Analysis
max time kernel: 145s
max time network: 121s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 19-12-2024 16:38

Static task: static1
Behavioral task: behavioral1
Sample: ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
Size: 172KB
MD5: ffd4bab349d0e0b144a37f0a58fdb2cf
SHA1: d183c443613907425c0dc817e84c8eed28264f5c
SHA256: 243e79f0ebde6e3baa2bf90e9f2fba20a40eb767476c1d35c30835dec3d7a5a9
SHA512: 82c9e100757ea7e36a0bb470e9a6952b129a0ef231587d8f25d5d25c3f1250393fa4c54d4c4a135eaecd4ae9ea9f01864121e0705920713cad2f09e26c77abb8
SSDEEP: 3072:I3BgR+HseFAxfe2/t+F8sbW27OFR4oudgbecnycoO0qL0BANi:GBX8Zt+FhbW27OYVeCeyRO0qWR
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Metasploit family

Deletes itself 1 IoCs
pid | Process
2800 | igfxpk32.exe
Executes dropped EXE 33 IoCs
pid | Process
2632 | igfxpk32.exe
2800 | igfxpk32.exe
2076 | igfxpk32.exe
2676 | igfxpk32.exe
1984 | igfxpk32.exe
1632 | igfxpk32.exe
2860 | igfxpk32.exe
804 | igfxpk32.exe
1140 | igfxpk32.exe
2292 | igfxpk32.exe
2088 | igfxpk32.exe
1912 | igfxpk32.exe
1764 | igfxpk32.exe
1860 | igfxpk32.exe
1788 | igfxpk32.exe
1804 | igfxpk32.exe
1696 | igfxpk32.exe
236 | igfxpk32.exe
1600 | igfxpk32.exe
2636 | igfxpk32.exe
2832 | igfxpk32.exe
2096 | igfxpk32.exe
2700 | igfxpk32.exe
2692 | igfxpk32.exe
1972 | igfxpk32.exe
1984 | igfxpk32.exe
2884 | igfxpk32.exe
1080 | igfxpk32.exe
1752 | igfxpk32.exe
2196 | igfxpk32.exe
1924 | igfxpk32.exe
2172 | igfxpk32.exe
1916 | igfxpk32.exe
Loads dropped DLL 33 IoCs
pid | Process
1584 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
2632 | igfxpk32.exe
2800 | igfxpk32.exe
2076 | igfxpk32.exe
2676 | igfxpk32.exe
1984 | igfxpk32.exe
1632 | igfxpk32.exe
2860 | igfxpk32.exe
804 | igfxpk32.exe
1140 | igfxpk32.exe
2292 | igfxpk32.exe
2088 | igfxpk32.exe
1912 | igfxpk32.exe
1764 | igfxpk32.exe
1860 | igfxpk32.exe
1788 | igfxpk32.exe
1804 | igfxpk32.exe
1696 | igfxpk32.exe
236 | igfxpk32.exe
1600 | igfxpk32.exe
2636 | igfxpk32.exe
2832 | igfxpk32.exe
2096 | igfxpk32.exe
2700 | igfxpk32.exe
2692 | igfxpk32.exe
1972 | igfxpk32.exe
1984 | igfxpk32.exe
2884 | igfxpk32.exe
1080 | igfxpk32.exe
1752 | igfxpk32.exe
2196 | igfxpk32.exe
1924 | igfxpk32.exe
2172 | igfxpk32.exe
Maps connected drives based on registry 3 TTPs 34 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Drops file in System32 directory 51 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
Suspicious use of SetThreadContext 17 IoCs
description | pid | Process | procid_target
PID 1220 set thread context of 1584 | 1220 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 30
PID 2632 set thread context of 2800 | 2632 | igfxpk32.exe | 33
PID 2076 set thread context of 2676 | 2076 | igfxpk32.exe | 35
PID 1984 set thread context of 1632 | 1984 | igfxpk32.exe | 37
PID 2860 set thread context of 804 | 2860 | igfxpk32.exe | 39
PID 1140 set thread context of 2292 | 1140 | igfxpk32.exe | 41
PID 2088 set thread context of 1912 | 2088 | igfxpk32.exe | 43
PID 1764 set thread context of 1860 | 1764 | igfxpk32.exe | 45
PID 1788 set thread context of 1804 | 1788 | igfxpk32.exe | 47
PID 1696 set thread context of 236 | 1696 | igfxpk32.exe | 49
PID 1600 set thread context of 2636 | 1600 | igfxpk32.exe | 51
PID 2832 set thread context of 2096 | 2832 | igfxpk32.exe | 53
PID 2700 set thread context of 2692 | 2700 | igfxpk32.exe | 55
PID 1972 set thread context of 1984 | 1972 | igfxpk32.exe | 57
PID 2884 set thread context of 1080 | 2884 | igfxpk32.exe | 59
PID 1752 set thread context of 2196 | 1752 | igfxpk32.exe | 61
PID 1924 set thread context of 2172 | 1924 | igfxpk32.exe | 63
resource | yara_rule
behavioral1/memory/1584-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1584-7-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1584-6-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1584-3-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1584-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1584-8-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1584-9-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1584-19-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2800-31-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2800-32-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2800-30-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2800-29-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2800-35-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2676-47-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2676-53-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1632-69-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/804-80-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/804-87-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2292-98-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2292-104-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1912-120-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1860-131-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1860-137-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1804-147-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1804-155-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/236-165-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/236-172-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2636-183-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2636-190-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2096-206-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2692-223-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1984-239-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1080-252-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2196-260-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2196-265-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2172-273-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2172-278-0x0000000000400000-0x0000000000466000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 34 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Suspicious behavior: EnumeratesProcesses 34 IoCs
pid | Process
1584 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
1584 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
2800 | igfxpk32.exe
2800 | igfxpk32.exe
2676 | igfxpk32.exe
2676 | igfxpk32.exe
1632 | igfxpk32.exe
1632 | igfxpk32.exe
804 | igfxpk32.exe
804 | igfxpk32.exe
2292 | igfxpk32.exe
2292 | igfxpk32.exe
1912 | igfxpk32.exe
1912 | igfxpk32.exe
1860 | igfxpk32.exe
1860 | igfxpk32.exe
1804 | igfxpk32.exe
1804 | igfxpk32.exe
236 | igfxpk32.exe
236 | igfxpk32.exe
2636 | igfxpk32.exe
2636 | igfxpk32.exe
2096 | igfxpk32.exe
2096 | igfxpk32.exe
2692 | igfxpk32.exe
2692 | igfxpk32.exe
1984 | igfxpk32.exe
1984 | igfxpk32.exe
1080 | igfxpk32.exe
1080 | igfxpk32.exe
2196 | igfxpk32.exe
2196 | igfxpk32.exe
2172 | igfxpk32.exe
2172 | igfxpk32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1220 wrote to memory of 1584 | 1220 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 30
PID 1220 wrote to memory of 1584 | 1220 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 30
PID 1220 wrote to memory of 1584 | 1220 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 30
PID 1220 wrote to memory of 1584 | 1220 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 30
PID 1220 wrote to memory of 1584 | 1220 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 30
PID 1220 wrote to memory of 1584 | 1220 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 30
PID 1220 wrote to memory of 1584 | 1220 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 30
PID 1584 wrote to memory of 2632 | 1584 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 32
PID 1584 wrote to memory of 2632 | 1584 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 32
PID 1584 wrote to memory of 2632 | 1584 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 32
PID 1584 wrote to memory of 2632 | 1584 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 32
PID 2632 wrote to memory of 2800 | 2632 | igfxpk32.exe | 33
PID 2632 wrote to memory of 2800 | 2632 | igfxpk32.exe | 33
PID 2632 wrote to memory of 2800 | 2632 | igfxpk32.exe | 33
PID 2632 wrote to memory of 2800 | 2632 | igfxpk32.exe | 33
PID 2632 wrote to memory of 2800 | 2632 | igfxpk32.exe | 33
PID 2632 wrote to memory of 2800 | 2632 | igfxpk32.exe | 33
PID 2632 wrote to memory of 2800 | 2632 | igfxpk32.exe | 33
PID 2800 wrote to memory of 2076 | 2800 | igfxpk32.exe | 34
PID 2800 wrote to memory of 2076 | 2800 | igfxpk32.exe | 34
PID 2800 wrote to memory of 2076 | 2800 | igfxpk32.exe | 34
PID 2800 wrote to memory of 2076 | 2800 | igfxpk32.exe | 34
PID 2076 wrote to memory of 2676 | 2076 | igfxpk32.exe | 35
PID 2076 wrote to memory of 2676 | 2076 | igfxpk32.exe | 35
PID 2076 wrote to memory of 2676 | 2076 | igfxpk32.exe | 35
PID 2076 wrote to memory of 2676 | 2076 | igfxpk32.exe | 35
PID 2076 wrote to memory of 2676 | 2076 | igfxpk32.exe | 35
PID 2076 wrote to memory of 2676 | 2076 | igfxpk32.exe | 35
PID 2076 wrote to memory of 2676 | 2076 | igfxpk32.exe | 35
PID 2676 wrote to memory of 1984 | 2676 | igfxpk32.exe | 36
PID 2676 wrote to memory of 1984 | 2676 | igfxpk32.exe | 36
PID 2676 wrote to memory of 1984 | 2676 | igfxpk32.exe | 36
PID 2676 wrote to memory of 1984 | 2676 | igfxpk32.exe | 36
PID 1984 wrote to memory of 1632 | 1984 | igfxpk32.exe | 37
PID 1984 wrote to memory of 1632 | 1984 | igfxpk32.exe | 37
PID 1984 wrote to memory of 1632 | 1984 | igfxpk32.exe | 37
PID 1984 wrote to memory of 1632 | 1984 | igfxpk32.exe | 37
PID 1984 wrote to memory of 1632 | 1984 | igfxpk32.exe | 37
PID 1984 wrote to memory of 1632 | 1984 | igfxpk32.exe | 37
PID 1984 wrote to memory of 1632 | 1984 | igfxpk32.exe | 37
PID 1632 wrote to memory of 2860 | 1632 | igfxpk32.exe | 38
PID 1632 wrote to memory of 2860 | 1632 | igfxpk32.exe | 38
PID 1632 wrote to memory of 2860 | 1632 | igfxpk32.exe | 38
PID 1632 wrote to memory of 2860 | 1632 | igfxpk32.exe | 38
PID 2860 wrote to memory of 804 | 2860 | igfxpk32.exe | 39
PID 2860 wrote to memory of 804 | 2860 | igfxpk32.exe | 39
PID 2860 wrote to memory of 804 | 2860 | igfxpk32.exe | 39
PID 2860 wrote to memory of 804 | 2860 | igfxpk32.exe | 39
PID 2860 wrote to memory of 804 | 2860 | igfxpk32.exe | 39
PID 2860 wrote to memory of 804 | 2860 | igfxpk32.exe | 39
PID 2860 wrote to memory of 804 | 2860 | igfxpk32.exe | 39
PID 804 wrote to memory of 1140 | 804 | igfxpk32.exe | 40
PID 804 wrote to memory of 1140 | 804 | igfxpk32.exe | 40
PID 804 wrote to memory of 1140 | 804 | igfxpk32.exe | 40
PID 804 wrote to memory of 1140 | 804 | igfxpk32.exe | 40
PID 1140 wrote to memory of 2292 | 1140 | igfxpk32.exe | 41
PID 1140 wrote to memory of 2292 | 1140 | igfxpk32.exe | 41
PID 1140 wrote to memory of 2292 | 1140 | igfxpk32.exe | 41
PID 1140 wrote to memory of 2292 | 1140 | igfxpk32.exe | 41
PID 1140 wrote to memory of 2292 | 1140 | igfxpk32.exe | 41
PID 1140 wrote to memory of 2292 | 1140 | igfxpk32.exe | 41
PID 1140 wrote to memory of 2292 | 1140 | igfxpk32.exe | 41
PID 2292 wrote to memory of 2088 | 2292 | igfxpk32.exe | 42
PID 2292 wrote to memory of 2088 | 2292 | igfxpk32.exe | 42
Processes

1. C:\Users\Admin\AppData\Local\Temp\ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1220

2. C:\Users\Admin\AppData\Local\Temp\ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe"
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 1584

3. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Users\Admin\AppData\Local\Temp\FFD4BA~1.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2632

4. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Users\Admin\AppData\Local\Temp\FFD4BA~1.EXE
   - Deletes itself
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2800

5. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2076

6. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2676

7. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1984

8. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 1632

9. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2860

10. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 804

11. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1140

12. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2292

13. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   PID: 2088

14. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   PID: 1912

15. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   PID: 1764

16. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   PID: 1860

17. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   PID: 1788

18. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   PID: 1804

19. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   PID: 1696

20. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   PID: 236

21. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   PID: 1600

22. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   PID: 2636

23. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   PID: 2832

24. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   PID: 2096

25. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   PID: 2700

26. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   PID: 2692

27. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   PID: 1972

28. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   PID: 1984

29. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   PID: 2884

30. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   PID: 1080

31. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   PID: 1752

32. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   PID: 2196

33. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   PID: 1924

34. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   PID: 2172

35. C:\Windows\SysWOW64\igfxpk32.exe
   Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
   - Executes dropped EXE
   PID: 1916
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 172KB
MD5: ffd4bab349d0e0b144a37f0a58fdb2cf
SHA1: d183c443613907425c0dc817e84c8eed28264f5c
SHA256: 243e79f0ebde6e3baa2bf90e9f2fba20a40eb767476c1d35c30835dec3d7a5a9
SHA512: 82c9e100757ea7e36a0bb470e9a6952b129a0ef231587d8f25d5d25c3f1250393fa4c54d4c4a135eaecd4ae9ea9f01864121e0705920713cad2f09e26c77abb8