c3ce83b231862167451915781f1c9c3e5f776ce6d0bf833d5222a11c68b89a3a

Analysis

max time kernel
93s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fe27a7228cd9916c54f74466d45a84a_JaffaCakes118.exe
Size

216KB
MD5

2fe27a7228cd9916c54f74466d45a84a
SHA1

262b9b1e6aefe9184f1dc3ede0d9f3fce343c4ea
SHA256

c3ce83b231862167451915781f1c9c3e5f776ce6d0bf833d5222a11c68b89a3a
SHA512

08a1c9ce7d81a25e737c681485d84d64bf3402be9092716d956d21ceb02d335b1df3b1311e3250faa3ebdd0c8380e6f28d0b6a261dd004c411a9370bf9de7257
SSDEEP

3072:0kqxP0eH76qHjnak+YYEIZH2ZUJ5s900IhR3cTV5E:0kqJQqHjavYRIBLsa0CRsZ

Score

7^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\2409606.tmp	2fe27a7228cd9916c54f74466d45a84a_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\2409606.tmp	2fe27a7228cd9916c54f74466d45a84a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fe27a7228cd9916c54f74466d45a84a_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2472	2fe27a7228cd9916c54f74466d45a84a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2fe27a7228cd9916c54f74466d45a84a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fe27a7228cd9916c54f74466d45a84a_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Print Processors
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2472-0-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2472-1-0x0000000002200000-0x000000000221B000-memory.dmp

Filesize
108KB

Download
memory/2472-2-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2472-3-0x0000000000402000-0x000000000047B000-memory.dmp

Filesize
484KB

Download
memory/2472-11-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2472-10-0x0000000002200000-0x000000000221B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads