Analysis Overview
SHA256
467db49e07d592f97847aeb59d6b8c34df885c77ae573b1d149d0c055d861bbc
Threat Level: Known bad
The file fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Lokibot
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Creates scheduled task(s)
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-19 13:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 13:17
Reported
2024-04-19 13:19
Platform
win7-20240221-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Lokibot
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2888 set thread context of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWOhcqGUmxz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4183.tmp"
C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 192.236.162.239:80 | 192.236.162.239 | tcp |
| NL | 192.236.162.239:80 | 192.236.162.239 | tcp |
| NL | 192.236.162.239:80 | 192.236.162.239 | tcp |
| NL | 192.236.162.239:80 | 192.236.162.239 | tcp |
Files
memory/2888-1-0x0000000074330000-0x0000000074A1E000-memory.dmp
memory/2888-0-0x0000000000120000-0x00000000001C2000-memory.dmp
memory/2888-2-0x0000000002110000-0x000000000218C000-memory.dmp
memory/2888-3-0x0000000004B70000-0x0000000004BB0000-memory.dmp
memory/2888-4-0x0000000000450000-0x0000000000468000-memory.dmp
memory/2888-5-0x0000000074330000-0x0000000074A1E000-memory.dmp
memory/2888-6-0x0000000004B70000-0x0000000004BB0000-memory.dmp
memory/2888-7-0x0000000004CD0000-0x0000000004D64000-memory.dmp
memory/2888-8-0x0000000000670000-0x0000000000698000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4183.tmp
| MD5 | 5a9fcf69df3e64c6fdf17f98cf19fa48 |
| SHA1 | 753d71a402ccf6d388c2e4cd6b8ac3e6f40a067e |
| SHA256 | 6cac5f1a7bfe62ab38b4f1401bafd263ea0b0a06bef17c9b3e9ead3d88a29a5e |
| SHA512 | d209f4097cf778c4835e749a3f2ff897693b16170c29340c8d9adf970289942c7265e66120801a258db2a4dd14cee71eafba43e5f0d6653866c5dc26cb52ac3c |
memory/2836-14-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2836-15-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2836-16-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2836-17-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2836-18-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2836-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2836-22-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2836-24-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2836-28-0x0000000000400000-0x00000000004A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
memory/2836-44-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2888-46-0x0000000074330000-0x0000000074A1E000-memory.dmp
memory/2836-54-0x0000000000400000-0x00000000004A2000-memory.dmp
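The dump names above encode the PID, a sequence number and the virtual address range of each region the sandbox wrote out. Read together they show where to start unpacking: every dump of the injected child (PID 2836) except one covers the same region 0x400000-0x4A2000, which is the classic preferred image base of a non-relocated 32-bit executable, and the Win10 run below shows the identical range for its child (PID 832). The Python below is an added example, not part of the report, that parses these names, groups them per PID and flags regions at the default image base that were dumped repeatedly; it is a carving aid, not proof that the region holds a hollowed image. The dump names are copied from the behavioral1 Files list; the heuristic and its threshold are the example's own.

```python
import re
from collections import Counter, defaultdict

# Dump names copied from the behavioral1 Files list of this report (PIDs 2888 and 2836).
DUMPS = [
    "memory/2888-1-0x0000000074330000-0x0000000074A1E000-memory.dmp",
    "memory/2888-0-0x0000000000120000-0x00000000001C2000-memory.dmp",
    "memory/2888-2-0x0000000002110000-0x000000000218C000-memory.dmp",
    "memory/2888-3-0x0000000004B70000-0x0000000004BB0000-memory.dmp",
    "memory/2888-4-0x0000000000450000-0x0000000000468000-memory.dmp",
    "memory/2888-5-0x0000000074330000-0x0000000074A1E000-memory.dmp",
    "memory/2888-6-0x0000000004B70000-0x0000000004BB0000-memory.dmp",
    "memory/2888-7-0x0000000004CD0000-0x0000000004D64000-memory.dmp",
    "memory/2888-8-0x0000000000670000-0x0000000000698000-memory.dmp",
    "memory/2836-14-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/2836-15-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/2836-16-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/2836-17-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/2836-18-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/2836-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/2836-22-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/2836-24-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/2836-28-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/2836-44-0x0000000000400000-0x00000000004A2000-memory.dmp",
    "memory/2888-46-0x0000000074330000-0x0000000074A1E000-memory.dmp",
    "memory/2836-54-0x0000000000400000-0x00000000004A2000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as the names appear in the report.
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

DEFAULT_IMAGE_BASE_32 = 0x400000  # preferred base of a non-relocated 32-bit EXE


def parse_dump_name(name):
    """Return (pid, seq, start, end) with addresses as ints, or None if the name does not match."""
    m = DUMP_RE.search(name)
    if m is None:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def regions_by_pid(names):
    """{pid: [(start, end, size, dump_count), ...]}, most-dumped region first."""
    counts = defaultdict(Counter)
    for name in names:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        pid, _seq, start, end = parsed
        counts[pid][(start, end)] += 1
    return {
        pid: sorted(((s, e, e - s, c) for (s, e), c in cnt.items()),
                    key=lambda r: (-r[3], r[0]))
        for pid, cnt in counts.items()
    }


def hollowed_image_candidates(names, min_dumps=2):
    """(pid, size, dump_count) for regions that sit exactly at the default 32-bit
    image base and were dumped at least min_dumps times. In a process that was the
    target of SetThreadContext this is the region to carve first; it is a heuristic
    for where the unpacked payload probably lives, not proof of hollowing."""
    out = []
    for pid, regs in regions_by_pid(names).items():
        for start, _end, size, count in regs:
            if start == DEFAULT_IMAGE_BASE_32 and count >= min_dumps:
                out.append((pid, size, count))
    return sorted(out)


if __name__ == "__main__":
    for pid, regs in sorted(regions_by_pid(DUMPS).items()):
        for start, end, size, count in regs:
            print(f"pid {pid}: 0x{start:08X}-0x{end:08X} size=0x{size:X} dumps={count}")
    print("carve first:", hollowed_image_candidates(DUMPS))
```

For this run the candidate list contains a single entry, the 0xA2000-byte region at 0x400000 in PID 2836; the parent's most-dumped region (0x74330000-0x74A1E000, about 7 MB) is a loaded module range, not an image base, which is why the heuristic leaves it out.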
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-19 13:17
Reported
2024-04-19 13:19
Platform
win10v2004-20240412-en
Max time kernel
140s
Max time network
113s
Command Line
Signatures
Lokibot
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3464 set thread context of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWOhcqGUmxz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE1F4.tmp"
C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa5fe11f37318bf2793b5ffafe621345_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.250.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| NL | 192.236.162.239:80 | 192.236.162.239 | tcp |
| NL | 192.236.162.239:80 | 192.236.162.239 | tcp |
| NL | 192.236.162.239:80 | 192.236.162.239 | tcp |
| US | 8.8.8.8:53 | 239.162.236.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| NL | 192.236.162.239:80 | 192.236.162.239 | tcp |
Files
memory/3464-0-0x0000000000D60000-0x0000000000E02000-memory.dmp
memory/3464-1-0x00000000748B0000-0x0000000075060000-memory.dmp
memory/3464-2-0x0000000005710000-0x000000000578C000-memory.dmp
memory/3464-3-0x0000000009CD0000-0x0000000009D6C000-memory.dmp
memory/3464-4-0x000000000A320000-0x000000000A8C4000-memory.dmp
memory/3464-5-0x00000000059F0000-0x0000000005A82000-memory.dmp
memory/3464-6-0x0000000005940000-0x0000000005950000-memory.dmp
memory/3464-8-0x0000000005BB0000-0x0000000005C06000-memory.dmp
memory/3464-7-0x00000000058E0000-0x00000000058EA000-memory.dmp
memory/3464-9-0x0000000006520000-0x0000000006538000-memory.dmp
memory/3464-10-0x00000000748B0000-0x0000000075060000-memory.dmp
memory/3464-11-0x0000000005940000-0x0000000005950000-memory.dmp
memory/3464-12-0x00000000068B0000-0x0000000006944000-memory.dmp
memory/3464-13-0x0000000007240000-0x0000000007268000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE1F4.tmp
| MD5 | c125d872c35a138be96062e2bb613e5d |
| SHA1 | fa2ea70f95b1dc8a8232ae0aaa27912258470f18 |
| SHA256 | 8360d7e1c8609c238510513b81c8b4192fee0801eaabe6c9c0213a763f8a2594 |
| SHA512 | f6e44980cba3790852fefb048a5b42d2cb93d052e6d48e3d0cbf1a907b85cbefd32451fdd9a3e20fd1e7cfd1afe0837e24915c3beec74b27c640d2fbe7f0545c |
memory/832-19-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/832-21-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/832-23-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/3464-24-0x00000000748B0000-0x0000000075060000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1132431369-515282257-1998160155-1000\0f5007522459c86e95ffcc62f32308f1_70c90021-9ffc-4518-9838-e0670256fcd5
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1132431369-515282257-1998160155-1000\0f5007522459c86e95ffcc62f32308f1_70c90021-9ffc-4518-9838-e0670256fcd5
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
memory/832-43-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/832-51-0x0000000000400000-0x00000000004A2000-memory.dmp