Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2024 16:38
Static task: static1

Behavioral task: behavioral1
- Sample: ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
- Size: 172KB
- MD5: ffd4bab349d0e0b144a37f0a58fdb2cf
- SHA1: d183c443613907425c0dc817e84c8eed28264f5c
- SHA256: 243e79f0ebde6e3baa2bf90e9f2fba20a40eb767476c1d35c30835dec3d7a5a9
- SHA512: 82c9e100757ea7e36a0bb470e9a6952b129a0ef231587d8f25d5d25c3f1250393fa4c54d4c4a135eaecd4ae9ea9f01864121e0705920713cad2f09e26c77abb8
- SSDEEP: 3072:I3BgR+HseFAxfe2/t+F8sbW27OFR4oudgbecnycoO0qL0BANi:GBX8Zt+FhbW27OYVeCeyRO0qWR
Malware Config
Extracted:
- metasploit
- encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Metasploit family
Checks computer location settings (2 TTPs, 17 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Deletes itself (1 IoC)
pid | Process
1488 | igfxpk32.exe
Executes dropped EXE (33 IoCs)
pid | Process
116 | igfxpk32.exe
1488 | igfxpk32.exe
4500 | igfxpk32.exe
5040 | igfxpk32.exe
3988 | igfxpk32.exe
1540 | igfxpk32.exe
2576 | igfxpk32.exe
2060 | igfxpk32.exe
4532 | igfxpk32.exe
2936 | igfxpk32.exe
4588 | igfxpk32.exe
2428 | igfxpk32.exe
1384 | igfxpk32.exe
3532 | igfxpk32.exe
1988 | igfxpk32.exe
3576 | igfxpk32.exe
964 | igfxpk32.exe
2668 | igfxpk32.exe
1380 | igfxpk32.exe
4744 | igfxpk32.exe
4052 | igfxpk32.exe
4472 | igfxpk32.exe
4760 | igfxpk32.exe
3712 | igfxpk32.exe
4724 | igfxpk32.exe
3124 | igfxpk32.exe
840 | igfxpk32.exe
4380 | igfxpk32.exe
3508 | igfxpk32.exe
2764 | igfxpk32.exe
3468 | igfxpk32.exe
5068 | igfxpk32.exe
4464 | igfxpk32.exe
Maps connected drives based on registry (3 TTPs, 34 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxpk32.exe
Drops file in System32 directory (51 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxpk32.exe
File created | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxpk32.exe | igfxpk32.exe
Suspicious use of SetThreadContext (17 IoCs)
description | pid | Process | procid_target
PID 4744 set thread context of 1412 | 4744 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 82
PID 116 set thread context of 1488 | 116 | igfxpk32.exe | 84
PID 4500 set thread context of 5040 | 4500 | igfxpk32.exe | 86
PID 3988 set thread context of 1540 | 3988 | igfxpk32.exe | 90
PID 2576 set thread context of 2060 | 2576 | igfxpk32.exe | 92
PID 4532 set thread context of 2936 | 4532 | igfxpk32.exe | 96
PID 4588 set thread context of 2428 | 4588 | igfxpk32.exe | 102
PID 1384 set thread context of 3532 | 1384 | igfxpk32.exe | 104
PID 1988 set thread context of 3576 | 1988 | igfxpk32.exe | 106
PID 964 set thread context of 2668 | 964 | igfxpk32.exe | 108
PID 1380 set thread context of 4744 | 1380 | igfxpk32.exe | 110
PID 4052 set thread context of 4472 | 4052 | igfxpk32.exe | 112
PID 4760 set thread context of 3712 | 4760 | igfxpk32.exe | 114
PID 4724 set thread context of 3124 | 4724 | igfxpk32.exe | 116
PID 840 set thread context of 4380 | 840 | igfxpk32.exe | 118
PID 3508 set thread context of 2764 | 3508 | igfxpk32.exe | 120
PID 3468 set thread context of 5068 | 3468 | igfxpk32.exe | 122

resource | yara_rule
behavioral2/memory/1412-0-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1412-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1412-3-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1412-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1412-38-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1488-43-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1488-44-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1488-45-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1488-46-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/5040-55-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1540-65-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2060-71-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2936-78-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2428-85-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3532-92-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3576-99-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2668-106-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4744-112-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4472-117-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4472-118-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4472-120-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3712-130-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3124-138-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4380-146-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2764-154-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/5068-162-0x0000000000400000-0x0000000000466000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 34 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxpk32.exe
Modifies registry class (17 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1412 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
1412 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
1412 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
1412 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe
1488 | igfxpk32.exe
1488 | igfxpk32.exe
1488 | igfxpk32.exe
1488 | igfxpk32.exe
5040 | igfxpk32.exe
5040 | igfxpk32.exe
5040 | igfxpk32.exe
5040 | igfxpk32.exe
1540 | igfxpk32.exe
1540 | igfxpk32.exe
1540 | igfxpk32.exe
1540 | igfxpk32.exe
2060 | igfxpk32.exe
2060 | igfxpk32.exe
2060 | igfxpk32.exe
2060 | igfxpk32.exe
2936 | igfxpk32.exe
2936 | igfxpk32.exe
2936 | igfxpk32.exe
2936 | igfxpk32.exe
2428 | igfxpk32.exe
2428 | igfxpk32.exe
2428 | igfxpk32.exe
2428 | igfxpk32.exe
3532 | igfxpk32.exe
3532 | igfxpk32.exe
3532 | igfxpk32.exe
3532 | igfxpk32.exe
3576 | igfxpk32.exe
3576 | igfxpk32.exe
3576 | igfxpk32.exe
3576 | igfxpk32.exe
2668 | igfxpk32.exe
2668 | igfxpk32.exe
2668 | igfxpk32.exe
2668 | igfxpk32.exe
4744 | igfxpk32.exe
4744 | igfxpk32.exe
4744 | igfxpk32.exe
4744 | igfxpk32.exe
4472 | igfxpk32.exe
4472 | igfxpk32.exe
4472 | igfxpk32.exe
4472 | igfxpk32.exe
3712 | igfxpk32.exe
3712 | igfxpk32.exe
3712 | igfxpk32.exe
3712 | igfxpk32.exe
3124 | igfxpk32.exe
3124 | igfxpk32.exe
3124 | igfxpk32.exe
3124 | igfxpk32.exe
4380 | igfxpk32.exe
4380 | igfxpk32.exe
4380 | igfxpk32.exe
4380 | igfxpk32.exe
2764 | igfxpk32.exe
2764 | igfxpk32.exe
2764 | igfxpk32.exe
2764 | igfxpk32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4744 wrote to memory of 1412 | 4744 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 82
PID 4744 wrote to memory of 1412 | 4744 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 82
PID 4744 wrote to memory of 1412 | 4744 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 82
PID 4744 wrote to memory of 1412 | 4744 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 82
PID 4744 wrote to memory of 1412 | 4744 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 82
PID 4744 wrote to memory of 1412 | 4744 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 82
PID 4744 wrote to memory of 1412 | 4744 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 82
PID 1412 wrote to memory of 116 | 1412 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 83
PID 1412 wrote to memory of 116 | 1412 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 83
PID 1412 wrote to memory of 116 | 1412 | ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe | 83
PID 116 wrote to memory of 1488 | 116 | igfxpk32.exe | 84
PID 116 wrote to memory of 1488 | 116 | igfxpk32.exe | 84
PID 116 wrote to memory of 1488 | 116 | igfxpk32.exe | 84
PID 116 wrote to memory of 1488 | 116 | igfxpk32.exe | 84
PID 116 wrote to memory of 1488 | 116 | igfxpk32.exe | 84
PID 116 wrote to memory of 1488 | 116 | igfxpk32.exe | 84
PID 116 wrote to memory of 1488 | 116 | igfxpk32.exe | 84
PID 1488 wrote to memory of 4500 | 1488 | igfxpk32.exe | 85
PID 1488 wrote to memory of 4500 | 1488 | igfxpk32.exe | 85
PID 1488 wrote to memory of 4500 | 1488 | igfxpk32.exe | 85
PID 4500 wrote to memory of 5040 | 4500 | igfxpk32.exe | 86
PID 4500 wrote to memory of 5040 | 4500 | igfxpk32.exe | 86
PID 4500 wrote to memory of 5040 | 4500 | igfxpk32.exe | 86
PID 4500 wrote to memory of 5040 | 4500 | igfxpk32.exe | 86
PID 4500 wrote to memory of 5040 | 4500 | igfxpk32.exe | 86
PID 4500 wrote to memory of 5040 | 4500 | igfxpk32.exe | 86
PID 4500 wrote to memory of 5040 | 4500 | igfxpk32.exe | 86
PID 5040 wrote to memory of 3988 | 5040 | igfxpk32.exe | 87
PID 5040 wrote to memory of 3988 | 5040 | igfxpk32.exe | 87
PID 5040 wrote to memory of 3988 | 5040 | igfxpk32.exe | 87
PID 3988 wrote to memory of 1540 | 3988 | igfxpk32.exe | 90
PID 3988 wrote to memory of 1540 | 3988 | igfxpk32.exe | 90
PID 3988 wrote to memory of 1540 | 3988 | igfxpk32.exe | 90
PID 3988 wrote to memory of 1540 | 3988 | igfxpk32.exe | 90
PID 3988 wrote to memory of 1540 | 3988 | igfxpk32.exe | 90
PID 3988 wrote to memory of 1540 | 3988 | igfxpk32.exe | 90
PID 3988 wrote to memory of 1540 | 3988 | igfxpk32.exe | 90
PID 1540 wrote to memory of 2576 | 1540 | igfxpk32.exe | 91
PID 1540 wrote to memory of 2576 | 1540 | igfxpk32.exe | 91
PID 1540 wrote to memory of 2576 | 1540 | igfxpk32.exe | 91
PID 2576 wrote to memory of 2060 | 2576 | igfxpk32.exe | 92
PID 2576 wrote to memory of 2060 | 2576 | igfxpk32.exe | 92
PID 2576 wrote to memory of 2060 | 2576 | igfxpk32.exe | 92
PID 2576 wrote to memory of 2060 | 2576 | igfxpk32.exe | 92
PID 2576 wrote to memory of 2060 | 2576 | igfxpk32.exe | 92
PID 2576 wrote to memory of 2060 | 2576 | igfxpk32.exe | 92
PID 2576 wrote to memory of 2060 | 2576 | igfxpk32.exe | 92
PID 2060 wrote to memory of 4532 | 2060 | igfxpk32.exe | 93
PID 2060 wrote to memory of 4532 | 2060 | igfxpk32.exe | 93
PID 2060 wrote to memory of 4532 | 2060 | igfxpk32.exe | 93
PID 4532 wrote to memory of 2936 | 4532 | igfxpk32.exe | 96
PID 4532 wrote to memory of 2936 | 4532 | igfxpk32.exe | 96
PID 4532 wrote to memory of 2936 | 4532 | igfxpk32.exe | 96
PID 4532 wrote to memory of 2936 | 4532 | igfxpk32.exe | 96
PID 4532 wrote to memory of 2936 | 4532 | igfxpk32.exe | 96
PID 4532 wrote to memory of 2936 | 4532 | igfxpk32.exe | 96
PID 4532 wrote to memory of 2936 | 4532 | igfxpk32.exe | 96
PID 2936 wrote to memory of 4588 | 2936 | igfxpk32.exe | 98
PID 2936 wrote to memory of 4588 | 2936 | igfxpk32.exe | 98
PID 2936 wrote to memory of 4588 | 2936 | igfxpk32.exe | 98
PID 4588 wrote to memory of 2428 | 4588 | igfxpk32.exe | 102
PID 4588 wrote to memory of 2428 | 4588 | igfxpk32.exe | 102
PID 4588 wrote to memory of 2428 | 4588 | igfxpk32.exe | 102
PID 4588 wrote to memory of 2428 | 4588 | igfxpk32.exe | 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Users\Admin\AppData\Local\Temp\ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ffd4bab349d0e0b144a37f0a58fdb2cf_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Users\Admin\AppData\Local\Temp\FFD4BA~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Users\Admin\AppData\Local\Temp\FFD4BA~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2428 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1384
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 16)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3532
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 17)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1988
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 18)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3576
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 19)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 964
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 20)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 2668
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 21)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1380
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 22)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4744
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 23)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4052
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 24)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4472
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 25)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4760
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 26)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3712
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 27)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4724
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 28)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3124
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 29)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 840
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 30)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4380
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 31)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3508
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 32)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 2764
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 33)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3468
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 34)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 5068
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 35)
- Executes dropped EXE
PID: 4464
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 172KB
MD5: ffd4bab349d0e0b144a37f0a58fdb2cf
SHA1: d183c443613907425c0dc817e84c8eed28264f5c
SHA256: 243e79f0ebde6e3baa2bf90e9f2fba20a40eb767476c1d35c30835dec3d7a5a9
SHA512: 82c9e100757ea7e36a0bb470e9a6952b129a0ef231587d8f25d5d25c3f1250393fa4c54d4c4a135eaecd4ae9ea9f01864121e0705920713cad2f09e26c77abb8