400ac1638afa04623eb1c9348938457d69288d51ee9cd2e85d8ff35d6b50844b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac7708ade63c4134f5a485256efa4be_JaffaCakes118.exe
Size

55KB
MD5

eac7708ade63c4134f5a485256efa4be
SHA1

5fb8aaf18c2ad459e73022cdb8d32ba15d964aba
SHA256

400ac1638afa04623eb1c9348938457d69288d51ee9cd2e85d8ff35d6b50844b
SHA512

19e1e312711c3f6854637fcc99b790416f93d444338bd16b4340aa4054f844e2774443fa55eb2e2db13f44ae2983ee97998dcf0e33208265577e0f0755b3ef19
SSDEEP

1536:nwT3m7s5Wrkuz6rRmlu4gk7IjXqJbvzNQ1m3xI:nwTAs5WQuyk7iXwLN62I

Score

7^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\xaAAAAA.dll	eac7708ade63c4134f5a485256efa4be_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2060	Process not Found

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\xaAAAAA.dll	eac7708ade63c4134f5a485256efa4be_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac7708ade63c4134f5a485256efa4be_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eac7708ade63c4134f5a485256efa4be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac7708ade63c4134f5a485256efa4be_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Print Processors
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\spool\prtprocs\x64\xaAAAAA.dll

Filesize
9KB

MD5
3022a4133a3aeb63469d0d6622166f62

SHA1
9f6ce857c7cc3ce056ef535d0ef0955e43722c86

SHA256
b91c677e48439538bae66abd5f059aa035cc4bf6dd1f6692f1c1c9d353511f2d

SHA512
4a61883c279d3d57f09d81a87c9c5ceff8a3690ac00be3e761c4da73d06df5564f6e50a1783cac2888d67c34fd97c80414c8512c38978a36ab8e59286d47748e

Download Submit
memory/220-0-0x0000000002160000-0x0000000002163000-memory.dmp

Filesize
12KB

Download
memory/220-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads