Process                                              procid_target
PID 3036 set thread context of 3052  3036  f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe   30
PID 2832 set thread context of 2760  2832  igfxwk32.exe                                         33
PID 2800 set thread context of 2676  2800  igfxwk32.exe                                         35
PID 1804 set thread context of 2916  1804  igfxwk32.exe                                         37
PID 1200 set thread context of 580   1200  igfxwk32.exe                                         39
PID 236 set thread context of 2960   236   igfxwk32.exe                                         41
PID 2400 set thread context of 1056  2400  igfxwk32.exe                                         43
PID 972 set thread context of 1560   972   igfxwk32.exe                                         45
PID 920 set thread context of 1552   920   igfxwk32.exe                                         47
PID 1724 set thread context of 1620  1724  igfxwk32.exe                                         49
PID 1268 set thread context of 2024  1268  igfxwk32.exe                                         51
PID 2852 set thread context of 2348  2852  igfxwk32.exe                                         53
PID 2892 set thread context of 2628  2892  igfxwk32.exe                                         55
PID 2196 set thread context of 2644  2196  igfxwk32.exe                                         57
PID 1252 set thread context of 996   1252  igfxwk32.exe                                         59
UPX packed file 35 IoCs
resource                                                                     yara_rule
behavioral1/memory/3052-6-0x0000000000400000-0x0000000000466000-memory.dmp    upx
behavioral1/memory/3052-8-0x0000000000400000-0x0000000000466000-memory.dmp    upx
behavioral1/memory/3052-9-0x0000000000400000-0x0000000000466000-memory.dmp    upx
behavioral1/memory/3052-7-0x0000000000400000-0x0000000000466000-memory.dmp    upx
behavioral1/memory/3052-4-0x0000000000400000-0x0000000000466000-memory.dmp    upx
behavioral1/memory/3052-3-0x0000000000400000-0x0000000000466000-memory.dmp    upx
behavioral1/memory/3052-2-0x0000000000400000-0x0000000000466000-memory.dmp    upx
behavioral1/memory/3052-19-0x0000000000400000-0x0000000000466000-memory.dmp   upx
behavioral1/memory/2760-29-0x0000000000400000-0x0000000000466000-memory.dmp   upx
behavioral1/memory/2760-32-0x0000000000400000-0x0000000000466000-memory.dmp   upx
behavioral1/memory/2760-31-0x0000000000400000-0x0000000000466000-memory.dmp   upx
behavioral1/memory/2760-30-0x0000000000400000-0x0000000000466000-memory.dmp   upx
behavioral1/memory/2760-37-0x0000000000400000-0x0000000000466000-memory.dmp   upx
behavioral1/memory/2676-47-0x0000000000400000-0x0000000000466000-memory.dmp   upx
behavioral1/memory/2676-48-0x0000000000400000-0x0000000000466000-memory.dmp   upx
behavioral1/memory/2676-53-0x0000000000400000-0x0000000000466000-memory.dmp   upx
behavioral1/memory/2916-63-0x0000000000400000-0x0000000000466000-memory.dmp   upx
behavioral1/memory/2916-64-0x0000000000400000-0x0000000000466000-memory.dmp   upx
behavioral1/memory/2916-69-0x0000000000400000-0x0000000000466000-memory.dmp   upx
behavioral1/memory/580-79-0x0000000000400000-0x0000000000466000-memory.dmp    upx
behavioral1/memory/580-80-0x0000000000400000-0x0000000000466000-memory.dmp    upx
behavioral1/memory/580-84-0x0000000000400000-0x0000000000466000-memory.dmp    upx
behavioral1/memory/2960-96-0x0000000000400000-0x0000000000466000-memory.dmp   upx
behavioral1/memory/2960-95-0x0000000000400000-0x0000000000466000-memory.dmp   upx
behavioral1/memory/2960-97-0x0000000000400000-0x0000000000466000-memory.dmp   upx
behavioral1/memory/2960-102-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1056-119-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1560-135-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1552-152-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1620-168-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2024-185-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2348-201-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2628-218-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2644-234-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/996-248-0x0000000000400000-0x0000000000466000-memory.dmp   upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process                                              occurrences
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxwk32.exe                                         28
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe   2
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid   Process
3052  f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe
3052  f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe
2760  igfxwk32.exe
2760  igfxwk32.exe
2676  igfxwk32.exe
2676  igfxwk32.exe
2916  igfxwk32.exe
2916  igfxwk32.exe
580   igfxwk32.exe
580   igfxwk32.exe
2960  igfxwk32.exe
2960  igfxwk32.exe
1056  igfxwk32.exe
1056  igfxwk32.exe
1560  igfxwk32.exe
1560  igfxwk32.exe
1552  igfxwk32.exe
1552  igfxwk32.exe
1620  igfxwk32.exe
1620  igfxwk32.exe
2024  igfxwk32.exe
2024  igfxwk32.exe
2348  igfxwk32.exe
2348  igfxwk32.exe
2628  igfxwk32.exe
2628  igfxwk32.exe
2644  igfxwk32.exe
2644  igfxwk32.exe
996   igfxwk32.exe
996   igfxwk32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process                                              procid_target  occurrences
PID 3036 wrote to memory of 3052  3036  f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe   30             7
PID 3052 wrote to memory of 2832  3052  f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe   32             4
PID 2832 wrote to memory of 2760  2832  igfxwk32.exe                                         33             7
PID 2760 wrote to memory of 2800  2760  igfxwk32.exe                                         34             4
PID 2800 wrote to memory of 2676  2800  igfxwk32.exe                                         35             7
PID 2676 wrote to memory of 1804  2676  igfxwk32.exe                                         36             4
PID 1804 wrote to memory of 2916  1804  igfxwk32.exe                                         37             7
PID 2916 wrote to memory of 1200  2916  igfxwk32.exe                                         38             4
PID 1200 wrote to memory of 580   1200  igfxwk32.exe                                         39             7
PID 580 wrote to memory of 236    580   igfxwk32.exe                                         40             4
PID 236 wrote to memory of 2960   236   igfxwk32.exe                                         41             7
PID 2960 wrote to memory of 2400  2960  igfxwk32.exe                                         42             2
Processes
Process tree (each level is a child of the level above it):

Level 1: C:\Users\Admin\AppData\Local\Temp\f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe"
  PID: 3036
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\AppData\Local\Temp\f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe"
  PID: 3052
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\F465B6~1.EXE
  PID: 2832
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 4: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\F465B6~1.EXE
  PID: 2760
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 5: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 2800
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 6: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 2676
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 7: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 1804
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 8: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 2916
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 9: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 1200
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 10: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 580
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 11: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 236
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 12: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 2960
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 13: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 2400
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Level 14: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 1056
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Level 15: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 972
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Level 16: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 1560
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Level 17: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 920
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Level 18: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 1552
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Level 19: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 1724
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Level 20: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 1620
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Level 21: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 1268
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Level 22: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 2024
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Level 23: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 2852
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Level 24: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 2348
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Level 25: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 2892
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Level 26: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 2628
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Level 27: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 2196
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Level 28: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 2644
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Level 29: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 1252
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Level 30: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 996
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Level 31: C:\Windows\SysWOW64\igfxwk32.exe
  Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  PID: 1760
  - Executes dropped EXE
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 168KB
MD5: f465b65fecc8ae9797e19e08e5ff4542
SHA1: 19045b0714fc12714669128b65764d209c48a896
SHA256: d21db4c56c2bef6f00b65741a244565e367d3b0fbd2227badd2bacfed095d132
SHA512: bbc6a74bc7120bd0cfdd02041f996ee281b74a635d52b307fff5ed10ac29a7531af3ff2a479c89a2168cfb800e6568410272fd757f168f477e595a15ed757d1b