71c1fdba1d92a6a5fd0e5326b864939bcf071dcad72a9b134f8ce28a4cdb86bf

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 23:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe
Size

70KB
MD5

43b16cd3ee1d5dd38bf4049ebc1363b9
SHA1

5fc479406b5ccde8ada4974130c575423a6d385b
SHA256

71c1fdba1d92a6a5fd0e5326b864939bcf071dcad72a9b134f8ce28a4cdb86bf
SHA512

7d594324c4ed293c02d5681f26239f96a550ae8bea7785377cfbe91f4b085eddb7c3d9d71d96ac8542f567f60337346e44107f4efae29c9e4ba91e06d32cb217
SSDEEP

1536:VxfbiHGRDMxK/lZj4iUw4O0apKIvOAP5xBiXTewThSWPrS2Lf5uRR:VlmmRQ2ZjExYpxwaQ0n2D5YR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
3600	winzm.exe
2816	winzm.exe
444	winzm.exe
4448	winzm.exe
5004	winzm.exe
3512	winzm.exe
3140	winzm.exe
4280	winzm.exe
4916	winzm.exe
3180	winzm.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File opened for modification	C:\Windows\SysWOW64\winzm.exe	winzm.exe
File created	C:\Windows\SysWOW64\winzm.exe	winzm.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 3600	3688	43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe	83
PID 3688 wrote to memory of 3600	3688	43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe	83
PID 3688 wrote to memory of 3600	3688	43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe	83
PID 3600 wrote to memory of 2816	3600	winzm.exe	94
PID 3600 wrote to memory of 2816	3600	winzm.exe	94
PID 3600 wrote to memory of 2816	3600	winzm.exe	94
PID 2816 wrote to memory of 444	2816	winzm.exe	96
PID 2816 wrote to memory of 444	2816	winzm.exe	96
PID 2816 wrote to memory of 444	2816	winzm.exe	96
PID 444 wrote to memory of 4448	444	winzm.exe	99
PID 444 wrote to memory of 4448	444	winzm.exe	99
PID 444 wrote to memory of 4448	444	winzm.exe	99
PID 4448 wrote to memory of 5004	4448	winzm.exe	100
PID 4448 wrote to memory of 5004	4448	winzm.exe	100
PID 4448 wrote to memory of 5004	4448	winzm.exe	100
PID 5004 wrote to memory of 3512	5004	winzm.exe	102
PID 5004 wrote to memory of 3512	5004	winzm.exe	102
PID 5004 wrote to memory of 3512	5004	winzm.exe	102
PID 3512 wrote to memory of 3140	3512	winzm.exe	103
PID 3512 wrote to memory of 3140	3512	winzm.exe	103
PID 3512 wrote to memory of 3140	3512	winzm.exe	103
PID 3140 wrote to memory of 4280	3140	winzm.exe	112
PID 3140 wrote to memory of 4280	3140	winzm.exe	112
PID 3140 wrote to memory of 4280	3140	winzm.exe	112
PID 4280 wrote to memory of 4916	4280	winzm.exe	113
PID 4280 wrote to memory of 4916	4280	winzm.exe	113
PID 4280 wrote to memory of 4916	4280	winzm.exe	113
PID 4916 wrote to memory of 3180	4916	winzm.exe	114
PID 4916 wrote to memory of 3180	4916	winzm.exe	114
PID 4916 wrote to memory of 3180	4916	winzm.exe	114

C:\Users\Admin\AppData\Local\Temp\43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\SysWOW64\winzm.exe
  C:\Windows\system32\winzm.exe 1032 "C:\Users\Admin\AppData\Local\Temp\43b16cd3ee1d5dd38bf4049ebc1363b9_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\SysWOW64\winzm.exe
    C:\Windows\system32\winzm.exe 1152 "C:\Windows\SysWOW64\winzm.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\winzm.exe
      C:\Windows\system32\winzm.exe 1128 "C:\Windows\SysWOW64\winzm.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:444
    - - C:\Windows\SysWOW64\winzm.exe
        
        C:\Windows\system32\winzm.exe 1124 "C:\Windows\SysWOW64\winzm.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Windows\SysWOW64\winzm.exe
        
        C:\Windows\system32\winzm.exe 1136 "C:\Windows\SysWOW64\winzm.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\winzm.exe
        
        C:\Windows\system32\winzm.exe 1132 "C:\Windows\SysWOW64\winzm.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\winzm.exe
        
        C:\Windows\system32\winzm.exe 1140 "C:\Windows\SysWOW64\winzm.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\winzm.exe
        
        C:\Windows\system32\winzm.exe 1144 "C:\Windows\SysWOW64\winzm.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\winzm.exe
        
        C:\Windows\system32\winzm.exe 1148 "C:\Windows\SysWOW64\winzm.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\winzm.exe
        
        C:\Windows\system32\winzm.exe 1164 "C:\Windows\SysWOW64\winzm.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winzm.exe

Filesize
70KB

MD5
43b16cd3ee1d5dd38bf4049ebc1363b9

SHA1
5fc479406b5ccde8ada4974130c575423a6d385b

SHA256
71c1fdba1d92a6a5fd0e5326b864939bcf071dcad72a9b134f8ce28a4cdb86bf

SHA512
7d594324c4ed293c02d5681f26239f96a550ae8bea7785377cfbe91f4b085eddb7c3d9d71d96ac8542f567f60337346e44107f4efae29c9e4ba91e06d32cb217

Download Submit
memory/444-20-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/444-27-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/444-19-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2816-16-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2816-22-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/2816-14-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/3140-47-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/3140-41-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/3512-42-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/3512-36-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/3600-10-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/3600-9-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/3600-17-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/3688-1-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/3688-12-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/3688-0-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/4280-46-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/4280-52-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/4448-26-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/4448-24-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/4448-32-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/4916-49-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/4916-50-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/4916-56-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/5004-37-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/5004-31-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download
memory/5004-29-0x0000000000400000-0x0000000000481884-memory.dmp

Filesize
518KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads