Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 07-02-2025 03:09

Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe
- Resource: win7-20240708-en
General
- Target: JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe
- Size: 718KB
- MD5: b24fe9f75a54f69e549e663955428014
- SHA1: 903a55a40827c4ec9d171b2acb5e372e42fcccfb
- SHA256: 44c8432c6320b43a0d6020ead65ad2f218931c7038969702a0ffbfa862b65c61
- SHA512: 4e73ff762270f379bd21c6aae7e39f1f871390ea34585380b0517507931d425608d36271ce459e5767499cf0df91a6698b866fa1644ad9a088f2695ed3b6d825
- SSDEEP: 12288:2hcW7U/HYD5q7c/WCMHV2+awfiIHicRN0Dc9loeXDhOWy:2hc2q4VqY+zU+zLKIlLhOR
Malware Config
Signatures
- Darkcomet family
- Hawkeye family
- Deletes itself (1 IoC)
  pid / Process: 2404 explorer.exe
- Executes dropped EXE (3 IoCs)
  pid / Process: 2404 explorer.exe; 2648 igfpers.exe; 2676 sqlserver.exe
- Loads dropped DLL (6 IoCs)
  pid / Process: 2192 JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe (2 IoCs); 2404 explorer.exe (2 IoCs); 2648 igfpers.exe (2 IoCs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process: Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA User Experience Driver Component = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\igfpers.exe" by igfpers.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description / pid / Process / procid_target:
  - PID 2404 set thread context of 2720 (2404 explorer.exe, target 31)
  - PID 2676 set thread context of 2664 (2676 sqlserver.exe, target 34)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe, explorer.exe, AppLaunch.exe, igfpers.exe, sqlserver.exe, AppLaunch.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 2404 explorer.exe, 2648 igfpers.exe, 2676 sqlserver.exe (the same three processes recur across all 64 IoCs)
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege for 2192 JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe; 2404 explorer.exe; 2648 igfpers.exe; 2676 sqlserver.exe
  - 2720 AppLaunch.exe and 2664 AppLaunch.exe each adjusted the following tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process: 2720 AppLaunch.exe
- Suspicious use of WriteProcessMemory (44 IoCs)
  description / pid / Process / procid_target (repeated identical entries collapsed, count in parentheses):
  - PID 2192 (JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe) wrote to memory of 2404, target 30 (4)
  - PID 2404 (explorer.exe) wrote to memory of 2720, target 31 (16)
  - PID 2404 (explorer.exe) wrote to memory of 2648, target 32 (4)
  - PID 2648 (igfpers.exe) wrote to memory of 2676, target 33 (4)
  - PID 2676 (sqlserver.exe) wrote to memory of 2664, target 34 (16)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe (level 1, PID 2192)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe (level 2, PID 2404)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (level 3, PID 2720)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\System\igfpers.exe (level 3, PID 2648)
      command line: "C:\Users\Admin\AppData\Local\Temp\System\igfpers.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\System\sqlserver.exe (level 4, PID 2676)
        command line: "C:\Users\Admin\AppData\Local\Temp\System\sqlserver.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (level 5, PID 2664)
          command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 84B
  - MD5: 8c381b88e633b152ed7a1205cbff748a
  - SHA1: 36a1ee7236de78747f0ce1e7fcbbbf1bccb844e2
  - SHA256: ed6cfd5c7b306ffe6f3bdeb7d7011e6fe9ce592006b28d2f4b683148b4b2a8ca
  - SHA512: 9574e44f14add7b35fe43a4736bb5cd4c7bee207350b47504328d3ac939b2c050feffb248fccc9188c2f0c04d348c3b62a447ab8cbaa16f1b570d86f4def7ecd
- File 2
  - Filesize: 36KB
  - MD5: 3947d1ec4b3921ee45dc615cdb41289a
  - SHA1: 050df6cda2476da1f7f1594985b6add5ccf51d02
  - SHA256: c1facc2d77e87d8210e74029e639b05dd7482aa2b1eb2e7cc7699ec45aa96b71
  - SHA512: 03313943fe821fbf5b099a9fa329f9f2fce8489bb48084c40ac852fa20e9d685aeaad26888e88791f66f477ac04dc0db318344eed7c81b7062cddb2f497bc333
- File 3 (same hashes as the submitted sample)
  - Filesize: 718KB
  - MD5: b24fe9f75a54f69e549e663955428014
  - SHA1: 903a55a40827c4ec9d171b2acb5e372e42fcccfb
  - SHA256: 44c8432c6320b43a0d6020ead65ad2f218931c7038969702a0ffbfa862b65c61
  - SHA512: 4e73ff762270f379bd21c6aae7e39f1f871390ea34585380b0517507931d425608d36271ce459e5767499cf0df91a6698b866fa1644ad9a088f2695ed3b6d825