689669a16d8867e85a38979ff0b3cdb058cc5a97a1b8ad62fcfadf0640a429ae

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5ef171b81407406673ffc25fb88ed05_JaffaCakes118.exe
Size

115KB
MD5

d5ef171b81407406673ffc25fb88ed05
SHA1

b56138729fe47f9b60caf37064d96138b8631a37
SHA256

689669a16d8867e85a38979ff0b3cdb058cc5a97a1b8ad62fcfadf0640a429ae
SHA512

74d4ec169d26206702d8e1282774d03da0a805e0757a3a58abeb0f1634af662ee7c3653465243eb55e48eedae37a37bcbee685b6f4c3a9462032e0f2ddbc398e
SSDEEP

3072:SGaK4XabO7xlI8r9iJw7AzAAn/6asu1TUybroaUKZt:MpCzAiAu14yfoFKZ

Score

7^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\xq79c1s.dll	d5ef171b81407406673ffc25fb88ed05_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
292	Process not Found

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\xq79c1s.dll	d5ef171b81407406673ffc25fb88ed05_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5ef171b81407406673ffc25fb88ed05_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d5ef171b81407406673ffc25fb88ed05_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5ef171b81407406673ffc25fb88ed05_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Print Processors
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\System32\spool\prtprocs\x64\xq79c1s.dll

Filesize
9KB

MD5
51760d218f943679226ee3911fdcbe3f

SHA1
087578a172e97beec34a2957ddf665123f4addb8

SHA256
281a47fbcf4581a8e632b78e297471487ef8619fcc4d5611b3976c92332b2fb2

SHA512
283bccec29a0bf71d063f03729e920f70daa52258375963746de7182c0acf42ad886ec764f81c8c43521de02391c4fa267b49295d87584e58d46d5b77f3e92da

Download Submit
memory/1016-1-0x00000000772B0000-0x00000000772B1000-memory.dmp

Filesize
4KB

Download
memory/1016-0-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1016-5-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads