eternity | 1b0c54e9fb3841917d4b392ecfc8b4aa039f00b04684cc141a718b022493ccea

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe
Size

4.8MB
MD5

2f95069e8373f2b35e59e6d6bd71e1d0
SHA1

fcbe39d44aee26450619bdffb671513e1296a283
SHA256

1b0c54e9fb3841917d4b392ecfc8b4aa039f00b04684cc141a718b022493ccea
SHA512

9ef838114a8cdbaa8e06bf9a0b45adc2047b9ce3e7c87cd6e87ee2133bdc07498b9ee8aa0f63a7f7412ef7d31f8837f63e6935c7bfd15ec6673f6f41f386ca48
SSDEEP

98304:7rONEVJyZlng4p2VbC2FQD9PvsXDW2stC5mn:SEVcn1pYFQDZcWXtC5

Score

10^/10

eternity stealer

Malware Config

Signatures

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2328-1-0x0000000000030000-0x00000000004EC000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe	2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe	2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2276	Extreme Injector v3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe
Token: SeDebugPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: SeDebugPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2276	Extreme Injector v3.exe
Token: 33	2276	Extreme Injector v3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2288	2328	2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2288	2328	2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2288	2328	2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2276	2328	2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe	32
PID 2328 wrote to memory of 2276	2328	2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe	32
PID 2328 wrote to memory of 2276	2328	2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2328 -s 1180
  2⤵
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\o3rrodhq.ynf\Extreme Injector v3.exe
  "C:\Users\Admin\AppData\Local\Temp\o3rrodhq.ynf\Extreme Injector v3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\o3rrodhq.ynf\Extreme Injector v3.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
memory/2276-14-0x00000000012A0000-0x0000000001486000-memory.dmp

Filesize
1.9MB

Download
memory/2276-13-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-29-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-28-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-27-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-26-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-30-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-22-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-31-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-15-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-17-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-25-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-24-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-20-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-21-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-6-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-23-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-19-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-18-0x000007FEF5293000-0x000007FEF5294000-memory.dmp

Filesize
4KB

Download
memory/2328-0-0x000007FEF5293000-0x000007FEF5294000-memory.dmp

Filesize
4KB

Download
memory/2328-5-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-4-0x000000001BA20000-0x000000001BC3E000-memory.dmp

Filesize
2.1MB

Download
memory/2328-3-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-2-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-1-0x0000000000030000-0x00000000004EC000-memory.dmp

Filesize
4.7MB

Download