baa43fc7770c969d7930c6d7be46b07974d79b91447aa5bdb9ac6447fc4faea1

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

952181a6efe06f561aa868c35952855e_JaffaCakes118.exe
Size

61KB
MD5

952181a6efe06f561aa868c35952855e
SHA1

fc16de002e24394e9cd0478c58009abef1824eee
SHA256

baa43fc7770c969d7930c6d7be46b07974d79b91447aa5bdb9ac6447fc4faea1
SHA512

c4db44b81b516a1cb6994770e847e1c0d6b8e45ef96671fba0d99877ce751168ba39c400852dc7f1b004da84a2f6c3af48e0edb4815a67ce5d9ef3a47c36b0db
SSDEEP

1536:9f4qqS7Ic8DNew3cBmdQlnpYaFgqJ42NE0Kz:prqSUFR2gilHKz

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
2732	mmdmm.exe
1896	mmdmm.exe
2140	mmdmm.exe
2424	mmdmm.exe
1572	mmdmm.exe
2392	mmdmm.exe
480	mmdmm.exe
2156	mmdmm.exe
1292	mmdmm.exe

Loads dropped DLL 18 IoCs

pid	Process
2372	952181a6efe06f561aa868c35952855e_JaffaCakes118.exe
2372	952181a6efe06f561aa868c35952855e_JaffaCakes118.exe
2732	mmdmm.exe
2732	mmdmm.exe
1896	mmdmm.exe
1896	mmdmm.exe
2140	mmdmm.exe
2140	mmdmm.exe
2424	mmdmm.exe
2424	mmdmm.exe
1572	mmdmm.exe
1572	mmdmm.exe
2392	mmdmm.exe
2392	mmdmm.exe
480	mmdmm.exe
480	mmdmm.exe
2156	mmdmm.exe
2156	mmdmm.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File opened for modification	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File created	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File opened for modification	C:\Windows\SysWOW64\mmdmm.exe	952181a6efe06f561aa868c35952855e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File created	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File created	C:\Windows\SysWOW64\mmdmm.exe	952181a6efe06f561aa868c35952855e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File opened for modification	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File created	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File opened for modification	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File opened for modification	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File opened for modification	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File opened for modification	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File created	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File opened for modification	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File created	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File opened for modification	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File opened for modification	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe
File created	C:\Windows\SysWOW64\mmdmm.exe	mmdmm.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmdmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	952181a6efe06f561aa868c35952855e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmdmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmdmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmdmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmdmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmdmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmdmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmdmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmdmm.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2732	2372	952181a6efe06f561aa868c35952855e_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2732	2372	952181a6efe06f561aa868c35952855e_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2732	2372	952181a6efe06f561aa868c35952855e_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2732	2372	952181a6efe06f561aa868c35952855e_JaffaCakes118.exe	31
PID 2732 wrote to memory of 1896	2732	mmdmm.exe	32
PID 2732 wrote to memory of 1896	2732	mmdmm.exe	32
PID 2732 wrote to memory of 1896	2732	mmdmm.exe	32
PID 2732 wrote to memory of 1896	2732	mmdmm.exe	32
PID 1896 wrote to memory of 2140	1896	mmdmm.exe	33
PID 1896 wrote to memory of 2140	1896	mmdmm.exe	33
PID 1896 wrote to memory of 2140	1896	mmdmm.exe	33
PID 1896 wrote to memory of 2140	1896	mmdmm.exe	33
PID 2140 wrote to memory of 2424	2140	mmdmm.exe	34
PID 2140 wrote to memory of 2424	2140	mmdmm.exe	34
PID 2140 wrote to memory of 2424	2140	mmdmm.exe	34
PID 2140 wrote to memory of 2424	2140	mmdmm.exe	34
PID 2424 wrote to memory of 1572	2424	mmdmm.exe	35
PID 2424 wrote to memory of 1572	2424	mmdmm.exe	35
PID 2424 wrote to memory of 1572	2424	mmdmm.exe	35
PID 2424 wrote to memory of 1572	2424	mmdmm.exe	35
PID 1572 wrote to memory of 2392	1572	mmdmm.exe	36
PID 1572 wrote to memory of 2392	1572	mmdmm.exe	36
PID 1572 wrote to memory of 2392	1572	mmdmm.exe	36
PID 1572 wrote to memory of 2392	1572	mmdmm.exe	36
PID 2392 wrote to memory of 480	2392	mmdmm.exe	37
PID 2392 wrote to memory of 480	2392	mmdmm.exe	37
PID 2392 wrote to memory of 480	2392	mmdmm.exe	37
PID 2392 wrote to memory of 480	2392	mmdmm.exe	37
PID 480 wrote to memory of 2156	480	mmdmm.exe	38
PID 480 wrote to memory of 2156	480	mmdmm.exe	38
PID 480 wrote to memory of 2156	480	mmdmm.exe	38
PID 480 wrote to memory of 2156	480	mmdmm.exe	38
PID 2156 wrote to memory of 1292	2156	mmdmm.exe	39
PID 2156 wrote to memory of 1292	2156	mmdmm.exe	39
PID 2156 wrote to memory of 1292	2156	mmdmm.exe	39
PID 2156 wrote to memory of 1292	2156	mmdmm.exe	39

C:\Users\Admin\AppData\Local\Temp\952181a6efe06f561aa868c35952855e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\952181a6efe06f561aa868c35952855e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\mmdmm.exe
  C:\Windows\system32\mmdmm.exe 468 "C:\Users\Admin\AppData\Local\Temp\952181a6efe06f561aa868c35952855e_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\mmdmm.exe
    C:\Windows\system32\mmdmm.exe 516 "C:\Windows\SysWOW64\mmdmm.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\mmdmm.exe
      C:\Windows\system32\mmdmm.exe 512 "C:\Windows\SysWOW64\mmdmm.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Windows\SysWOW64\mmdmm.exe
        
        C:\Windows\system32\mmdmm.exe 508 "C:\Windows\SysWOW64\mmdmm.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\SysWOW64\mmdmm.exe
        
        C:\Windows\system32\mmdmm.exe 524 "C:\Windows\SysWOW64\mmdmm.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\mmdmm.exe
        
        C:\Windows\system32\mmdmm.exe 532 "C:\Windows\SysWOW64\mmdmm.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\mmdmm.exe
        
        C:\Windows\system32\mmdmm.exe 520 "C:\Windows\SysWOW64\mmdmm.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:480
        
        C:\Windows\SysWOW64\mmdmm.exe
        
        C:\Windows\system32\mmdmm.exe 536 "C:\Windows\SysWOW64\mmdmm.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\mmdmm.exe
        
        C:\Windows\system32\mmdmm.exe 528 "C:\Windows\SysWOW64\mmdmm.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mmdmm.exe

Filesize
61KB

MD5
952181a6efe06f561aa868c35952855e

SHA1
fc16de002e24394e9cd0478c58009abef1824eee

SHA256
baa43fc7770c969d7930c6d7be46b07974d79b91447aa5bdb9ac6447fc4faea1

SHA512
c4db44b81b516a1cb6994770e847e1c0d6b8e45ef96671fba0d99877ce751168ba39c400852dc7f1b004da84a2f6c3af48e0edb4815a67ce5d9ef3a47c36b0db

Download Submit
memory/480-53-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/480-55-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1292-65-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1572-43-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1572-41-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1896-22-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1896-24-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2140-34-0x0000000002430000-0x000000000249C000-memory.dmp

Filesize
432KB

Download
memory/2140-28-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2140-30-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2156-61-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2156-59-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2372-15-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2372-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2372-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2372-11-0x0000000002420000-0x000000000248C000-memory.dmp

Filesize
432KB

Download
memory/2372-12-0x0000000002420000-0x000000000248C000-memory.dmp

Filesize
432KB

Download
memory/2392-49-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2392-47-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2424-37-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2424-35-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2732-21-0x0000000000800000-0x000000000086C000-memory.dmp

Filesize
432KB

Download
memory/2732-17-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download