eternity | 1b0c54e9fb3841917d4b392ecfc8b4aa039f00b04684cc141a718b022493ccea

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe
Size

4.8MB
MD5

2f95069e8373f2b35e59e6d6bd71e1d0
SHA1

fcbe39d44aee26450619bdffb671513e1296a283
SHA256

1b0c54e9fb3841917d4b392ecfc8b4aa039f00b04684cc141a718b022493ccea
SHA512

9ef838114a8cdbaa8e06bf9a0b45adc2047b9ce3e7c87cd6e87ee2133bdc07498b9ee8aa0f63a7f7412ef7d31f8837f63e6935c7bfd15ec6673f6f41f386ca48
SSDEEP

98304:7rONEVJyZlng4p2VbC2FQD9PvsXDW2stC5mn:SEVcn1pYFQDZcWXtC5

Score

10^/10

eternity stealer

Malware Config

Signatures

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/1940-1-0x00000000000B0000-0x000000000056C000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe	2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe	2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
912	Extreme Injector v3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe
Token: SeDebugPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: SeDebugPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	912	Extreme Injector v3.exe
Token: 33	912	Extreme Injector v3.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 912	1940	2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe	86
PID 1940 wrote to memory of 912	1940	2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f95069e8373f2b35e59e6d6bd71e1d0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\vecvhw1i.2a3\Extreme Injector v3.exe
  "C:\Users\Admin\AppData\Local\Temp\vecvhw1i.2a3\Extreme Injector v3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vecvhw1i.2a3\Extreme Injector v3.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
memory/912-23-0x00007FFD99F70000-0x00007FFD9AA31000-memory.dmp

Filesize
10.8MB

Download
memory/912-30-0x00007FFD99F70000-0x00007FFD9AA31000-memory.dmp

Filesize
10.8MB

Download
memory/912-29-0x00007FFD99F70000-0x00007FFD9AA31000-memory.dmp

Filesize
10.8MB

Download
memory/912-22-0x00007FFD99F70000-0x00007FFD9AA31000-memory.dmp

Filesize
10.8MB

Download
memory/912-28-0x00007FFD99F70000-0x00007FFD9AA31000-memory.dmp

Filesize
10.8MB

Download
memory/912-25-0x000000001DCA0000-0x000000001DCDC000-memory.dmp

Filesize
240KB

Download
memory/912-24-0x000000001DC40000-0x000000001DC52000-memory.dmp

Filesize
72KB

Download
memory/912-18-0x0000000000640000-0x0000000000826000-memory.dmp

Filesize
1.9MB

Download
memory/1940-1-0x00000000000B0000-0x000000000056C000-memory.dmp

Filesize
4.7MB

Download
memory/1940-3-0x00007FFD99F70000-0x00007FFD9AA31000-memory.dmp

Filesize
10.8MB

Download
memory/1940-4-0x000000001B380000-0x000000001B59E000-memory.dmp

Filesize
2.1MB

Download
memory/1940-0-0x00007FFD99F73000-0x00007FFD99F75000-memory.dmp

Filesize
8KB

Download
memory/1940-19-0x00007FFD99F70000-0x00007FFD9AA31000-memory.dmp

Filesize
10.8MB

Download
memory/1940-2-0x000000001B020000-0x000000001B070000-memory.dmp

Filesize
320KB

Download
memory/1940-26-0x00007FFD99F70000-0x00007FFD9AA31000-memory.dmp

Filesize
10.8MB

Download
memory/1940-6-0x00007FFD99F70000-0x00007FFD9AA31000-memory.dmp

Filesize
10.8MB

Download
memory/1940-21-0x00007FFD99F70000-0x00007FFD9AA31000-memory.dmp

Filesize
10.8MB

Download
memory/1940-20-0x00007FFD99F70000-0x00007FFD9AA31000-memory.dmp

Filesize
10.8MB

Download