71c1fdba1d92a6a5fd0e5326b864939bcf071dcad72a9b134f8ce28a4cdb86bf

Analysis

max time kernel
137s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe
Size

70KB
MD5

43b16cd3ee1d5dd38bf4049ebc1363b9
SHA1

5fc479406b5ccde8ada4974130c575423a6d385b
SHA256

71c1fdba1d92a6a5fd0e5326b864939bcf071dcad72a9b134f8ce28a4cdb86bf
SHA512

7d594324c4ed293c02d5681f26239f96a550ae8bea7785377cfbe91f4b085eddb7c3d9d71d96ac8542f567f60337346e44107f4efae29c9e4ba91e06d32cb217
SSDEEP

1536:VxfbiHGRDMxK/lZj4iUw4O0apKIvOAP5xBiXTewThSWPrS2Lf5uRR:VlmmRQ2ZjExYpxwaQ0n2D5YR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2424	winzm.exe
2712	winzm.exe
2928	winzm.exe
1848	winzm.exe
2780	winzm.exe
668	winzm.exe
776	winzm.exe
2140	winzm.exe
2168	winzm.exe
2060	winzm.exe

Loads dropped DLL 20 IoCs

pid	Process
2860	43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe
2860	43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe
2424	winzm.exe
2424	winzm.exe
2712	winzm.exe
2712	winzm.exe
2928	winzm.exe
2928	winzm.exe
1848	winzm.exe
1848	winzm.exe
2780	winzm.exe
2780	winzm.exe
668	winzm.exe
668	winzm.exe
776	winzm.exe
776	winzm.exe
2140	winzm.exe
2140	winzm.exe
2168	winzm.exe
2168	winzm.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2424	2860	43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2424	2860	43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2424	2860	43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2424	2860	43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe	30
PID 2424 wrote to memory of 2712	2424	winzm.exe	31
PID 2424 wrote to memory of 2712	2424	winzm.exe	31
PID 2424 wrote to memory of 2712	2424	winzm.exe	31
PID 2424 wrote to memory of 2712	2424	winzm.exe	31
PID 2712 wrote to memory of 2928	2712	winzm.exe	33
PID 2712 wrote to memory of 2928	2712	winzm.exe	33
PID 2712 wrote to memory of 2928	2712	winzm.exe	33
PID 2712 wrote to memory of 2928	2712	winzm.exe	33
PID 2928 wrote to memory of 1848	2928	winzm.exe	34
PID 2928 wrote to memory of 1848	2928	winzm.exe	34
PID 2928 wrote to memory of 1848	2928	winzm.exe	34
PID 2928 wrote to memory of 1848	2928	winzm.exe	34
PID 1848 wrote to memory of 2780	1848	winzm.exe	35
PID 1848 wrote to memory of 2780	1848	winzm.exe	35
PID 1848 wrote to memory of 2780	1848	winzm.exe	35
PID 1848 wrote to memory of 2780	1848	winzm.exe	35
PID 2780 wrote to memory of 668	2780	winzm.exe	36
PID 2780 wrote to memory of 668	2780	winzm.exe	36
PID 2780 wrote to memory of 668	2780	winzm.exe	36
PID 2780 wrote to memory of 668	2780	winzm.exe	36
PID 668 wrote to memory of 776	668	winzm.exe	37
PID 668 wrote to memory of 776	668	winzm.exe	37
PID 668 wrote to memory of 776	668	winzm.exe	37
PID 668 wrote to memory of 776	668	winzm.exe	37
PID 776 wrote to memory of 2140	776	winzm.exe	38
PID 776 wrote to memory of 2140	776	winzm.exe	38
PID 776 wrote to memory of 2140	776	winzm.exe	38
PID 776 wrote to memory of 2140	776	winzm.exe	38
PID 2140 wrote to memory of 2168	2140	winzm.exe	39
PID 2140 wrote to memory of 2168	2140	winzm.exe	39
PID 2140 wrote to memory of 2168	2140	winzm.exe	39
PID 2140 wrote to memory of 2168	2140	winzm.exe	39
PID 2168 wrote to memory of 2060	2168	winzm.exe	40
PID 2168 wrote to memory of 2060	2168	winzm.exe	40
PID 2168 wrote to memory of 2060	2168	winzm.exe	40
PID 2168 wrote to memory of 2060	2168	winzm.exe	40

C:\Users\Admin\AppData\Local\Temp\43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\winzm.exe
  C:\Windows\system32\winzm.exe 472 "C:\Users\Admin\AppData\Local\Temp\43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\winzm.exe
    C:\Windows\system32\winzm.exe 536 "C:\Windows\SysWOW64\winzm.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\winzm.exe
      C:\Windows\system32\winzm.exe 548 "C:\Windows\SysWOW64\winzm.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\SysWOW64\winzm.exe
        
        C:\Windows\system32\winzm.exe 528 "C:\Windows\SysWOW64\winzm.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1848
      - C:\Windows\SysWOW64\winzm.exe
        
        C:\Windows\system32\winzm.exe 532 "C:\Windows\SysWOW64\winzm.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\winzm.exe
        
        C:\Windows\system32\winzm.exe 540 "C:\Windows\SysWOW64\winzm.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\SysWOW64\winzm.exe
        
        C:\Windows\system32\winzm.exe 544 "C:\Windows\SysWOW64\winzm.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\winzm.exe
        
        C:\Windows\system32\winzm.exe 560 "C:\Windows\SysWOW64\winzm.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\winzm.exe
        
        C:\Windows\system32\winzm.exe 552 "C:\Windows\SysWOW64\winzm.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\winzm.exe
        
        C:\Windows\system32\winzm.exe 556 "C:\Windows\SysWOW64\winzm.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\winzm.exe

Filesize
70KB

MD5
43b16cd3ee1d5dd38bf4049ebc1363b9

SHA1
5fc479406b5ccde8ada4974130c575423a6d385b

SHA256
71c1fdba1d92a6a5fd0e5326b864939bcf071dcad72a9b134f8ce28a4cdb86bf

SHA512
7d594324c4ed293c02d5681f26239f96a550ae8bea7785377cfbe91f4b085eddb7c3d9d71d96ac8542f567f60337346e44107f4efae29c9e4ba91e06d32cb217

Download Submit
memory/668-67-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/668-63-0x00000000027F0000-0x0000000002872000-memory.dmp

Filesize
520KB

Download
memory/776-64-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/776-75-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/776-71-0x0000000002990000-0x0000000002A12000-memory.dmp

Filesize
520KB

Download
memory/776-65-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/1848-48-0x0000000002580000-0x0000000002602000-memory.dmp

Filesize
520KB

Download
memory/1848-42-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/1848-52-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/1848-47-0x0000000002580000-0x0000000002602000-memory.dmp

Filesize
520KB

Download
memory/1848-40-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2060-88-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2140-82-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2140-73-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2140-72-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2168-86-0x00000000025B0000-0x0000000002632000-memory.dmp

Filesize
520KB

Download
memory/2168-87-0x00000000025B0000-0x0000000002632000-memory.dmp

Filesize
520KB

Download
memory/2168-79-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2168-81-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2168-90-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2424-21-0x0000000002970000-0x00000000029F2000-memory.dmp

Filesize
520KB

Download
memory/2424-26-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2424-22-0x0000000002970000-0x00000000029F2000-memory.dmp

Filesize
520KB

Download
memory/2712-23-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2712-34-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2712-24-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2712-30-0x0000000001E10000-0x0000000001E92000-memory.dmp

Filesize
520KB

Download
memory/2780-59-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2780-55-0x0000000002550000-0x00000000025D2000-memory.dmp

Filesize
520KB

Download
memory/2780-49-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2780-51-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2860-1-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2860-8-0x00000000025B0000-0x0000000002632000-memory.dmp

Filesize
520KB

Download
memory/2860-17-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2860-0-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2928-43-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2928-38-0x0000000002080000-0x0000000002102000-memory.dmp

Filesize
520KB

Download
memory/2928-39-0x0000000002080000-0x0000000002102000-memory.dmp

Filesize
520KB

Download
memory/2928-31-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads