bdd58f4fc497bff11930ccfc74cf08ae8d2c9937b87dadc7da2e361425c65ffc

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 11:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b76af86a8f2407f11ecd4877274917b8_JaffaCakes118.exe
Size

115KB
MD5

b76af86a8f2407f11ecd4877274917b8
SHA1

ebb30849c70022d965b767a269d16d9040d926da
SHA256

bdd58f4fc497bff11930ccfc74cf08ae8d2c9937b87dadc7da2e361425c65ffc
SHA512

49a1cf8d6a4d646b9d593bd42101ac5c23b330ee93ea67d5c84215ebf5f959559f88c88dff2e6c2c055e8c1af54118c9700f841b561add94637b6a1f14ec1f69
SSDEEP

3072:PGaK4XabO7xlI8r9iJw7AzAAn/6asu1TUybroaUKZt:BpCzAiAu14yfoFKZ

Score

7^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\xgMY5c.dll	b76af86a8f2407f11ecd4877274917b8_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1040	Process not Found

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\xgMY5c.dll	b76af86a8f2407f11ecd4877274917b8_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b76af86a8f2407f11ecd4877274917b8_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b76af86a8f2407f11ecd4877274917b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b76af86a8f2407f11ecd4877274917b8_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Print Processors
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\System32\spool\prtprocs\x64\xgMY5c.dll

Filesize
9KB

MD5
5ab014e21ac112c435e10d83da8e7913

SHA1
79f7fc1c7858a0d9b23db5abac37fdcfd8ba2d9b

SHA256
ef9a9992310c1384c353d4a10d73d451263f1df52c6b67e6286f3f87392920e0

SHA512
a41aab5d3e4ebd4e09725834cc330c386fceda669aa25f1398133111bb8443bb7d13d6738610b945c163fb0905c78556ef1d857e26b44f7bd41bf52ad2acd98f

Download Submit
memory/2924-0-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2924-1-0x0000000077690000-0x0000000077691000-memory.dmp

Filesize
4KB

Download
memory/2924-5-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads