locky_lukitus | 5bf84469051c85bd684e03eb46f774cb1e913884c95acf7b210a8a4469da8d9f

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

230606dd8b0d62e2a8a04ef61b2d8707_JaffaCakes118.exe
Size

660KB
MD5

230606dd8b0d62e2a8a04ef61b2d8707
SHA1

5c50cdad090de913d0c87edeb392c8df1af9f5c3
SHA256

5bf84469051c85bd684e03eb46f774cb1e913884c95acf7b210a8a4469da8d9f
SHA512

188e08205a38730057c63753451784a499657380cb0384e7d7f9ed9b5c3d60aad8daeae47e125ab22fd23357920bfd79a69423c5f9d733269160a2a7331df77d
SSDEEP

12288:lMtWh23Ks1mQnWattmsbMVSH05SxQiEQ9jmE56:lMtP3p0RzYa+E

Score

10^/10

locky_lukitus ransomware

Malware Config

Signatures

Locky (Lukitus variant)
Variant of the Locky ransomware seen in the wild since late 2017.
ransomware locky_lukitus

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\lukitus.bmp"	230606dd8b0d62e2a8a04ef61b2d8707_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\Desktop\WallpaperStyle = "0"	230606dd8b0d62e2a8a04ef61b2d8707_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\Desktop\TileWallpaper = "0"	230606dd8b0d62e2a8a04ef61b2d8707_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
4944	msedge.exe
4944	msedge.exe
3964	identity_helper.exe
3964	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 4944	2176	230606dd8b0d62e2a8a04ef61b2d8707_JaffaCakes118.exe	105
PID 2176 wrote to memory of 4944	2176	230606dd8b0d62e2a8a04ef61b2d8707_JaffaCakes118.exe	105
PID 4944 wrote to memory of 4920	4944	msedge.exe	106
PID 4944 wrote to memory of 4920	4944	msedge.exe	106
PID 2176 wrote to memory of 4100	2176	230606dd8b0d62e2a8a04ef61b2d8707_JaffaCakes118.exe	107
PID 2176 wrote to memory of 4100	2176	230606dd8b0d62e2a8a04ef61b2d8707_JaffaCakes118.exe	107
PID 2176 wrote to memory of 4100	2176	230606dd8b0d62e2a8a04ef61b2d8707_JaffaCakes118.exe	107
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 4600	4944	msedge.exe	109
PID 4944 wrote to memory of 2052	4944	msedge.exe	110
PID 4944 wrote to memory of 2052	4944	msedge.exe	110
PID 4944 wrote to memory of 3764	4944	msedge.exe	111
PID 4944 wrote to memory of 3764	4944	msedge.exe	111
PID 4944 wrote to memory of 3764	4944	msedge.exe	111
PID 4944 wrote to memory of 3764	4944	msedge.exe	111
PID 4944 wrote to memory of 3764	4944	msedge.exe	111
PID 4944 wrote to memory of 3764	4944	msedge.exe	111
PID 4944 wrote to memory of 3764	4944	msedge.exe	111
PID 4944 wrote to memory of 3764	4944	msedge.exe	111
PID 4944 wrote to memory of 3764	4944	msedge.exe	111
PID 4944 wrote to memory of 3764	4944	msedge.exe	111
PID 4944 wrote to memory of 3764	4944	msedge.exe	111
PID 4944 wrote to memory of 3764	4944	msedge.exe	111
PID 4944 wrote to memory of 3764	4944	msedge.exe	111
PID 4944 wrote to memory of 3764	4944	msedge.exe	111
PID 4944 wrote to memory of 3764	4944	msedge.exe	111

C:\Users\Admin\AppData\Local\Temp\230606dd8b0d62e2a8a04ef61b2d8707_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\230606dd8b0d62e2a8a04ef61b2d8707_JaffaCakes118.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\lukitus.htm
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffcb0846f8,0x7fffcb084708,0x7fffcb084718
    3⤵
    PID:4920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,1763773949786878820,15903377528931462561,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
    3⤵
    PID:4600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,1763773949786878820,15903377528931462561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,1763773949786878820,15903377528931462561,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
    3⤵
    PID:3764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1763773949786878820,15903377528931462561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:1488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1763773949786878820,15903377528931462561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2156 /prefetch:1
    3⤵
    PID:3388
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1763773949786878820,15903377528931462561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
    3⤵
    PID:1812
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1763773949786878820,15903377528931462561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1763773949786878820,15903377528931462561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
    3⤵
    PID:4152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1763773949786878820,15903377528931462561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
    3⤵
    PID:3092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1763773949786878820,15903377528931462561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:1620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1763773949786878820,15903377528931462561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
    3⤵
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\230606dd8b0d62e2a8a04ef61b2d8707_JaffaCakes118.exe"
  2⤵
  PID:4100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fbe1ce4d182aaffb80de94263be1dd35

SHA1
bc6c9827aa35a136a7d79be9e606ff359e2ac3ea

SHA256
0021f72dbca789f179762b0e17c28fe0b93a12539b08294800e47469905aeb51

SHA512
3fb0a3b38e7d4a30f5560594b1d14e6e58419e274255fb68dfe0ca897aa181f9ce8cb2048403f851fd36a17b0e34d272d03927769d41a500b2fe64806354902f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2a70f1bd4da893a67660d6432970788d

SHA1
ddf4047e0d468f56ea0c0d8ff078a86a0bb62873

SHA256
c550af5ba51f68ac4d18747edc5dea1a655dd212d84bad1e6168ba7a97745561

SHA512
26b9a365e77df032fc5c461d85d1ba313eafead38827190608c6537ec12b2dfdbed4e1705bfd1e61899034791ad6fa88ea7490c3a48cdaec4d04cd0577b11343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b390a74bd9794958d3c7c5cd054a09c9

SHA1
0096e701bbb28d64a3f43a7d6f5c809a820bbf5f

SHA256
8a3d5693b53c7dabe7984a162b45656daac0b02caf2482e1a78d0282bae2547b

SHA512
fb63e042069b992c440a5165355b0826a7766f3e37bd84330b0c09f4b654c34ce1c0c561565dd7ec75b1da50b840164745aedaed3876603d085ce1769efa354d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
540040963999d5da3d30957977f4fe43

SHA1
16a0308373d58d4a1bb7cf1f0c1e98f27c774987

SHA256
19a151a53ede965c501e9545672932e0c4e72e210a8fa8ab6ede51fcdafc6b8b

SHA512
ffc366d787ef5f1339ccee72665d8dc812517b7e9e6b625332564e39f4c96c14772c68e6feda7fdf15e20779b7115bc4780c521d81f8069bbafccc245f6567e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0e16d620ec4ec829c1179f72c0a19547

SHA1
c5912d806f0c1c2cee0387b25b0342ce7a869118

SHA256
b5fb0f5f0172f424fbec23378c356ae1e1d028a278d5793fbc8036f3e2d0c9db

SHA512
21a0ad20010676c83bc1fe9ef6bf54ae433fe3966ef83ded2a45fdeb6b1af8a606766e3c66934dcb6cf40afaf582f8980a9a25c7173ea1c6d4a1236edf190a8d

Download Submit
C:\lukitus-2b38.htm

Filesize
8KB

MD5
efc88cdc917e9e6346b6192f0ac46993

SHA1
fcdc87e50b8d5cbb76d27e0a4cb5cdd4e137a39b

SHA256
f7a878373ccf321c368e4c2731f17da323668019797a6895fa2a57e05cbe5dd6

SHA512
ccf866fad2de898814a31f273d6f7f000d6904d2659e211e99bf40ecc2bfa3e9a884ef2bf042c17108faaced434cebfb75b0a7eed96511f27e8930664beeae37

Download Submit
memory/2176-2-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2176-9-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2176-317-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2176-8-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2176-7-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2176-5-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2176-0-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2176-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2176-4-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2176-1-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download