Analysis

  • max time kernel
    138s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-04-2024 11:35

General

  • Target

    0792989f119bbd40d5007b97dcd1686e_JaffaCakes118.msi

  • Size

    464KB

  • MD5

    0792989f119bbd40d5007b97dcd1686e

  • SHA1

    04b8ea7bd95bb0431f0ec449c8acde6e82dbc882

  • SHA256

    f41b9c371e86408b1247d6465b36ba7134ca8c081580ad5fb0e913d215263ad3

  • SHA512

    3a7ccac62d3b2fbbd84b77952e0d013da439bff39d4ffdd44bdcc9878e27bd4a20405c09b6a00edc4ffa986f3602bdee3350fbd5d14a3eaf2beba62bec9e067a

  • SSDEEP

    6144:eEpmSltsbiQnYW3rGhPLLlI13JvQIFSb22PKKRaHoNuQQQQQO8:eEpubiQN3ahPnlPO222rYIN88

Malware Config

Extracted

Family

lokibot

C2

http://angelbiss.space/html/1/8/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 62 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0792989f119bbd40d5007b97dcd1686e_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2776
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\Installer\MSI3304.tmp
      "C:\Windows\Installer\MSI3304.tmp"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Notesbger" /TR "\"C:\ProgramData\Anhang1.exe\""
        3⤵
        • Creates scheduled task(s)
        PID:1456
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /run /tn "Notesbger"
        3⤵
        PID:2248
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000578" "00000000000004C0"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {34341F0B-44CD-4BD6-BC84-7881670320F2} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\ProgramData\Anhang1.exe
        C:\ProgramData\Anhang1.exe
        2⤵
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:872
        • C:\ProgramData\Anhang1.exe
          C:\ProgramData\Anhang1.exe
          3⤵
          • Accesses Microsoft Outlook profiles
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1696
      • C:\ProgramData\Anhang1.exe
        C:\ProgramData\Anhang1.exe
        2⤵
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\ProgramData\Anhang1.exe
          C:\ProgramData\Anhang1.exe
          3⤵
          • Executes dropped EXE
          PID:2344

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\f763180.rbs

      Filesize

      663B

      MD5

      07774a77216325199865f8a704ce0edb

      SHA1

      3b01ae3e041ef0bed7c41b33bee5d0e616a07cef

      SHA256

      5e17d799ef7771f11aac7904fcef52c7344944887ce9b3c4db0f958d9c5bdc03

      SHA512

      b58684817a17ed25ef5cbe4632bafd7978434ac43d87c243eb1d176101da12e07f94efb3ae0c274938e84c886ee696abdc5d8888e7b82ddbec01c0efa53e9074

    • C:\ProgramData\Anhang1.exe

      Filesize

      440KB

      MD5

      5b13d7cafae2a6f70999ed7072da8383

      SHA1

      afaf8b027d978a92fc98e1ed290c1b77ac60ef2c

      SHA256

      d802a2930a4e81322e741521b69771c46ba491305db6bc3439829cc008296034

      SHA512

      2782c5e4450fcf8136082af33a20f404609e66e710af5a4ec0247b0257325bd7f03c09ca11307737ae611b602db77134f56890fb0cc3e9e84dfa00b395f4607d

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e

      Filesize

      46B

      MD5

      d898504a722bff1524134c6ab6a5eaa5

      SHA1

      e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

      SHA256

      878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

      SHA512

      26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e

      Filesize

      46B

      MD5

      c07225d4e7d01d31042965f048728a0a

      SHA1

      69d70b340fd9f44c89adb9a2278df84faa9906b7

      SHA256

      8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

      SHA512

      23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    • C:\Windows\Installer\MSI3304.tmp

      Filesize

      440KB

      MD5

      0b9991bac57a03beb7848051d88bbd86

      SHA1

      0cf8a4c5c1f804cfb9fcf83a2fa54154b4d4a10e

      SHA256

      fc32567cd8fe30343ded8d74b160eb3ce7ca085567456d6923e6e5678a3f605b

      SHA512

      d65f59e701693d6121a467c957178ff88d738ce0579e664b8a1b68c0f580e133fdeb30a5613ebbfa2c93a639f4430be035537edb0037d104fb58277de6bc123a

    • memory/1696-31-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/1696-33-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/1696-65-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/1696-84-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/2344-57-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB