Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-12-2024 14:24

Static task: static1
Behavioral task: behavioral1
- Sample: f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe
- Size: 168KB
- MD5: f465b65fecc8ae9797e19e08e5ff4542
- SHA1: 19045b0714fc12714669128b65764d209c48a896
- SHA256: d21db4c56c2bef6f00b65741a244565e367d3b0fbd2227badd2bacfed095d132
- SHA512: bbc6a74bc7120bd0cfdd02041f996ee281b74a635d52b307fff5ed10ac29a7531af3ff2a479c89a2168cfb800e6568410272fd757f168f477e595a15ed757d1b
- SSDEEP: 3072:kVXn1IGhcaZcbFbfft25GfAc1Ye/dLZ2wcvTEr7Os4DiAh/H/dYOGRc1kG:smGabFbffR3jdNciF4DLhvl4M
Malware Config
- Extracted: metasploit, encoder/call4_dword_xor
Signatures
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Metasploit family
- Checks computer location settings (2 TTPs, 15 IoCs): Looks up country code configured in the registry, likely geofence.
- Deletes itself (1 IoCs): PID 1276, igfxwk32.exe
- Executes dropped EXE (29 IoCs)
- Maps connected drives based on registry (3 TTPs, 30 IoCs): Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory (45 IoCs)
- Suspicious use of SetThreadContext (15 IoCs)
- Enumerates physical storage devices (1 TTPs): Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 30 IoCs): Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Modifies registry class (15 IoCs)
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each process below is the child of the one listed before it (a chain 31 levels deep).

1. C:\Users\Admin\AppData\Local\Temp\f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe (PID 2584)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe (PID 3900)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f465b65fecc8ae9797e19e08e5ff4542_JaffaCakes118.exe"
   - Checks computer location settings
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\igfxwk32.exe (PID 1508)
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\F465B6~1.EXE
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\igfxwk32.exe (PID 1276)
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\F465B6~1.EXE
   - Checks computer location settings
   - Deletes itself
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\igfxwk32.exe (PID 1420)
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\igfxwk32.exe (PID 4532)
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\igfxwk32.exe (PID 3400)
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\igfxwk32.exe (PID 1920)
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\igfxwk32.exe (PID 632)
   Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\igfxwk32.exe (PID 3036)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\igfxwk32.exe (PID 2420)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\igfxwk32.exe (PID 2592)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\igfxwk32.exe (PID 4236)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\igfxwk32.exe (PID 3852)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
15. C:\Windows\SysWOW64\igfxwk32.exe (PID 4800)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
16. C:\Windows\SysWOW64\igfxwk32.exe (PID 5048)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
17. C:\Windows\SysWOW64\igfxwk32.exe (PID 4968)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
18. C:\Windows\SysWOW64\igfxwk32.exe (PID 1284)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
19. C:\Windows\SysWOW64\igfxwk32.exe (PID 1508)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
20. C:\Windows\SysWOW64\igfxwk32.exe (PID 5100)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
21. C:\Windows\SysWOW64\igfxwk32.exe (PID 1520)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
22. C:\Windows\SysWOW64\igfxwk32.exe (PID 1008)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
23. C:\Windows\SysWOW64\igfxwk32.exe (PID 3056)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
24. C:\Windows\SysWOW64\igfxwk32.exe (PID 1648)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
25. C:\Windows\SysWOW64\igfxwk32.exe (PID 3268)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
26. C:\Windows\SysWOW64\igfxwk32.exe (PID 3916)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
27. C:\Windows\SysWOW64\igfxwk32.exe (PID 976)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
28. C:\Windows\SysWOW64\igfxwk32.exe (PID 4868)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
29. C:\Windows\SysWOW64\igfxwk32.exe (PID 4696)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
30. C:\Windows\SysWOW64\igfxwk32.exe (PID 920)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
31. C:\Windows\SysWOW64\igfxwk32.exe (PID 1660)
    Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 168KB
- MD5: f465b65fecc8ae9797e19e08e5ff4542
- SHA1: 19045b0714fc12714669128b65764d209c48a896
- SHA256: d21db4c56c2bef6f00b65741a244565e367d3b0fbd2227badd2bacfed095d132
- SHA512: bbc6a74bc7120bd0cfdd02041f996ee281b74a635d52b307fff5ed10ac29a7531af3ff2a479c89a2168cfb800e6568410272fd757f168f477e595a15ed757d1b