7898b6cc8fbb7bbb477e563fe950aafb0b36e8ffcd6c34ebc21f15b7802b40f0

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f98dcdb4e8828ac45c70fc8987e9808a_JaffaCakes118.exe
Size

1.1MB
MD5

f98dcdb4e8828ac45c70fc8987e9808a
SHA1

f05b3b7ab781a33b3fcc4ecf97fc20a40e4d7200
SHA256

7898b6cc8fbb7bbb477e563fe950aafb0b36e8ffcd6c34ebc21f15b7802b40f0
SHA512

8b6126a2eb58ab51cba5c1699e8c21bc7f1856761f9699279360a5059e2d1eaafdf5162cfda50c0918e7682aa9f6c36c3bfa9bd905480d0e5674eef0fe329084
SSDEEP

24576:YFJDqRTJwr3rVrthcIF4gN8BoYU/qPYWSAClp:Q/vzhcI96tPYWcb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3472	DomaIQ10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	3248	dw20.exe
Token: SeBackupPrivilege	3248	dw20.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3472	DomaIQ10.exe
3472	DomaIQ10.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 3472	5036	f98dcdb4e8828ac45c70fc8987e9808a_JaffaCakes118.exe	86
PID 5036 wrote to memory of 3472	5036	f98dcdb4e8828ac45c70fc8987e9808a_JaffaCakes118.exe	86
PID 3472 wrote to memory of 3248	3472	DomaIQ10.exe	87
PID 3472 wrote to memory of 3248	3472	DomaIQ10.exe	87

C:\Users\Admin\AppData\Local\Temp\f98dcdb4e8828ac45c70fc8987e9808a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f98dcdb4e8828ac45c70fc8987e9808a_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\DIQ\winamp_027\DomaIQ10.exe
  C:\Users\Admin\AppData\Local\Temp\DIQ\winamp_027\DomaIQ10.exe /path="C:\Users\Admin\AppData\Local\Temp\f98dcdb4e8828ac45c70fc8987e9808a_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 1288
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DIQ\winamp_027\DomaIQ10.exe

Filesize
342KB

MD5
fb89f7aec7eee5da3d46020e97dbd456

SHA1
6139d0a11e839d6d8ebed7b705f066ce8d01b82c

SHA256
708a36fb9ac327e54d7e38fd2ee663638a79067edd335526554aeee36ff71510

SHA512
4a9d79d34f94ea7fd481b27d552d3f33fafead909b7b4d50b82a06eaa3f3ef1f66c48ab193b5004ff21f1c185fb9b01e94160a7983c1232094671e6629e69efa

Download Submit
memory/3472-9-0x00007FF9698D0000-0x00007FF96A271000-memory.dmp

Filesize
9.6MB

Download
memory/3472-10-0x00007FF9698D0000-0x00007FF96A271000-memory.dmp

Filesize
9.6MB

Download
memory/3472-11-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/3472-12-0x0000000001180000-0x0000000001190000-memory.dmp

Filesize
64KB

Download
memory/3472-13-0x000000001BE00000-0x000000001C2CE000-memory.dmp

Filesize
4.8MB

Download
memory/3472-14-0x000000001BAD0000-0x000000001BB6C000-memory.dmp

Filesize
624KB

Download
memory/3472-15-0x0000000001130000-0x0000000001138000-memory.dmp

Filesize
32KB

Download
memory/3472-16-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/3472-17-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/3472-18-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/3472-19-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/3472-26-0x00007FF9698D0000-0x00007FF96A271000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads