a74bf22e47c20c78518b9af30bf27f0d2fd44da2dbfb2f9c1a377298e91f31a0

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 07:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

48e60a9ca7d86276d242e1281a0051e2_JaffaCakes118.exe
Size

28KB
MD5

48e60a9ca7d86276d242e1281a0051e2
SHA1

512fb797deec1dd4e6f132879b3df96e26d836f7
SHA256

a74bf22e47c20c78518b9af30bf27f0d2fd44da2dbfb2f9c1a377298e91f31a0
SHA512

08a6841fe68ee9363d74544c1b4178a18663c69799b1c34c89d51f3967ba5e1095d3f00415121486ef4fe9fae483d49efd1ea910a289e56ce7c804fab30d986f
SSDEEP

384:T75JH9HFE7kv3Fhm0aP/iT8BB2onW5wfnRcB3OQ8E03HJAeWzFUKZa:3E7Ozm038vnWgnRcBeQ8rCzpUKk

Score

7^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Print Processors 1 TTPs 2 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File created	C:\Windows\system32\spool\PRTPROCS\x64\xY3cE93kUO.dll	48e60a9ca7d86276d242e1281a0051e2_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\xY3cE93kUO.dll	48e60a9ca7d86276d242e1281a0051e2_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\xY3cE93kUO.dll	48e60a9ca7d86276d242e1281a0051e2_JaffaCakes118.exe
File created	C:\Windows\system32\spool\PRTPROCS\x64\xY3cE93kUO.dll	48e60a9ca7d86276d242e1281a0051e2_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1740	48e60a9ca7d86276d242e1281a0051e2_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1740	48e60a9ca7d86276d242e1281a0051e2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\48e60a9ca7d86276d242e1281a0051e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48e60a9ca7d86276d242e1281a0051e2_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Print Processors
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1740-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1740-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads