Analysis Overview
SHA256
af8cb812180974a437226dc550eac673f0687626255289db2017c7f4f47177e7
Threat Level: Known bad
The file 08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Lokibot
Uses the VBS compiler for execution
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Suspicious use of WriteProcessMemory
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-30 02:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-30 02:40
Reported
2024-04-30 02:42
Platform
win7-20240221-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Lokibot
Uses the VBS compiler for execution
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2492 set thread context of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
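The three "Key opened" rows above (and the same three in behavioral2) are what the outlook_office_path and outlook_win_path signatures match: the Outlook profile containers under Office\15.0 and Office\16.0 and the older Windows Messaging Subsystem location, which is where saved mail account credentials live and which Lokibot's stealer module is known to read. What makes the rows notable is the reader. vbc.exe, the Visual Basic .NET compiler, has no business opening a mail profile, so the process identity is as much a signal as the key path. Below is an added example, not part of the sandbox report, that classifies registry-access events against those two key families with the SID normalised and flags any reader that is not an expected mail client. The SIDs and key paths are taken from the report; the EXPECTED_READERS allowlist and the OUTLOOK.EXE path in the constructed sample are assumptions.

```python
import re
from collections import defaultdict

# Added example, not part of the sandbox report. Sandbox SIDs differ per image
# (S-1-5-21-330940541-... on the Win7 run, S-1-5-21-3906287020-... on the Win10 run),
# so the SID is normalised to a placeholder before matching.
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3,4}")

# Key families behind the report's outlook_office_path / outlook_win_path signatures.
OUTLOOK_OFFICE_RE = re.compile(
    r"^\\REGISTRY\\USER\\<SID>\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles(?:\\|$)",
    re.IGNORECASE,
)
OUTLOOK_WIN_RE = re.compile(
    r"^\\REGISTRY\\USER\\<SID>\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
    r"Windows Messaging Subsystem\\Profiles(?:\\|$)",
    re.IGNORECASE,
)

# Image names with a legitimate reason to read mail profiles (assumption; tune per estate).
EXPECTED_READERS = {"outlook.exe"}


def normalise_key(path: str) -> str:
    """Replace the user SID in an HKU-style key path with a placeholder."""
    return SID_RE.sub("<SID>", path)


def classify_outlook_key(path: str):
    """Return 'outlook_office_path', 'outlook_win_path', or None for a registry key path."""
    key = normalise_key(path)
    if OUTLOOK_OFFICE_RE.match(key):
        return "outlook_office_path"
    if OUTLOOK_WIN_RE.match(key):
        return "outlook_win_path"
    return None


def outlook_profile_access(events):
    """
    events: (process_image, registry_key) pairs, e.g. Sysmon Event ID 12/13 or a sandbox
    'Key opened' table. Returns {process_image: {signature, ...}} for every process that
    touched Outlook profile keys and is not an expected mail client.
    """
    hits = defaultdict(set)
    for image, key in events:
        sig = classify_outlook_key(key)
        if sig is None:
            continue
        if image.rsplit("\\", 1)[-1].lower() in EXPECTED_READERS:
            continue
        hits[image].add(sig)
    return dict(hits)


# Constructed sample modelled on the behavioral1 rows; the OUTLOOK.EXE and explorer.exe
# events are assumed benign background activity added for contrast.
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000"
SAMPLE_EVENTS = [
    (VBC, HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    (VBC, HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"),
    (VBC, HKU + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook"),
    (r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    (r"C:\Windows\explorer.exe", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer"),
]

if __name__ == "__main__":
    for image, sigs in outlook_profile_access(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(sorted(sigs))}")
```

Run against the sample, only vbc.exe is reported, with both signatures; the Outlook process reading its own profile is dropped by the allowlist. In a Sysmon deployment the same logic applies to Event ID 12/13 TargetObject values after mapping HKU\S-1-5-21-... to the \REGISTRY\USER\... form used here.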
Processes
C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ysqo11v4\ysqo11v4.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EA2.tmp" "c:\Users\Admin\AppData\Local\Temp\ysqo11v4\CSC4C1B85FD9CC84362894F2AAB524E9976.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
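The process list above shows the two stages behind the report's signatures. First, the sample (PID 2492 in this run) launches csc.exe from the .NET 4 Framework directory with /noconfig /fullpaths and a response file under %TEMP%\ysqo11v4\, and csc.exe in turn spawns cvtres.exe; that is the footprint of compiling C# at runtime through CodeDOM, and it produces the .cmdline, .0.cs, .dll and .pdb artefacts listed under Files. Second, the sample starts vbc.exe from the .NET 2 Framework directory with no arguments at all and, per the SetThreadContext signature, sets the thread context of that process (PID 2608); together with the WriteProcessMemory signature this is process hollowing, with a Microsoft-signed compiler serving as the host for the injected payload (the repeated dumps of PID 2608 at 0x400000-0x4A2000 under Files are that region). The "VBS compiler" in the signature name is vbc.exe, the Visual Basic .NET compiler, not a VBScript engine. Below is an added example, not code from the report or from the sandbox vendor, that applies those two rules to Sysmon-style process-creation records plus a list of (source PID, target PID) thread-context pairs. PIDs 2492 and 2608 and the command lines are taken from the report; the other PIDs, the benign build entry and the user-writable path list are assumptions.

```python
import re

# Added example, not part of the sandbox report. Input is a list of Sysmon Event ID 1-like
# dicts plus (src_pid, dst_pid) SetThreadContext pairs from a sandbox or EDR source
# (Sysmon itself does not log SetThreadContext).
NET_FX_COMPILERS = {"csc.exe", "vbc.exe"}
# Directories a standard user can write to (assumption; extend for your estate).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def command_args(cmdline: str) -> str:
    """Everything after the image token of a Windows command line ('' when there is none)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def runtime_compilation(procs):
    """csc.exe/vbc.exe fed a response file from a user-writable directory by a parent that
    itself runs from a user-writable directory: compile-at-runtime driven by a dropper."""
    by_pid = {p["pid"]: p for p in procs}
    out = []
    for p in procs:
        if basename(p["image"]) not in NET_FX_COMPILERS:
            continue
        m = RESPONSE_FILE_RE.search(p["cmdline"])
        if not m or not in_user_writable(m.group(1)):
            continue
        parent = by_pid.get(p["ppid"])
        if parent and in_user_writable(parent["image"]):
            out.append(("runtime_compilation", parent["pid"], p["pid"]))
    return out


def hollowed_compiler(procs, thread_context):
    """A .NET compiler started with no arguments does no work of its own; when its parent
    also set its thread context it is being used as a hollowing host."""
    ctx = set(thread_context)
    out = []
    for p in procs:
        if basename(p["image"]) not in NET_FX_COMPILERS or command_args(p["cmdline"]):
            continue
        hollowed = (p["ppid"], p["pid"]) in ctx
        out.append(("process_hollowing_into_compiler" if hollowed else "compiler_without_arguments",
                    p["ppid"], p["pid"]))
    return out


def triage(procs, thread_context=()):
    """All findings as (rule, parent_pid, child_pid) tuples."""
    return runtime_compilation(procs) + hollowed_compiler(procs, thread_context)


# Constructed sample modelled on the behavioral1 process list. PIDs 2492 and 2608 are the
# ones the report gives; PIDs 1000, 2500, 2512 and the benign build entry are assumed.
FX4 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe"
SAMPLE_PROCESSES = [
    {"pid": 2492, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2500, "ppid": 2492, "image": FX4 + r"\csc.exe",
     "cmdline": f'"{FX4}\\csc.exe" /noconfig /fullpaths @"C:\\Users\\Admin\\AppData\\Local\\Temp\\ysqo11v4\\ysqo11v4.cmdline"'},
    {"pid": 2512, "ppid": 2500, "image": FX4 + r"\cvtres.exe",
     "cmdline": f'{FX4}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES7EA2.tmp" "c:\\Users\\Admin\\AppData\\Local\\Temp\\ysqo11v4\\CSC4C1B85FD9CC84362894F2AAB524E9976.TMP"'},
    {"pid": 2608, "ppid": 2492, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"'},
    # Assumed benign contrast: a build tool compiling real sources from a project directory.
    {"pid": 4000, "ppid": 3000, "image": FX4 + r"\csc.exe",
     "cmdline": f'"{FX4}\\csc.exe" /noconfig /fullpaths @"C:\\src\\app\\obj\\Debug\\app.cmdline"'},
]
SAMPLE_THREAD_CONTEXT = [(2492, 2608)]  # report: "PID 2492 set thread context of 2608"

if __name__ == "__main__":
    for rule, parent_pid, pid in triage(SAMPLE_PROCESSES, SAMPLE_THREAD_CONTEXT):
        print(f"{rule}: parent {parent_pid} -> child {pid}")
```

On the sample this yields exactly two findings, runtime_compilation for 2492 -> 2500 and process_hollowing_into_compiler for 2492 -> 2608, and nothing for the project-directory build. Without the thread-context feed the second finding degrades to compiler_without_arguments, which is still worth a look on hosts that have no developer tooling. For hunting the dropped files, the generated source is the stable artefact: ysqo11v4.0.cs here and 22plhnb3.0.cs in behavioral2 carry the same SHA256 cffed596ec89a04ca60edd36165132b88ef440a7e34a45e9558521384b72da59, while the .cmdline, .dll and .pdb hashes differ between runs because they embed the random output path.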
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipqbook.com | udp |
Files
memory/2492-0-0x00000000012B0000-0x0000000001326000-memory.dmp
memory/2492-1-0x0000000074860000-0x0000000074F4E000-memory.dmp
memory/2492-2-0x00000000047B0000-0x00000000047F0000-memory.dmp
memory/2492-3-0x0000000000320000-0x0000000000328000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ysqo11v4\ysqo11v4.cmdline
| MD5 | d5b3a524ba7aae0cab302db06461dd29 |
| SHA1 | 6942d16d9501cfa26cf90861d76f4bea51cfa265 |
| SHA256 | 8d9b6c6ccb8eec19a747c4e06a267ac16dcda1e13c45f7fa3b6bbb3828c4dd70 |
| SHA512 | e3e73280df1eddb0c34628928e52037f15eb68b6bc03104126022baf3e66cd2b2d80ba975fac8a2f4df70001c62198d4c4ad63ba7a3cb350d27406f81d85e7f6 |
\??\c:\Users\Admin\AppData\Local\Temp\ysqo11v4\ysqo11v4.0.cs
| MD5 | bd87362c479e754ac84645b038de30d4 |
| SHA1 | a097cca2477961cc19297ed9d645fbc6a8702c90 |
| SHA256 | cffed596ec89a04ca60edd36165132b88ef440a7e34a45e9558521384b72da59 |
| SHA512 | 5b785a293177d83b5e0194ef38201ccf9c9a24c00f46b4cbc613592baf014ec3c5b82e845cb89d41c8575c3c4d0e899bd03ec3262dd63ebbc7b558d7b9ecb1f2 |
\??\c:\Users\Admin\AppData\Local\Temp\ysqo11v4\CSC4C1B85FD9CC84362894F2AAB524E9976.TMP
| MD5 | d7a2466a8294f5f563550d3808e089fc |
| SHA1 | 127dd2ba91b8910d32195b877bdff29eafb03893 |
| SHA256 | 44fe460d59ed8d16caa2bc9298d3fd757a67d495385bcfbb0b29f24bd4c31e0e |
| SHA512 | 1d164eb35a14cc123e1c4bac12666e40a2c60e0144416ee34e88f74db75ed3f7c804e1a9f9defe459797b7df64670709f91bbdabfb50bb0ae6672b3f19253656 |
C:\Users\Admin\AppData\Local\Temp\RES7EA2.tmp
| MD5 | e9652d5e549cb70842a5909999db09e9 |
| SHA1 | 6065686e29b8a21bc58ea497ae6793da17a97779 |
| SHA256 | e3db670625c4d4e83b94902202be80c7a7000fa1e23d33ed8b56126cdf7a2cef |
| SHA512 | d2d6fa2e14f3d69921732187050b936ac574ad82641033a166b4e3813039a11e9600877810d612b69545ff04c2ff810c832dd058ec99aa7483a5660ea4de6642 |
C:\Users\Admin\AppData\Local\Temp\ysqo11v4\ysqo11v4.dll
| MD5 | 237e11423ffca42b3b1165df119243f0 |
| SHA1 | 63284fb77f8cae8a05e0de4043158e8ded0b40a3 |
| SHA256 | 56bba2b8f1bf17739aaab03cb06f4259ed3430402f965fc6b8ec0d10adfac0c0 |
| SHA512 | d09aa066efbfde9ed90cd63faa80358c6a9257bbde9f73200f3a901a2f14d9d14cf146d9e24a1a87d4742232fa50959231d94d0f9c322fa8dc2f18a22342c184 |
memory/2492-18-0x00000000003A0000-0x00000000003A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ysqo11v4\ysqo11v4.pdb
| MD5 | 34d28e682e8a9ee408d2d8a115fcd76f |
| SHA1 | aa36db3572b42a02bd5e1b4fd4aa8bbbd57f9d81 |
| SHA256 | 6cf6e855109bf5f17102ab213acdd656fb11085c76cdeffe39e3333f615e91a2 |
| SHA512 | 7c1b7b2a2061cfce17cd0f2089cff6e1d178721eff328223e11cbfb233a3ec9477727c172c09f4c5340ed0bb278a24c8923521d0f581bfb4957a33a9eeea856f |
memory/2492-20-0x0000000000A60000-0x0000000000A8A000-memory.dmp
memory/2492-21-0x00000000003B0000-0x00000000003BC000-memory.dmp
memory/2492-22-0x0000000000870000-0x0000000000912000-memory.dmp
memory/2608-23-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2608-35-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2608-33-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2608-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2608-29-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2608-27-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2608-25-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2608-24-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2492-36-0x0000000074860000-0x0000000074F4E000-memory.dmp
memory/2608-40-0x0000000000400000-0x00000000004A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
memory/2608-61-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2608-82-0x0000000000400000-0x00000000004A2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-30 02:40
Reported
2024-04-30 02:42
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Lokibot
Uses the VBS compiler for execution
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3404 set thread context of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\22plhnb3\22plhnb3.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A9E.tmp" "c:\Users\Admin\AppData\Local\Temp\22plhnb3\CSC129A497F0E4E6C925B85517C4587D5.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ipqbook.com | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipqbook.com | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipqbook.com | udp |
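Most of the behavioral2 table is Windows 10 background traffic: the g.bing.com and www.bing.com connections and the in-addr.arpa rows (reverse lookups for addresses already contacted) are not attributable to the sample. The one name with no OS or sandbox explanation is ipqbook.com, queried three times here and once in behavioral1, and in neither run is a TCP or UDP connection to a resolved address for it recorded, so the capture shows the sample trying to reach it but not succeeding. Below is an added example, not part of the report, that parses a Network table in this format and makes that separation explicit. The rows are copied from the table above; the background-domain suffix list is an assumption to be tuned per estate.

```python
from collections import defaultdict

# Added example, not part of the sandbox report. Rows copied from the behavioral2 table.
BEHAVIORAL2_NETWORK = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ipqbook.com | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipqbook.com | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipqbook.com | udp |
"""

# Domains the OS and sandbox image talk to on their own (assumption; tune per estate).
BACKGROUND_SUFFIXES = ("bing.com", "microsoft.com", "msftconnecttest.com", "windowsupdate.com", "windows.com")


def parse_rows(table: str):
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts, skipping the header."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto.lower()})
    return rows


def is_background(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    if d.endswith(".in-addr.arpa") or d.endswith(".ip6.arpa"):
        return True  # PTR lookups for addresses already contacted, not sample behaviour
    return any(d == s or d.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def c2_candidates(rows):
    """Non-background domains with their DNS query count and any non-DNS connections.
    A name with queries but an empty connection list was looked up but never contacted
    within the capture."""
    out = defaultdict(lambda: {"dns_queries": 0, "connections": []})
    for r in rows:
        if is_background(r["domain"]):
            continue
        if r["port"] == 53 and r["proto"] == "udp":
            out[r["domain"]]["dns_queries"] += 1
        else:
            out[r["domain"]]["connections"].append(f'{r["ip"]}:{r["port"]}/{r["proto"]}')
    return dict(out)


if __name__ == "__main__":
    for domain, info in c2_candidates(parse_rows(BEHAVIORAL2_NETWORK)).items():
        print(f"{domain}: {info['dns_queries']} DNS queries, connections={info['connections'] or 'none'}")
```

The output is a single candidate, ipqbook.com, with three DNS queries and no connections. The behavioral1 table reduces the same way to one query and no connection; the Win7 image simply generates none of the bing.com noise.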
Files
memory/3404-0-0x0000000000990000-0x0000000000A06000-memory.dmp
memory/3404-1-0x0000000005330000-0x00000000053C2000-memory.dmp
memory/3404-2-0x0000000074E20000-0x00000000755D0000-memory.dmp
memory/3404-3-0x0000000005560000-0x0000000005570000-memory.dmp
memory/3404-4-0x0000000002DC0000-0x0000000002DC8000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\22plhnb3\22plhnb3.cmdline
| MD5 | 2784f095ec8ea4be4bc14878a09fb31f |
| SHA1 | db8b523fa1809be7b4cecae098981d20e1577b2e |
| SHA256 | b302f5c7e1e9b1a4584e04ad75442bdc60928c9bc560d296fc62006161126f2c |
| SHA512 | 43cf12597579cb967f332577aa9fab1ea75f18cc07b47c8ff9a140f3f577b86d262a308de7758f87333d8c8801554ee511cd10536be910913289582b24834da5 |
\??\c:\Users\Admin\AppData\Local\Temp\22plhnb3\22plhnb3.0.cs
| MD5 | bd87362c479e754ac84645b038de30d4 |
| SHA1 | a097cca2477961cc19297ed9d645fbc6a8702c90 |
| SHA256 | cffed596ec89a04ca60edd36165132b88ef440a7e34a45e9558521384b72da59 |
| SHA512 | 5b785a293177d83b5e0194ef38201ccf9c9a24c00f46b4cbc613592baf014ec3c5b82e845cb89d41c8575c3c4d0e899bd03ec3262dd63ebbc7b558d7b9ecb1f2 |
\??\c:\Users\Admin\AppData\Local\Temp\22plhnb3\CSC129A497F0E4E6C925B85517C4587D5.TMP
| MD5 | 9dc485f3c517232106c1e50fb185b481 |
| SHA1 | 2a9a34ef159eb536741fc347ac02e222cc5e580a |
| SHA256 | c3a96f9e30c0e787fdece27b00dc43b1e0546bfeac613d7b686b3538cd34b2ae |
| SHA512 | b0c2ec482efb7b6bd1c1f924e0ea98d79c491fceee21f0707bc2a14b5d9c28e3f3e49e1f9ac08c45873f50f35b14965bd872369a1ce0de338da33f6e249c8a4b |
C:\Users\Admin\AppData\Local\Temp\RES7A9E.tmp
| MD5 | c8b91902b91b39fdb3d5d55106d8c679 |
| SHA1 | 4453818bc15042a94d70eb01879ff96d9af077a6 |
| SHA256 | 83bcbffd0562ed4fba73fce6990418880c8f9c5b8c2129d7847128fd912bfee4 |
| SHA512 | 9e5b17d440b2cb771a149ae3ae86a638b4b1de1a3baf82326c4abf8f80ec6093629ce4abe59415f60a2ed47f128f3c3067cfa3546d903d878b727b6b9121c23e |
C:\Users\Admin\AppData\Local\Temp\22plhnb3\22plhnb3.pdb
| MD5 | 2d2bc2f2c5d16eb560dc84135de00274 |
| SHA1 | fa56534703cfaa0788b881e069f052de40f2136f |
| SHA256 | 13315afd8f2956d32816c255235f182dbdef34f311b8da21b76d9c578ddf2337 |
| SHA512 | 7f613672057e3be2c6d38da2f9a57aacb265ff1b11b69589842412fca702bb8a53a13743c20cd0e7a65d99872b9616b8b9174352596bbb84b980a7b96f36ccf3 |
memory/3404-19-0x0000000002DF0000-0x0000000002DF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\22plhnb3\22plhnb3.dll
| MD5 | dba323b02a9b61f6766bcac3ccea0326 |
| SHA1 | 3616914b52f09470cf93fb29c615b7e54536e170 |
| SHA256 | 452c6e726f416f5324646e95faf7297908c6fc3ca29ee5df4577c0ada97c6e18 |
| SHA512 | c163aaaea7efd4cd9b9ef2f588928d39ef2882b5882ba31d25e1f19dc63f9390ba7e4ceb5091a8f3e45a9e16ccdd660accecc4dc05285b3bb1d4f1a21bd650a5 |
memory/3404-21-0x0000000005300000-0x000000000532A000-memory.dmp
memory/3404-22-0x0000000002E20000-0x0000000002E2C000-memory.dmp
memory/3404-23-0x00000000053D0000-0x0000000005472000-memory.dmp
memory/3404-24-0x00000000059B0000-0x0000000005A4C000-memory.dmp
memory/3888-25-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/3888-28-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/3404-29-0x0000000074E20000-0x00000000755D0000-memory.dmp
memory/3888-30-0x0000000000400000-0x00000000004A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3906287020-2915474608-1755617787-1000\0f5007522459c86e95ffcc62f32308f1_215f2dba-ef84-4dd1-b127-5f514a0c233b
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3906287020-2915474608-1755617787-1000\0f5007522459c86e95ffcc62f32308f1_215f2dba-ef84-4dd1-b127-5f514a0c233b
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
memory/3888-74-0x0000000000400000-0x00000000004A2000-memory.dmp