Analysis

- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-02-2025 03:09

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe
Resource: win7-20240708-en
General

- Target: JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe
- Size: 718KB
- MD5: b24fe9f75a54f69e549e663955428014
- SHA1: 903a55a40827c4ec9d171b2acb5e372e42fcccfb
- SHA256: 44c8432c6320b43a0d6020ead65ad2f218931c7038969702a0ffbfa862b65c61
- SHA512: 4e73ff762270f379bd21c6aae7e39f1f871390ea34585380b0517507931d425608d36271ce459e5767499cf0df91a6698b866fa1644ad9a088f2695ed3b6d825
- SSDEEP: 12288:2hcW7U/HYD5q7c/WCMHV2+awfiIHicRN0Dc9loeXDhOWy:2hc2q4VqY+zU+zLKIlLhOR
Malware Config
Signatures
-
Darkcomet family
-
Hawkeye family
-
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation | JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation | explorer.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation | igfpers.exe |

Deletes itself (1 IoCs)

| pid | Process |
|---|---|
| 1332 | explorer.exe |

Executes dropped EXE (3 IoCs)

| pid | Process |
|---|---|
| 1332 | explorer.exe |
| 3636 | igfpers.exe |
| 4764 | sqlserver.exe |

Adds Run key to start application (2 TTPs, 1 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA User Experience Driver Component = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\igfpers.exe" | igfpers.exe |

Suspicious use of SetThreadContext (2 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1332 set thread context of 5084 | 1332 | explorer.exe | 87 |
| PID 4764 set thread context of 1104 | 4764 | sqlserver.exe | 90 |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sqlserver.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfpers.exe |

Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 hits are repeated occurrences of the same three processes:

| pid | Process |
|---|---|
| 1332 | explorer.exe |
| 3636 | igfpers.exe |
| 4764 | sqlserver.exe |

Suspicious use of AdjustPrivilegeToken (52 IoCs)

| pid | Process | Token(s) |
|---|---|---|
| 2584 | JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe | SeDebugPrivilege |
| 1332 | explorer.exe | SeDebugPrivilege |
| 5084 | AppLaunch.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 |
| 3636 | igfpers.exe | SeDebugPrivilege |
| 4764 | sqlserver.exe | SeDebugPrivilege |
| 1104 | AppLaunch.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 |

Suspicious use of SetWindowsHookEx (1 IoCs)

| pid | Process |
|---|---|
| 5084 | AppLaunch.exe |

Suspicious use of WriteProcessMemory (37 IoCs)
The 37 hits collapse to five distinct parent-to-child writes (occurrence count in the last column):

| description | pid | Process | procid_target | hits |
|---|---|---|---|---|
| PID 2584 wrote to memory of 1332 | 2584 | JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe | 86 | 3 |
| PID 1332 wrote to memory of 5084 | 1332 | explorer.exe | 87 | 14 |
| PID 1332 wrote to memory of 3636 | 1332 | explorer.exe | 88 | 3 |
| PID 3636 wrote to memory of 4764 | 3636 | igfpers.exe | 89 | 3 |
| PID 4764 wrote to memory of 1104 | 4764 | sqlserver.exe | 90 | 14 |
Processes

- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe (PID 2584)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b24fe9f75a54f69e549e663955428014.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe (PID 1332)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (PID 5084)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\System\igfpers.exe (PID 3636)
      Command line: "C:\Users\Admin\AppData\Local\Temp\System\igfpers.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\System\sqlserver.exe (PID 4764)
        Command line: "C:\Users\Admin\AppData\Local\Temp\System\sqlserver.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (PID 1104)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

| Filesize | MD5 | SHA1 | SHA256 | SHA512 |
|---|---|---|---|---|
| 84B | 8c381b88e633b152ed7a1205cbff748a | 36a1ee7236de78747f0ce1e7fcbbbf1bccb844e2 | ed6cfd5c7b306ffe6f3bdeb7d7011e6fe9ce592006b28d2f4b683148b4b2a8ca | 9574e44f14add7b35fe43a4736bb5cd4c7bee207350b47504328d3ac939b2c050feffb248fccc9188c2f0c04d348c3b62a447ab8cbaa16f1b570d86f4def7ecd |
| 36KB | 3947d1ec4b3921ee45dc615cdb41289a | 050df6cda2476da1f7f1594985b6add5ccf51d02 | c1facc2d77e87d8210e74029e639b05dd7482aa2b1eb2e7cc7699ec45aa96b71 | 03313943fe821fbf5b099a9fa329f9f2fce8489bb48084c40ac852fa20e9d685aeaad26888e88791f66f477ac04dc0db318344eed7c81b7062cddb2f497bc333 |
| 718KB | b24fe9f75a54f69e549e663955428014 | 903a55a40827c4ec9d171b2acb5e372e42fcccfb | 44c8432c6320b43a0d6020ead65ad2f218931c7038969702a0ffbfa862b65c61 | 4e73ff762270f379bd21c6aae7e39f1f871390ea34585380b0517507931d425608d36271ce459e5767499cf0df91a6698b866fa1644ad9a088f2695ed3b6d825 |