83f9bbc01dac5ffa387d08c5c262da8c06da541481c13ffe00ae710194cbdc28

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 19:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe
Size

126KB
MD5

ff2d3d9788fde6826ba30d8be3ac4b07
SHA1

18d5c1dae7cc320014729405de5596f3a9a44435
SHA256

83f9bbc01dac5ffa387d08c5c262da8c06da541481c13ffe00ae710194cbdc28
SHA512

b43b4ae5960ad77edbab122d0964a348797d44019c2a82a81c421e45394d09e4795dc44d160895f7ad895d6a510e40209073bb72fcf448be31de1fbd0a51c1de
SSDEEP

1536:lWpW3u/OGJ6M0goJCIujk67L2V0raDr21yhGjJPCRUDuguiZoRTGAAi5YAgl52M8:l461nuw6n2nDuVV+gu1Akwl52sLflk

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 20 IoCs

pid	Process
2004	mldmm.exe
5068	mldmm.exe
1072	mldmm.exe
2180	mldmm.exe
1760	mldmm.exe
1592	mldmm.exe
3692	mldmm.exe
4404	mldmm.exe
4772	mldmm.exe
3996	mldmm.exe
4992	mldmm.exe
2320	mldmm.exe
3916	mldmm.exe
2160	mldmm.exe
408	mldmm.exe
4240	mldmm.exe
2368	mldmm.exe
4708	mldmm.exe
3732	mldmm.exe
2572	mldmm.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File opened for modification	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File created	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File opened for modification	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File created	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File created	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File created	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File created	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File opened for modification	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File created	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File created	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File opened for modification	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File created	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File opened for modification	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File created	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File opened for modification	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File created	C:\Windows\SysWOW64\mldmm.exe	ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File opened for modification	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File opened for modification	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File opened for modification	C:\Windows\SysWOW64\mldmm.exe	mldmm.exe
File opened for modification	C:\Windows\SysWOW64\mldmm.exe	ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 2388 set thread context of 2408	2388	ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe	82
PID 2004 set thread context of 5068	2004	mldmm.exe	84
PID 1072 set thread context of 2180	1072	mldmm.exe	93
PID 1760 set thread context of 1592	1760	mldmm.exe	96
PID 3692 set thread context of 4404	3692	mldmm.exe	99
PID 4772 set thread context of 3996	4772	mldmm.exe	101
PID 4992 set thread context of 2320	4992	mldmm.exe	103
PID 3916 set thread context of 2160	3916	mldmm.exe	105
PID 408 set thread context of 4240	408	mldmm.exe	107
PID 2368 set thread context of 4708	2368	mldmm.exe	109
PID 3732 set thread context of 2572	3732	mldmm.exe	111

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mldmm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2408	2388	ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe	82
PID 2388 wrote to memory of 2408	2388	ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe	82
PID 2388 wrote to memory of 2408	2388	ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe	82
PID 2388 wrote to memory of 2408	2388	ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe	82
PID 2388 wrote to memory of 2408	2388	ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe	82
PID 2388 wrote to memory of 2408	2388	ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe	82
PID 2388 wrote to memory of 2408	2388	ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe	82
PID 2408 wrote to memory of 2004	2408	ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe	83
PID 2408 wrote to memory of 2004	2408	ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe	83
PID 2408 wrote to memory of 2004	2408	ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe	83
PID 2004 wrote to memory of 5068	2004	mldmm.exe	84
PID 2004 wrote to memory of 5068	2004	mldmm.exe	84
PID 2004 wrote to memory of 5068	2004	mldmm.exe	84
PID 2004 wrote to memory of 5068	2004	mldmm.exe	84
PID 2004 wrote to memory of 5068	2004	mldmm.exe	84
PID 2004 wrote to memory of 5068	2004	mldmm.exe	84
PID 2004 wrote to memory of 5068	2004	mldmm.exe	84
PID 5068 wrote to memory of 1072	5068	mldmm.exe	92
PID 5068 wrote to memory of 1072	5068	mldmm.exe	92
PID 5068 wrote to memory of 1072	5068	mldmm.exe	92
PID 1072 wrote to memory of 2180	1072	mldmm.exe	93
PID 1072 wrote to memory of 2180	1072	mldmm.exe	93
PID 1072 wrote to memory of 2180	1072	mldmm.exe	93
PID 1072 wrote to memory of 2180	1072	mldmm.exe	93
PID 1072 wrote to memory of 2180	1072	mldmm.exe	93
PID 1072 wrote to memory of 2180	1072	mldmm.exe	93
PID 1072 wrote to memory of 2180	1072	mldmm.exe	93
PID 2180 wrote to memory of 1760	2180	mldmm.exe	95
PID 2180 wrote to memory of 1760	2180	mldmm.exe	95
PID 2180 wrote to memory of 1760	2180	mldmm.exe	95
PID 1760 wrote to memory of 1592	1760	mldmm.exe	96
PID 1760 wrote to memory of 1592	1760	mldmm.exe	96
PID 1760 wrote to memory of 1592	1760	mldmm.exe	96
PID 1760 wrote to memory of 1592	1760	mldmm.exe	96
PID 1760 wrote to memory of 1592	1760	mldmm.exe	96
PID 1760 wrote to memory of 1592	1760	mldmm.exe	96
PID 1760 wrote to memory of 1592	1760	mldmm.exe	96
PID 1592 wrote to memory of 3692	1592	mldmm.exe	98
PID 1592 wrote to memory of 3692	1592	mldmm.exe	98
PID 1592 wrote to memory of 3692	1592	mldmm.exe	98
PID 3692 wrote to memory of 4404	3692	mldmm.exe	99
PID 3692 wrote to memory of 4404	3692	mldmm.exe	99
PID 3692 wrote to memory of 4404	3692	mldmm.exe	99
PID 3692 wrote to memory of 4404	3692	mldmm.exe	99
PID 3692 wrote to memory of 4404	3692	mldmm.exe	99
PID 3692 wrote to memory of 4404	3692	mldmm.exe	99
PID 3692 wrote to memory of 4404	3692	mldmm.exe	99
PID 4404 wrote to memory of 4772	4404	mldmm.exe	100
PID 4404 wrote to memory of 4772	4404	mldmm.exe	100
PID 4404 wrote to memory of 4772	4404	mldmm.exe	100
PID 4772 wrote to memory of 3996	4772	mldmm.exe	101
PID 4772 wrote to memory of 3996	4772	mldmm.exe	101
PID 4772 wrote to memory of 3996	4772	mldmm.exe	101
PID 4772 wrote to memory of 3996	4772	mldmm.exe	101
PID 4772 wrote to memory of 3996	4772	mldmm.exe	101
PID 4772 wrote to memory of 3996	4772	mldmm.exe	101
PID 4772 wrote to memory of 3996	4772	mldmm.exe	101
PID 3996 wrote to memory of 4992	3996	mldmm.exe	102
PID 3996 wrote to memory of 4992	3996	mldmm.exe	102
PID 3996 wrote to memory of 4992	3996	mldmm.exe	102
PID 4992 wrote to memory of 2320	4992	mldmm.exe	103
PID 4992 wrote to memory of 2320	4992	mldmm.exe	103
PID 4992 wrote to memory of 2320	4992	mldmm.exe	103
PID 4992 wrote to memory of 2320	4992	mldmm.exe	103

C:\Users\Admin\AppData\Local\Temp\ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\mldmm.exe
    C:\Windows\system32\mldmm.exe 1104 "C:\Users\Admin\AppData\Local\Temp\ff2d3d9788fde6826ba30d8be3ac4b07_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\mldmm.exe
      C:\Windows\SysWOW64\mldmm.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\system32\mldmm.exe 1124 "C:\Windows\SysWOW64\mldmm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1072
      - C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\SysWOW64\mldmm.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\system32\mldmm.exe 1092 "C:\Windows\SysWOW64\mldmm.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\SysWOW64\mldmm.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\system32\mldmm.exe 1092 "C:\Windows\SysWOW64\mldmm.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\SysWOW64\mldmm.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\system32\mldmm.exe 1096 "C:\Windows\SysWOW64\mldmm.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\SysWOW64\mldmm.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\system32\mldmm.exe 1096 "C:\Windows\SysWOW64\mldmm.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\SysWOW64\mldmm.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\system32\mldmm.exe 1096 "C:\Windows\SysWOW64\mldmm.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\SysWOW64\mldmm.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\system32\mldmm.exe 1092 "C:\Windows\SysWOW64\mldmm.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\SysWOW64\mldmm.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\system32\mldmm.exe 1092 "C:\Windows\SysWOW64\mldmm.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\SysWOW64\mldmm.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\system32\mldmm.exe 1096 "C:\Windows\SysWOW64\mldmm.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\mldmm.exe
        
        C:\Windows\SysWOW64\mldmm.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mldmm.exe

Filesize
126KB

MD5
ff2d3d9788fde6826ba30d8be3ac4b07

SHA1
18d5c1dae7cc320014729405de5596f3a9a44435

SHA256
83f9bbc01dac5ffa387d08c5c262da8c06da541481c13ffe00ae710194cbdc28

SHA512
b43b4ae5960ad77edbab122d0964a348797d44019c2a82a81c421e45394d09e4795dc44d160895f7ad895d6a510e40209073bb72fcf448be31de1fbd0a51c1de

Download Submit
memory/1592-34-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2160-62-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2180-24-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2180-27-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2320-55-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2408-17-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2408-3-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2408-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2408-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2572-83-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3996-48-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4240-69-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4404-41-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4708-76-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5068-18-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5068-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download