Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
12-07-2024 19:49
Static task
static1
Behavioral task
behavioral1
Sample
3ea6b1dbfe89146e7fa0fdc935af4b2b_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
3ea6b1dbfe89146e7fa0fdc935af4b2b_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
3ea6b1dbfe89146e7fa0fdc935af4b2b_JaffaCakes118.exe
-
Size
124KB
-
MD5
3ea6b1dbfe89146e7fa0fdc935af4b2b
-
SHA1
a90820150dd19ba9ff2cce95ea738067a08be131
-
SHA256
cd5f0e40fba2d2500c0eae95c313c56e530fa0f118a20682cc66dca1dc367666
-
SHA512
67e8a1c4dc3bb9e0ac97f8307d2db33c83e9902b00eb5be1093172604edd50d19bae936d1e37825fe78a6d1a2a3b0177995f8153e4d823c01be0cd5061008e04
-
SSDEEP
3072:eFZp65wa4mgj+zUGnIKCAu8wDC66hYjBRJPPD+pkoUWhG0r9:yZpmsj9ifPPXhU/JPL+X00
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Print Processors 1 TTPs 2 IoCs
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
description ioc Process File created C:\Windows\system32\spool\PRTPROCS\x64\YWS1eI3.dll 3ea6b1dbfe89146e7fa0fdc935af4b2b_JaffaCakes118.exe File opened for modification C:\Windows\system32\spool\PRTPROCS\x64\YWS1eI3.dll 3ea6b1dbfe89146e7fa0fdc935af4b2b_JaffaCakes118.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32\spool\PRTPROCS\x64\YWS1eI3.dll 3ea6b1dbfe89146e7fa0fdc935af4b2b_JaffaCakes118.exe File created C:\Windows\system32\spool\PRTPROCS\x64\YWS1eI3.dll 3ea6b1dbfe89146e7fa0fdc935af4b2b_JaffaCakes118.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2072 3ea6b1dbfe89146e7fa0fdc935af4b2b_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ea6b1dbfe89146e7fa0fdc935af4b2b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3ea6b1dbfe89146e7fa0fdc935af4b2b_JaffaCakes118.exe"1⤵
- Boot or Logon Autostart Execution: Print Processors
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
PID:2072