63aa0b76188e252c468fda0a680348cb7fb8e46ab593f8b5f566e6baa191f530

Analysis

max time kernel
111s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaafc2317a215bbabdfa01fdc1e6cb2c_JaffaCakes118.exe
Size

115KB
MD5

eaafc2317a215bbabdfa01fdc1e6cb2c
SHA1

10feff2ec25d009149322ed9ca5c6b7a18bb8434
SHA256

63aa0b76188e252c468fda0a680348cb7fb8e46ab593f8b5f566e6baa191f530
SHA512

ac1ff1642e58a487d33a0dd83b0fc0c7b25f7199ca3243f71abd68e81443ac8fae6949d58049872bee283856b6f0c82d6d103d509ff7a35d7528694280d40c6c
SSDEEP

3072:/GaK4XabO7xlI8r9iJw7AzAAn/6asu1TUybroaUKZt:xpCzAiAu14yfoFKZ

Score

7^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\xq79317.dll	eaafc2317a215bbabdfa01fdc1e6cb2c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
272	Process not Found

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\xq79317.dll	eaafc2317a215bbabdfa01fdc1e6cb2c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaafc2317a215bbabdfa01fdc1e6cb2c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eaafc2317a215bbabdfa01fdc1e6cb2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaafc2317a215bbabdfa01fdc1e6cb2c_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Print Processors
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\System32\spool\prtprocs\x64\xq79317.dll

Filesize
9KB

MD5
bf50e54394b0e6d953a1cd223559830d

SHA1
80f4a61b3efdfc281e32a3fd1177e6bda9005722

SHA256
2b2e153954403e2f5bd5dfafe8e9617e35225b5c036de8f17deccf67f9b0f125

SHA512
054b66e58c267f39eb204a435273116fc98c09f7b718c2e48f0ec9abdc26f66189f95b7e034e0c3998cca4628c0d08eec22848648e71eb5a5b448eb108b4c5ae

Download Submit
memory/1840-0-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1840-1-0x0000000077BE0000-0x0000000077BE1000-memory.dmp

Filesize
4KB

Download
memory/1840-5-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads