ad5b8a848bcf13ced28fc596d10c5a4806166e44088ab0cb6730ab048f477001

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86166e34b556f20265b88c144152b94a_JaffaCakes118.exe
Size

80KB
MD5

86166e34b556f20265b88c144152b94a
SHA1

621976037eb4db0b7324f95550947ca80a318163
SHA256

ad5b8a848bcf13ced28fc596d10c5a4806166e44088ab0cb6730ab048f477001
SHA512

f998321c44b7b4590da1b9aee337bb4740fac6a2d4e9546789b43a92b59e4fc42066fb05dfd2d0693ed458f778e51c58eeec7792eda2bef8c88ac93b06cb710d
SSDEEP

1536:I0DPHv8U7V3i7wWFzWtdkQPTDER74qc5iNCfV2iRk7Lf:JDfv86Ji8gITIxk3fVA7

Score

7^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\3218.tmp	86166e34b556f20265b88c144152b94a_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\3218.tmp	86166e34b556f20265b88c144152b94a_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3040	86166e34b556f20265b88c144152b94a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3040	86166e34b556f20265b88c144152b94a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\86166e34b556f20265b88c144152b94a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\86166e34b556f20265b88c144152b94a_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Print Processors
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3040-0-0x0000000000820000-0x0000000000837000-memory.dmp

Filesize
92KB

Download
memory/3040-6-0x0000000000270000-0x0000000000287000-memory.dmp

Filesize
92KB

Download
memory/3040-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads