Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18/12/2024, 03:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe
-
Size
174KB
-
MD5
f9f82b6aac7b0b7c915b77310c06eee7
-
SHA1
73a1d283e61264dd83f44b6eeaf3d79cd9632fe0
-
SHA256
61f7020639465ea2de465a86d4fb42af808e5bfc2955507b201bfdf5e653750b
-
SHA512
38422cba36fac7c38645af8569be2f4e69e26ca5709c0c15a760789ebdbb124eef380b3eb694d75d5d5f89f0a7974d8c441903500db4ebdf903267881557536f
-
SSDEEP
3072:V6sIBFdzCbwci5n0mmFiU/RxPyTNpY3a1OdCaD90Mq+EIoow562:4zC8fq5/CQK1Pa8wn2
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation igfxwt32.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation igfxwt32.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation igfxwt32.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation igfxwt32.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation igfxwt32.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation igfxwt32.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation igfxwt32.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation igfxwt32.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation igfxwt32.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation igfxwt32.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation igfxwt32.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation igfxwt32.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation igfxwt32.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation igfxwt32.exe -
Deletes itself 1 IoCs
pid Process 4268 igfxwt32.exe -
Executes dropped EXE 29 IoCs
pid Process 3460 igfxwt32.exe 4268 igfxwt32.exe 4068 igfxwt32.exe 1676 igfxwt32.exe 2028 igfxwt32.exe 5072 igfxwt32.exe 552 igfxwt32.exe 5080 igfxwt32.exe 4012 igfxwt32.exe 1988 igfxwt32.exe 4400 igfxwt32.exe 2480 igfxwt32.exe 4908 igfxwt32.exe 1552 igfxwt32.exe 2464 igfxwt32.exe 1580 igfxwt32.exe 2960 igfxwt32.exe 3560 igfxwt32.exe 3644 igfxwt32.exe 4388 igfxwt32.exe 3528 igfxwt32.exe 5088 igfxwt32.exe 2764 igfxwt32.exe 3360 igfxwt32.exe 2780 igfxwt32.exe 3332 igfxwt32.exe 3348 igfxwt32.exe 496 igfxwt32.exe 2168 igfxwt32.exe -
Maps connected drives based on registry 3 TTPs 30 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwt32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwt32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwt32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwt32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwt32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwt32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwt32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwt32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwt32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwt32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwt32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwt32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwt32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwt32.exe -
Drops file in System32 directory 45 IoCs
description ioc Process File created C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\ igfxwt32.exe File opened for modification C:\Windows\SysWOW64\ igfxwt32.exe File created C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File created C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\ igfxwt32.exe File opened for modification C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\ f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe File created C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\ igfxwt32.exe File opened for modification C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\ igfxwt32.exe File opened for modification C:\Windows\SysWOW64\ igfxwt32.exe File created C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\ igfxwt32.exe File created C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\ igfxwt32.exe File created C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File created C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File created C:\Windows\SysWOW64\igfxwt32.exe f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\ igfxwt32.exe File opened for modification C:\Windows\SysWOW64\ igfxwt32.exe File created C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\ igfxwt32.exe File opened for modification C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\ igfxwt32.exe File opened for modification C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\ igfxwt32.exe File opened for modification C:\Windows\SysWOW64\igfxwt32.exe f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File created C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\ igfxwt32.exe File created C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File opened for modification C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File created C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File created C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe File created C:\Windows\SysWOW64\igfxwt32.exe igfxwt32.exe -
Suspicious use of SetThreadContext 15 IoCs
description pid Process procid_target PID 3900 set thread context of 4984 3900 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe 89 PID 3460 set thread context of 4268 3460 igfxwt32.exe 97 PID 4068 set thread context of 1676 4068 igfxwt32.exe 99 PID 2028 set thread context of 5072 2028 igfxwt32.exe 104 PID 552 set thread context of 5080 552 igfxwt32.exe 106 PID 4012 set thread context of 1988 4012 igfxwt32.exe 108 PID 4400 set thread context of 2480 4400 igfxwt32.exe 111 PID 4908 set thread context of 1552 4908 igfxwt32.exe 113 PID 2464 set thread context of 1580 2464 igfxwt32.exe 115 PID 2960 set thread context of 3560 2960 igfxwt32.exe 117 PID 3644 set thread context of 4388 3644 igfxwt32.exe 119 PID 3528 set thread context of 5088 3528 igfxwt32.exe 121 PID 2764 set thread context of 3360 2764 igfxwt32.exe 123 PID 2780 set thread context of 3332 2780 igfxwt32.exe 125 PID 3348 set thread context of 496 3348 igfxwt32.exe 127 -
resource yara_rule behavioral2/memory/4984-0-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/4984-2-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/4984-3-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/4984-4-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/4984-40-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/4268-44-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/4268-46-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/4268-45-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/4268-47-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/1676-55-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/5072-62-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/5080-69-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/1988-75-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/2480-83-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/1552-91-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/1580-98-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/3560-105-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/4388-112-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/5088-119-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/3360-128-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/3332-136-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral2/memory/496-144-0x0000000000400000-0x0000000000466000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwt32.exe -
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwt32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwt32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwt32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwt32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwt32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwt32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwt32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwt32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwt32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwt32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwt32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwt32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwt32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwt32.exe -
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid Process 4984 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe 4984 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe 4984 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe 4984 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe 4268 igfxwt32.exe 4268 igfxwt32.exe 4268 igfxwt32.exe 4268 igfxwt32.exe 1676 igfxwt32.exe 1676 igfxwt32.exe 1676 igfxwt32.exe 1676 igfxwt32.exe 5072 igfxwt32.exe 5072 igfxwt32.exe 5072 igfxwt32.exe 5072 igfxwt32.exe 5080 igfxwt32.exe 5080 igfxwt32.exe 5080 igfxwt32.exe 5080 igfxwt32.exe 1988 igfxwt32.exe 1988 igfxwt32.exe 1988 igfxwt32.exe 1988 igfxwt32.exe 2480 igfxwt32.exe 2480 igfxwt32.exe 2480 igfxwt32.exe 2480 igfxwt32.exe 1552 igfxwt32.exe 1552 igfxwt32.exe 1552 igfxwt32.exe 1552 igfxwt32.exe 1580 igfxwt32.exe 1580 igfxwt32.exe 1580 igfxwt32.exe 1580 igfxwt32.exe 3560 igfxwt32.exe 3560 igfxwt32.exe 3560 igfxwt32.exe 3560 igfxwt32.exe 4388 igfxwt32.exe 4388 igfxwt32.exe 4388 igfxwt32.exe 4388 igfxwt32.exe 5088 igfxwt32.exe 5088 igfxwt32.exe 5088 igfxwt32.exe 5088 igfxwt32.exe 3360 igfxwt32.exe 3360 igfxwt32.exe 3360 igfxwt32.exe 3360 igfxwt32.exe 3332 igfxwt32.exe 3332 igfxwt32.exe 3332 igfxwt32.exe 3332 igfxwt32.exe 496 igfxwt32.exe 496 igfxwt32.exe 496 igfxwt32.exe 496 igfxwt32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3900 wrote to memory of 4984 3900 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe 89 PID 3900 wrote to memory of 4984 3900 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe 89 PID 3900 wrote to memory of 4984 3900 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe 89 PID 3900 wrote to memory of 4984 3900 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe 89 PID 3900 wrote to memory of 4984 3900 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe 89 PID 3900 wrote to memory of 4984 3900 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe 89 PID 3900 wrote to memory of 4984 3900 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe 89 PID 4984 wrote to memory of 3460 4984 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe 90 PID 4984 wrote to memory of 3460 4984 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe 90 PID 4984 wrote to memory of 3460 4984 f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe 90 PID 3460 wrote to memory of 4268 3460 igfxwt32.exe 97 PID 3460 wrote to memory of 4268 3460 igfxwt32.exe 97 PID 3460 wrote to memory of 4268 3460 igfxwt32.exe 97 PID 3460 wrote to memory of 4268 3460 igfxwt32.exe 97 PID 3460 wrote to memory of 4268 3460 igfxwt32.exe 97 PID 3460 wrote to memory of 4268 3460 igfxwt32.exe 97 PID 3460 wrote to memory of 4268 3460 igfxwt32.exe 97 PID 4268 wrote to memory of 4068 4268 igfxwt32.exe 98 PID 4268 wrote to memory of 4068 4268 igfxwt32.exe 98 PID 4268 wrote to memory of 4068 4268 igfxwt32.exe 98 PID 4068 wrote to memory of 1676 4068 igfxwt32.exe 99 PID 4068 wrote to memory of 1676 4068 igfxwt32.exe 99 PID 4068 wrote to memory of 1676 4068 igfxwt32.exe 99 PID 4068 wrote to memory of 1676 4068 igfxwt32.exe 99 PID 4068 wrote to memory of 1676 4068 igfxwt32.exe 99 PID 4068 wrote to memory of 1676 4068 igfxwt32.exe 99 PID 4068 wrote to memory of 1676 4068 igfxwt32.exe 99 PID 1676 wrote to memory of 2028 1676 igfxwt32.exe 102 PID 1676 wrote to memory of 2028 1676 igfxwt32.exe 102 PID 1676 wrote to memory of 2028 1676 igfxwt32.exe 102 PID 2028 wrote to memory of 5072 2028 igfxwt32.exe 104 PID 2028 wrote to memory of 5072 2028 igfxwt32.exe 104 PID 2028 wrote to memory of 5072 2028 igfxwt32.exe 104 PID 2028 wrote to memory of 5072 2028 igfxwt32.exe 104 PID 2028 wrote to memory of 5072 2028 igfxwt32.exe 104 PID 2028 wrote to memory of 5072 2028 igfxwt32.exe 104 PID 2028 wrote to memory of 5072 2028 igfxwt32.exe 104 PID 5072 wrote to memory of 552 5072 igfxwt32.exe 105 PID 5072 wrote to memory of 552 5072 igfxwt32.exe 105 PID 5072 wrote to memory of 552 5072 igfxwt32.exe 105 PID 552 wrote to memory of 5080 552 igfxwt32.exe 106 PID 552 wrote to memory of 5080 552 igfxwt32.exe 106 PID 552 wrote to memory of 5080 552 igfxwt32.exe 106 PID 552 wrote to memory of 5080 552 igfxwt32.exe 106 PID 552 wrote to memory of 5080 552 igfxwt32.exe 106 PID 552 wrote to memory of 5080 552 igfxwt32.exe 106 PID 552 wrote to memory of 5080 552 igfxwt32.exe 106 PID 5080 wrote to memory of 4012 5080 igfxwt32.exe 107 PID 5080 wrote to memory of 4012 5080 igfxwt32.exe 107 PID 5080 wrote to memory of 4012 5080 igfxwt32.exe 107 PID 4012 wrote to memory of 1988 4012 igfxwt32.exe 108 PID 4012 wrote to memory of 1988 4012 igfxwt32.exe 108 PID 4012 wrote to memory of 1988 4012 igfxwt32.exe 108 PID 4012 wrote to memory of 1988 4012 igfxwt32.exe 108 PID 4012 wrote to memory of 1988 4012 igfxwt32.exe 108 PID 4012 wrote to memory of 1988 4012 igfxwt32.exe 108 PID 4012 wrote to memory of 1988 4012 igfxwt32.exe 108 PID 1988 wrote to memory of 4400 1988 igfxwt32.exe 109 PID 1988 wrote to memory of 4400 1988 igfxwt32.exe 109 PID 1988 wrote to memory of 4400 1988 igfxwt32.exe 109 PID 4400 wrote to memory of 2480 4400 igfxwt32.exe 111 PID 4400 wrote to memory of 2480 4400 igfxwt32.exe 111 PID 4400 wrote to memory of 2480 4400 igfxwt32.exe 111 PID 4400 wrote to memory of 2480 4400 igfxwt32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Users\Admin\AppData\Local\Temp\f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f9f82b6aac7b0b7c915b77310c06eee7_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Users\Admin\AppData\Local\Temp\F9F82B~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Users\Admin\AppData\Local\Temp\F9F82B~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2480 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4908 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1552 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1580 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3560 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3644 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4388 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3528 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5088 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3360 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3332 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3348 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:496 -
C:\Windows\SysWOW64\igfxwt32.exe"C:\Windows\system32\igfxwt32.exe" C:\Windows\SysWOW64\igfxwt32.exe31⤵
- Executes dropped EXE
PID:2168
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
174KB
MD5f9f82b6aac7b0b7c915b77310c06eee7
SHA173a1d283e61264dd83f44b6eeaf3d79cd9632fe0
SHA25661f7020639465ea2de465a86d4fb42af808e5bfc2955507b201bfdf5e653750b
SHA51238422cba36fac7c38645af8569be2f4e69e26ca5709c0c15a760789ebdbb124eef380b3eb694d75d5d5f89f0a7974d8c441903500db4ebdf903267881557536f