lokibot | e0901ef3e5ebff335dffe5f654159c85f35345ccd93f1a72cce1866a93af0fda

General

Target

183d893845a51e01418992483191c9a2_JaffaCakes118.exe
Size

476KB
MD5

183d893845a51e01418992483191c9a2
SHA1

4ee5c62db9d70074b2d6a15953e21667706e1f33
SHA256

e0901ef3e5ebff335dffe5f654159c85f35345ccd93f1a72cce1866a93af0fda
SHA512

708e0b90c6e20f64387d2ea3377bd4f827b269cdc9a921e20e1334b975c5d2d5b3fab19eb1033767a6868ef10e5edd536d518f724ad538a3bc05f94017b092af
SSDEEP

12288:qFAsaKa799jzLck72I7TxmMYQMHaOHUmqlcluG:eTa7jzck72IxTl6jHcG

Score

10^/10

lokibot sality backdoor collection evasion spyware stealer trojan upx

Malware Config

Extracted

Family

lokibot

C2

http://mclhk-net.com/hiswounds/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	AppLaunch.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

AppLaunch.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AppLaunch.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	AppLaunch.exe

Deletes itself 1 IoCs

Processes:

AppLaunch.exe

pid process

4408 AppLaunch.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4408-12-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-16-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-17-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-20-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-19-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-18-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-22-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-14-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-15-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-23-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-40-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-39-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-47-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-51-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-52-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-94-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-95-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-97-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-98-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-101-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-103-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-105-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-108-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-109-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-112-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-114-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-116-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-117-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-125-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-129-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-130-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-131-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-133-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-135-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/4408-147-0x0000000002230000-0x00000000032EA000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	AppLaunch.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
File opened (read-only)	\??\J:	AppLaunch.exe
File opened (read-only)	\??\L:	AppLaunch.exe
File opened (read-only)	\??\M:	AppLaunch.exe
File opened (read-only)	\??\R:	AppLaunch.exe
File opened (read-only)	\??\V:	AppLaunch.exe
File opened (read-only)	\??\E:	AppLaunch.exe
File opened (read-only)	\??\H:	AppLaunch.exe
File opened (read-only)	\??\I:	AppLaunch.exe
File opened (read-only)	\??\W:	AppLaunch.exe
File opened (read-only)	\??\Y:	AppLaunch.exe
File opened (read-only)	\??\X:	AppLaunch.exe
File opened (read-only)	\??\K:	AppLaunch.exe
File opened (read-only)	\??\N:	AppLaunch.exe
File opened (read-only)	\??\T:	AppLaunch.exe
File opened (read-only)	\??\Z:	AppLaunch.exe
File opened (read-only)	\??\G:	AppLaunch.exe
File opened (read-only)	\??\P:	AppLaunch.exe
File opened (read-only)	\??\Q:	AppLaunch.exe
File opened (read-only)	\??\O:	AppLaunch.exe
File opened (read-only)	\??\S:	AppLaunch.exe
File opened (read-only)	\??\U:	AppLaunch.exe

Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

AppLaunch.exe

description ioc process

File opened for modification C:\autorun.inf AppLaunch.exe
File opened for modification F:\autorun.inf AppLaunch.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

183d893845a51e01418992483191c9a2_JaffaCakes118.exe

description pid process target process

PID 4160 set thread context of 4408 4160 183d893845a51e01418992483191c9a2_JaffaCakes118.exe AppLaunch.exe

description	ioc	process
File opened for modification	C:\autorun.inf	AppLaunch.exe
File opened for modification	F:\autorun.inf	AppLaunch.exe

description	pid	process	target process
PID 4160 set thread context of 4408	4160	183d893845a51e01418992483191c9a2_JaffaCakes118.exe	AppLaunch.exe

Drops file in Program Files directory 12 IoCs

Processes:

AppLaunch.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	AppLaunch.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	AppLaunch.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	AppLaunch.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	AppLaunch.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	AppLaunch.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	AppLaunch.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	AppLaunch.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	AppLaunch.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	AppLaunch.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	AppLaunch.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	AppLaunch.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	AppLaunch.exe

Drops file in Windows directory 4 IoCs

Processes:

183d893845a51e01418992483191c9a2_JaffaCakes118.exeAppLaunch.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	183d893845a51e01418992483191c9a2_JaffaCakes118.exe
File created	C:\Windows\e58bb4c	AppLaunch.exe
File opened for modification	C:\Windows\SYSTEM.INI	AppLaunch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	183d893845a51e01418992483191c9a2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AppLaunch.exe

pid	process
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe
4408	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

183d893845a51e01418992483191c9a2_JaffaCakes118.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4160	183d893845a51e01418992483191c9a2_JaffaCakes118.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe
Token: SeDebugPrivilege	4408	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

183d893845a51e01418992483191c9a2_JaffaCakes118.exeAppLaunch.exe

description	pid	process	target process
PID 4160 wrote to memory of 4408	4160	183d893845a51e01418992483191c9a2_JaffaCakes118.exe	AppLaunch.exe
PID 4160 wrote to memory of 4408	4160	183d893845a51e01418992483191c9a2_JaffaCakes118.exe	AppLaunch.exe
PID 4160 wrote to memory of 4408	4160	183d893845a51e01418992483191c9a2_JaffaCakes118.exe	AppLaunch.exe
PID 4160 wrote to memory of 4408	4160	183d893845a51e01418992483191c9a2_JaffaCakes118.exe	AppLaunch.exe
PID 4160 wrote to memory of 4408	4160	183d893845a51e01418992483191c9a2_JaffaCakes118.exe	AppLaunch.exe
PID 4160 wrote to memory of 4408	4160	183d893845a51e01418992483191c9a2_JaffaCakes118.exe	AppLaunch.exe
PID 4160 wrote to memory of 4408	4160	183d893845a51e01418992483191c9a2_JaffaCakes118.exe	AppLaunch.exe
PID 4160 wrote to memory of 4408	4160	183d893845a51e01418992483191c9a2_JaffaCakes118.exe	AppLaunch.exe
PID 4160 wrote to memory of 4408	4160	183d893845a51e01418992483191c9a2_JaffaCakes118.exe	AppLaunch.exe
PID 4408 wrote to memory of 800	4408	AppLaunch.exe	fontdrvhost.exe
PID 4408 wrote to memory of 808	4408	AppLaunch.exe	fontdrvhost.exe
PID 4408 wrote to memory of 384	4408	AppLaunch.exe	dwm.exe
PID 4408 wrote to memory of 2392	4408	AppLaunch.exe	sihost.exe
PID 4408 wrote to memory of 2408	4408	AppLaunch.exe	svchost.exe
PID 4408 wrote to memory of 2488	4408	AppLaunch.exe	taskhostw.exe
PID 4408 wrote to memory of 3188	4408	AppLaunch.exe	Explorer.EXE
PID 4408 wrote to memory of 3496	4408	AppLaunch.exe	svchost.exe
PID 4408 wrote to memory of 3720	4408	AppLaunch.exe	DllHost.exe
PID 4408 wrote to memory of 3820	4408	AppLaunch.exe	StartMenuExperienceHost.exe
PID 4408 wrote to memory of 3928	4408	AppLaunch.exe	RuntimeBroker.exe
PID 4408 wrote to memory of 4036	4408	AppLaunch.exe	SearchApp.exe
PID 4408 wrote to memory of 3456	4408	AppLaunch.exe	RuntimeBroker.exe
PID 4408 wrote to memory of 4512	4408	AppLaunch.exe	RuntimeBroker.exe
PID 4408 wrote to memory of 4944	4408	AppLaunch.exe	TextInputHost.exe
PID 4408 wrote to memory of 2456	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 3988	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 2448	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 2120	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 2824	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 3568	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 4912	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 4160	4408	AppLaunch.exe	183d893845a51e01418992483191c9a2_JaffaCakes118.exe
PID 4408 wrote to memory of 4160	4408	AppLaunch.exe	183d893845a51e01418992483191c9a2_JaffaCakes118.exe
PID 4408 wrote to memory of 4892	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 800	4408	AppLaunch.exe	fontdrvhost.exe
PID 4408 wrote to memory of 808	4408	AppLaunch.exe	fontdrvhost.exe
PID 4408 wrote to memory of 384	4408	AppLaunch.exe	dwm.exe
PID 4408 wrote to memory of 2392	4408	AppLaunch.exe	sihost.exe
PID 4408 wrote to memory of 2408	4408	AppLaunch.exe	svchost.exe
PID 4408 wrote to memory of 2488	4408	AppLaunch.exe	taskhostw.exe
PID 4408 wrote to memory of 3188	4408	AppLaunch.exe	Explorer.EXE
PID 4408 wrote to memory of 3496	4408	AppLaunch.exe	svchost.exe
PID 4408 wrote to memory of 3720	4408	AppLaunch.exe	DllHost.exe
PID 4408 wrote to memory of 3820	4408	AppLaunch.exe	StartMenuExperienceHost.exe
PID 4408 wrote to memory of 3928	4408	AppLaunch.exe	RuntimeBroker.exe
PID 4408 wrote to memory of 4036	4408	AppLaunch.exe	SearchApp.exe
PID 4408 wrote to memory of 3456	4408	AppLaunch.exe	RuntimeBroker.exe
PID 4408 wrote to memory of 4512	4408	AppLaunch.exe	RuntimeBroker.exe
PID 4408 wrote to memory of 4944	4408	AppLaunch.exe	TextInputHost.exe
PID 4408 wrote to memory of 2456	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 3988	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 2448	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 2120	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 2824	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 3568	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 4912	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 4892	4408	AppLaunch.exe	msedge.exe
PID 4408 wrote to memory of 800	4408	AppLaunch.exe	fontdrvhost.exe
PID 4408 wrote to memory of 808	4408	AppLaunch.exe	fontdrvhost.exe
PID 4408 wrote to memory of 384	4408	AppLaunch.exe	dwm.exe
PID 4408 wrote to memory of 2392	4408	AppLaunch.exe	sihost.exe
PID 4408 wrote to memory of 2408	4408	AppLaunch.exe	svchost.exe
PID 4408 wrote to memory of 2488	4408	AppLaunch.exe	taskhostw.exe
PID 4408 wrote to memory of 3188	4408	AppLaunch.exe	Explorer.EXE

outlook_office_path 1 IoCs

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	AppLaunch.exe

outlook_win_path 1 IoCs

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	AppLaunch.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:808

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:384

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2408

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\183d893845a51e01418992483191c9a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\183d893845a51e01418992483191c9a2_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Accesses Microsoft Outlook profiles
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4036

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4512

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x258,0x7ffe66152e98,0x7ffe66152ea4,0x7ffe66152eb0
2⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2272 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:2
2⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2312 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:3
2⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2588 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
2⤵
PID:2824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5308 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
2⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5572 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
2⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
2⤵
PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\0f5007522459c86e95ffcc62f32308f1_2397ee06-28fe-4eaa-8777-f7014368c353
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\0f5007522459c86e95ffcc62f32308f1_2397ee06-28fe-4eaa-8777-f7014368c353
Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\yjwil.pif
Filesize
97KB

MD5
f6b9be6a60613579f91c843fa0b103b6

SHA1
5ccf3e0b4f529075ceea07a2994dbaaa7f09e038

SHA256
e2ca107878cfa98411a79ddbf8d043dc2d72630ec3fca45bafb40b8e53ea3cbd

SHA512
c85f6c62939608b1360305d00ffd4a8582224ec59bc2643306307eba949249970a1f1562e8c1a570c1d13463ee227ee81163285ff4000ebc676f6c240b049754

Download Submit
memory/4160-3-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/4160-4-0x0000000074E02000-0x0000000074E03000-memory.dmp

Filesize
4KB

Download
memory/4160-5-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/4160-37-0x0000000006C90000-0x0000000006C92000-memory.dmp

Filesize
8KB

Download
memory/4160-2-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/4160-1-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/4160-46-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/4160-43-0x0000000006C90000-0x0000000006C92000-memory.dmp

Filesize
8KB

Download
memory/4160-0-0x0000000074E02000-0x0000000074E03000-memory.dmp

Filesize
4KB

Download
memory/4160-31-0x0000000006C90000-0x0000000006C92000-memory.dmp

Filesize
8KB

Download
memory/4160-32-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/4160-35-0x0000000006C90000-0x0000000006C92000-memory.dmp

Filesize
8KB

Download
memory/4408-40-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-94-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-34-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/4408-36-0x0000000003410000-0x0000000003412000-memory.dmp

Filesize
8KB

Download
memory/4408-19-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-20-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-17-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-18-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-22-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-14-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-15-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-23-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-16-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-39-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-12-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-10-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4408-47-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-51-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-52-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-9-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4408-8-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4408-38-0x0000000003410000-0x0000000003412000-memory.dmp

Filesize
8KB

Download
memory/4408-95-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-97-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-98-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-101-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-103-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-105-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-108-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-109-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-112-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-114-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-116-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-117-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-125-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-129-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-130-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-131-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-133-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-135-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-146-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4408-147-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4408-148-0x0000000003410000-0x0000000003412000-memory.dmp

Filesize
8KB

Download
memory/4408-6-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads