d0c1004d49d15ad858e16a326fedb4784282d0c80a80675585f8e8f0f56b2fae

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2014029cd2880dc129e3da360556231_JaffaCakes118.exe
Size

851KB
MD5

a2014029cd2880dc129e3da360556231
SHA1

49d2648820cb49b673f693be778cae0619a1355d
SHA256

d0c1004d49d15ad858e16a326fedb4784282d0c80a80675585f8e8f0f56b2fae
SHA512

32398cfe40bd0bb765f8bb0eb28133c0e1764ba382f4bed4e84d00c9a1eaa53286209887239348f287418567694a4c48a084924c0aeb148c49012f0254605aaa
SSDEEP

24576:kTwkYiYDMozoEcgHjhg/HNoE/vH+rOBbBB:kTwktYDQ2jLAH+rOxBB

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	3076	dw20.exe
Token: SeBackupPrivilege	3076	dw20.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3076	3012	a2014029cd2880dc129e3da360556231_JaffaCakes118.exe	85
PID 3012 wrote to memory of 3076	3012	a2014029cd2880dc129e3da360556231_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\a2014029cd2880dc129e3da360556231_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2014029cd2880dc129e3da360556231_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 812
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3012-0-0x00007FF9A8D55000-0x00007FF9A8D56000-memory.dmp

Filesize
4KB

Download
memory/3012-1-0x00007FF9A8AA0000-0x00007FF9A9441000-memory.dmp

Filesize
9.6MB

Download
memory/3012-2-0x000000001BBA0000-0x000000001BBE0000-memory.dmp

Filesize
256KB

Download
memory/3012-4-0x00007FF9A8AA0000-0x00007FF9A9441000-memory.dmp

Filesize
9.6MB

Download
memory/3012-3-0x000000001BD00000-0x000000001BDA6000-memory.dmp

Filesize
664KB

Download
memory/3012-5-0x000000001C280000-0x000000001C74E000-memory.dmp

Filesize
4.8MB

Download
memory/3012-12-0x00007FF9A8AA0000-0x00007FF9A9441000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads