07f1037b8d6650c8d4aedea072a2525a2cb5f40849fb43a86e2a6582f1aecc20

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 19:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d04aee33bdc7eaf81c434f60414e5f8f_JaffaCakes118.exe
Size

256KB
MD5

d04aee33bdc7eaf81c434f60414e5f8f
SHA1

b51e61cfb36ba718e4af445d040de22f3a7c7392
SHA256

07f1037b8d6650c8d4aedea072a2525a2cb5f40849fb43a86e2a6582f1aecc20
SHA512

9cc0ab58699ee5c948adfc6923c22c1533ac63e8d7a13ed67070a07370c66a559b0131b09513df639c5a02221ae8ac336304d5d27d073165ab0c7da947357b22
SSDEEP

6144:+Gzf+/hOSZouvcOZvoZMZjnpWA5Gno3CK:HK/JRvNoZM1V3CK

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	d04aee33bdc7eaf81c434f60414e5f8f_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vchost.exe	Sequencer (KL).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vchost.exe	Sequencer (KL).exe

Executes dropped EXE 2 IoCs

pid	Process
2612	Marxereals Sequencer GUI.exe
1784	Sequencer (KL).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sequencer (KL).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d04aee33bdc7eaf81c434f60414e5f8f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Marxereals Sequencer GUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe
1784	Sequencer (KL).exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	d04aee33bdc7eaf81c434f60414e5f8f_JaffaCakes118.exe
Token: SeDebugPrivilege	1784	Sequencer (KL).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 2612	5040	d04aee33bdc7eaf81c434f60414e5f8f_JaffaCakes118.exe	86
PID 5040 wrote to memory of 2612	5040	d04aee33bdc7eaf81c434f60414e5f8f_JaffaCakes118.exe	86
PID 5040 wrote to memory of 2612	5040	d04aee33bdc7eaf81c434f60414e5f8f_JaffaCakes118.exe	86
PID 5040 wrote to memory of 1784	5040	d04aee33bdc7eaf81c434f60414e5f8f_JaffaCakes118.exe	87
PID 5040 wrote to memory of 1784	5040	d04aee33bdc7eaf81c434f60414e5f8f_JaffaCakes118.exe	87
PID 5040 wrote to memory of 1784	5040	d04aee33bdc7eaf81c434f60414e5f8f_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\d04aee33bdc7eaf81c434f60414e5f8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d04aee33bdc7eaf81c434f60414e5f8f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\Marxereals Sequencer GUI.exe
  "C:\Users\Admin\AppData\Local\Temp\Marxereals Sequencer GUI.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2612
- C:\Users\Admin\AppData\Local\Temp\Sequencer (KL).exe
  "C:\Users\Admin\AppData\Local\Temp\Sequencer (KL).exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Marxereals Sequencer GUI.exe

Filesize
86KB

MD5
801a41c9165b85cd76e80bc96fb7ac52

SHA1
8858695fae3231f3301354d9ba28bf4b66b47a86

SHA256
8478c3f6f6cd12af227dcbdd16b887b420b002d9e4448a62a7dc47a376c9394a

SHA512
32bed322e34d8c27631ab0c69febffb1611e05c2cae97cacd32dec1999989e02323e8fe8882b1dd987ee7307a52decd0c5268ccdaac0a3eb65c250d207f9e689

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sequencer (KL).exe

Filesize
90KB

MD5
baa6b5e1c23e5a04c0a01823b43d7965

SHA1
64b476abf2914abb4af388cccf253fcfa1f5475b

SHA256
29b97d4644d457c90536ce8426a51dde8e10d2335c3072f367183bc4ac4393dd

SHA512
d8b83a5bd87b5791a53cd63a7c5f0f0d85b35e29d9810d1e728eca8cd9a445febcfc87b79b8be8f61e45d1647ebb7eb2102ef4586563fda26a7a0e9aeaccf898

Download Submit
memory/1784-41-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/1784-40-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/1784-36-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/1784-33-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/1784-34-0x0000000000610000-0x000000000062E000-memory.dmp

Filesize
120KB

Download
memory/2612-35-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/2612-32-0x0000000000010000-0x000000000002E000-memory.dmp

Filesize
120KB

Download
memory/2612-30-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/2612-39-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/5040-7-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/5040-6-0x00000000058C0000-0x0000000005916000-memory.dmp

Filesize
344KB

Download
memory/5040-31-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/5040-5-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/5040-4-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/5040-0-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/5040-3-0x0000000005D30000-0x00000000062D4000-memory.dmp

Filesize
5.6MB

Download
memory/5040-2-0x0000000005640000-0x00000000056DC000-memory.dmp

Filesize
624KB

Download
memory/5040-1-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download