a2d08018d13895342890f096ff1e072694910b8bedbef9e8b2463463599b4959

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe
Size

617KB
MD5

664d59e6abd751b006cf2df0e32600a4
SHA1

755f1163a7568f2bba4e397392c87ba480848deb
SHA256

a2d08018d13895342890f096ff1e072694910b8bedbef9e8b2463463599b4959
SHA512

089671de1bc60c980ea9ad43b8d066d2a3691e9ee396d185fe4fa4ae03cc844f77fd2fb8c7727127bd741b42f447bc6e04aa72adf3e2da70d28e83d919a72fb6
SSDEEP

6144:iiToL+5dbM74wLeQs6LpjzBWVDp6WqRQEB417STvM01XM/k9o+gluwtDQE/xGcQF:3ejlQwfNK55tSno

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2276	Pzimaa.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2352-0-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2352-14-0x0000000002300000-0x000000000239C000-memory.dmp	upx
behavioral1/files/0x0008000000016d55-12.dat	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe
File created	C:\Windows\Pzimaa.exe	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe
File opened for modification	C:\Windows\Pzimaa.exe	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Pzimaa.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Pzimaa.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	Pzimaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe
2276	Pzimaa.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2352	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe
2276	Pzimaa.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2352	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe
2276	Pzimaa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2276	2352	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2276	2352	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2276	2352	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2276	2352	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\Pzimaa.exe
  C:\Windows\Pzimaa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Pzimaa.exe

Filesize
617KB

MD5
664d59e6abd751b006cf2df0e32600a4

SHA1
755f1163a7568f2bba4e397392c87ba480848deb

SHA256
a2d08018d13895342890f096ff1e072694910b8bedbef9e8b2463463599b4959

SHA512
089671de1bc60c980ea9ad43b8d066d2a3691e9ee396d185fe4fa4ae03cc844f77fd2fb8c7727127bd741b42f447bc6e04aa72adf3e2da70d28e83d919a72fb6

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
372B

MD5
de68bb14460d9ca50c0f30208d40ee7f

SHA1
ddd6701b4e90eddcaf71a73a0bc02a2bf39a79de

SHA256
1a3df716c27bb7b95d3c6472b8db0a30d311a507ae0656eb447091a42e5770ad

SHA512
5ce3a62c671e704f2480d017524da09f675fc57797fafa2d8a5b8c7310ef0f2b945e3a5700431b83f8e457c17dd542a5cee67177f0c058fb2cbaabcaa8b62a35

Download Submit
memory/2276-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2276-47230-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2276-47231-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2352-0-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2352-1-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2352-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2352-3-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2352-15-0x0000000002300000-0x000000000239C000-memory.dmp

Filesize
624KB

Download
memory/2352-14-0x0000000002300000-0x000000000239C000-memory.dmp

Filesize
624KB

Download
memory/2352-47229-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download