Analysis
Max time kernel: 137s
Max time network: 114s
Platform: windows10-2004_x64
Resource: win10v2004-20240419-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07-05-2024 01:03
Static task: static1
Behavioral task: behavioral1
  Sample: 1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe
Size: 1.0MB
MD5: 1eeb57c0877a06d18aa028e87d5158b4
SHA1: d086921faba08c2600d862b680b70a53a3bfb88e
SHA256: d8c8496ad93779966bb498f8749bae4b6cdf2e1bd46c75a341e81a19fefde4a3
SHA512: 16303c9bcedbfe4c5d6c953e39a98014d7f355e1c6413f960094840fb9e7f581832cc54a0557cc81e3e212f48c82d6897bcbaa4bc3fdecb72043757349f153b1
SSDEEP: 24576:zglru6TUwOFJqxotNMKoGAIp7WfJ8H7bDdwb6ju63uNF+:cSva65pE8XDVaNw
Malware Config
Extracted
Family: lokibot
C2:
  http://djanic.duckdns.org/fashion/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation  (1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe)

Executes dropped EXE (1 IoC)
Processes: Jpxquhr.exe
  PID 1636  Jpxquhr.exe

Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
Processes: TapiUnattend.exe, svchost.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  (TapiUnattend.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  (TapiUnattend.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (svchost.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  (svchost.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  (svchost.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (TapiUnattend.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Jpxquhr.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jpxq = "C:\\Users\\Admin\\AppData\\Local\\Jpxq\\Jpxq_setko.hta"  (Jpxquhr.exe)

Suspicious use of SetThreadContext (2 IoCs)
Processes: Jpxquhr.exe
  PID 1636 set thread context of 1312  Jpxquhr.exe -> TapiUnattend.exe
  PID 1636 set thread context of 1736  Jpxquhr.exe -> svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: Jpxquhr.exe
  PID 1636  Jpxquhr.exe  (12 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: TapiUnattend.exe, svchost.exe
  Token: SeDebugPrivilege  PID 1312  TapiUnattend.exe
  Token: SeDebugPrivilege  PID 1736  svchost.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: 1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe, Jpxquhr.exe
  PID 3512 wrote to memory of 1636  1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe -> Jpxquhr.exe  (3 occurrences)
  PID 1636 wrote to memory of 1312  Jpxquhr.exe -> TapiUnattend.exe  (5 occurrences)
  PID 1636 wrote to memory of 1736  Jpxquhr.exe -> svchost.exe  (5 occurrences)

outlook_office_path (1 IoC)
Processes: svchost.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  (svchost.exe)

outlook_win_path (1 IoC)
Processes: svchost.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (svchost.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe  (PID 3512)
  command line: "C:\Users\Admin\AppData\Local\Temp\1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Jpxquhr.exe  (PID 1636)
    command line: "C:\Users\Admin\AppData\Local\Temp\Jpxquhr.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\TapiUnattend.exe  (PID 1312)
      command line: "C:\Windows\System32\TapiUnattend.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\svchost.exe  (PID 1736)
      command line: "C:\Windows\System32\svchost.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

Note: both depth-3 children are started with a System32 command line but run from SysWOW64, which is WoW64 file-system redirection applied to a 32-bit parent. Each is written to by Jpxquhr.exe (PID 1636) and then has its thread context set by it, the process-hollowing sequence that the WriteProcessMemory and SetThreadContext signatures above record; the Outlook profile lookups are therefore performed by injected code inside two legitimate Windows binaries.
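The signature and process-tree lines above are what an analyst turns into hunt indicators. The following Python script is an added example, not part of the sandbox report or of any vendor tooling: it parses the report's own IoC lines (copied from this page and embedded inline so it runs offline) and derives three things: the injector/target pairs where Jpxquhr.exe both wrote into and set the thread context of a Windows system binary, the C2 hosts with dynamic-DNS hosts flagged, and the Run-key persistence entry with the sandbox's doubled backslashes collapsed. The pairing heuristic, the dictionary field names and the `SYSTEM_DIRS` list are my assumptions, not the sandbox's scoring logic.

```python
"""Turn a sandbox report's behavioural IoCs into hunt-ready indicators.

Added example, not part of the sandbox report. Inputs are copied from this
report; heuristics, field names and SYSTEM_DIRS are the author's assumptions.
"""
import re
from urllib.parse import urlparse

# Extracted C2 URLs, as listed under "Malware Config".
C2_URLS = [
    "http://djanic.duckdns.org/fashion/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# (image path, command line) per PID, from the "Processes" tree.
PROCESSES = {
    3512: (r"C:\Users\Admin\AppData\Local\Temp\1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe"'),
    1636: (r"C:\Users\Admin\AppData\Local\Temp\Jpxquhr.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\Jpxquhr.exe"'),
    1312: (r"C:\Windows\SysWOW64\TapiUnattend.exe", r'"C:\Windows\System32\TapiUnattend.exe"'),
    1736: (r"C:\Windows\SysWOW64\svchost.exe", r'"C:\Windows\System32\svchost.exe"'),
}

# One IoC per line in the sandbox's own wording. A repeated write line is kept
# to show that repeats are de-duplicated (the report lists some five times).
EVENTS = r"""
PID 3512 wrote to memory of 1636 3512 1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe Jpxquhr.exe
PID 1636 wrote to memory of 1312 1636 Jpxquhr.exe TapiUnattend.exe
PID 1636 wrote to memory of 1312 1636 Jpxquhr.exe TapiUnattend.exe
PID 1636 wrote to memory of 1736 1636 Jpxquhr.exe svchost.exe
PID 1636 set thread context of 1312 1636 Jpxquhr.exe TapiUnattend.exe
PID 1636 set thread context of 1736 1636 Jpxquhr.exe svchost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jpxq = "C:\\Users\\Admin\\AppData\\Local\\Jpxq\\Jpxq_setko.hta" Jpxquhr.exe
"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\b")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)\b")
RUN_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\USER\\(S-1-5-[\d-]+)\\'
    r'(SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run)\\(\w+) = "(.*)" (\S+)$'
)
# Assumed: only targets under these directories count as "system binaries".
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def find_hollowing(events, processes):
    """Assumed heuristic: a parent that both writes into a child's memory and
    resets its thread context, where the child is a Windows system binary, is
    reported as process hollowing. 3512 -> 1636 fails both conditions."""
    writes, ctx = set(), set()
    for line in events.splitlines():
        if m := WRITE_RE.match(line):
            writes.add((int(m[1]), int(m[2])))
        elif m := CTX_RE.match(line):
            ctx.add((int(m[1]), int(m[2])))
    findings = []
    for injector, target in sorted(writes & ctx):
        image, cmdline = processes[target]
        if not image.lower().startswith(SYSTEM_DIRS):
            continue
        # A System32 command line that lands in SysWOW64 is WoW64 file-system
        # redirection, i.e. the injector is a 32-bit process.
        mismatch = cmdline.strip('"').lower() != image.lower()
        findings.append({"injector": injector, "target": target,
                         "image": image, "cmdline_path_mismatch": mismatch})
    return findings


def c2_hosts(urls):
    """Split each extracted URL into host and path; flag dynamic-DNS hosts."""
    out = []
    for url in urls:
        p = urlparse(url)
        out.append({"host": p.hostname, "path": p.path,
                    "dynamic_dns": p.hostname.endswith(".duckdns.org")})
    return out


def parse_run_keys(events):
    """Recover the Run-key entry. The sandbox prints REG_SZ data with doubled
    backslashes; collapse them so the path matches what a live host shows."""
    out = []
    for line in events.splitlines():
        if m := RUN_RE.match(line):
            sid, key, name, data, proc = m.groups()
            data = data.replace("\\\\", "\\")
            out.append({"hive_path": f"HKU\\{sid}\\{key}", "name": name,
                        "data": data, "process": proc,
                        "launches_hta": data.lower().endswith(".hta")})
    return out


if __name__ == "__main__":
    for item in (find_hollowing(EVENTS, PROCESSES) + c2_hosts(C2_URLS)
                 + parse_run_keys(EVENTS)):
        print(item)
```

The `cmdline_path_mismatch` field is what distinguishes these two children from a legitimate 64-bit svchost.exe: a SysWOW64 image spawned with a System32 command line only happens when the creating process is itself 32-bit. The `launches_hta` flag is worth surfacing because the Run value does not point at the dropped EXE but at an .hta file, so a hunt for the persistence must look for mshta.exe launches of that path rather than for Jpxquhr.exe alone.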
Network
MITRE ATT&CK Enterprise v15
Downloads

(no path reported)
  Filesize: 581KB
  MD5: 625f27cb29149f99eb93735d15e69d80
  SHA1: 6e1ceb59b5f2985753cf4b9331fd0b5ee7d606a6
  SHA256: 864d203102cd402deb72fbf66b27fb288d8cd3cb0b1cd879c13cc31aa904bdc6
  SHA512: 64e3ea68f6c27d57b9a10b8e0ccb1b439bda38621d04cae08d787506dd07f49517a94852597c72c4a0061d155369bf2881b01ed7c93f7a3dbc9ed339a153bd24

(no path reported)
  Filesize: 852KB
  MD5: 6a8b19b1a958e846116ffe3ea5ca5cd6
  SHA1: c6b75c86600d47b686e4f10b09810b6583b4843e
  SHA256: feec0a596b7e08a8221650ae960b986ccc7e4634db6257c66325e8d2fdc7b04c
  SHA512: 037306796aa558cadaebfbe5ba6bfb8a0e4ad83976269a5ab693306842aa7e58470d2957400b75e94a683a0cfe9ed11b83311d754b72a4c3d22cd1cb08b00e3f

(no path reported)
  Filesize: 12KB
  MD5: d5bffd755f566aaacb57cf83fdaa5cd0
  SHA1: 16a24f8718fe0927517d6e75206beb3988c01177
  SHA256: 9ffa72ead7927f09d7106c62d5fde25e27f7bff27099101e15e5f7e903cd00f4
  SHA512: a20361dc3e9a4dc973bee58e4e1d2047b82efed3a48fcb2d3ed4613207bd83fda7bae4e716796a37595f9decab87236df159c9de9a468dfbde9205677e1dc21d

(no path reported)
  Filesize: 4B
  MD5: 7b6821c03d45d0f441e8a4f8a5acdf1d
  SHA1: e8bdbaa8bc2c0597ff9dc1031b9a01cc22371905
  SHA256: a1083c91f85a7980b062fd204f2a435ea40575f4933c4950ade6f68c134c4388
  SHA512: 35fc3b3ace64ea80b93d4f37318bb73b7e7d6949d573a68e737def5f12b8dcc3a8f74afe12169f65b020f549d24727f64636aa966c2f059708133e87d3420811

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3411335054-1982420046-2118495756-1000\0f5007522459c86e95ffcc62f32308f1_e7a16734-7acf-4ca3-a39d-c3eddafc0513
  Filesize: 46B
  MD5: c07225d4e7d01d31042965f048728a0a
  SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
  SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
  SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3411335054-1982420046-2118495756-1000\0f5007522459c86e95ffcc62f32308f1_e7a16734-7acf-4ca3-a39d-c3eddafc0513
  Filesize: 46B
  MD5: d898504a722bff1524134c6ab6a5eaa5
  SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61