Analysis
- max time kernel: 134s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
- submitted: 08-05-2024 07:26

Static task: static1
Behavioral task: behavioral1
- Sample: 23ce2105091ff8f721ff05b5adea9473_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 23ce2105091ff8f721ff05b5adea9473_JaffaCakes118.exe
- Size: 230KB
- MD5: 23ce2105091ff8f721ff05b5adea9473
- SHA1: 3d427b0c8f7165ef5966fb0b22a6bf8768638e6b
- SHA256: da139240b18d550c7c38051e30bb83213e06273f1267ff5ac748e59ef9790bd6
- SHA512: 1d21bea08e470dc0ad5b6b5381151f949e1c0c4bb2adcb417d59150a821e168572102367b43c423d5eed88f7f496024fb50388126150a8dc2b2ad3356ced563c
- SSDEEP: 6144:iNe6CngtmMTiaYel88voZqJmwUlNRPo0tGUcqHuPz+Ng:iNBFXTqel88v0qgwUTFbTcSuau
Malware Config
Extracted family: lokibot
URLs:
- https://lonqtek.com/eze/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation | process: 23ce2105091ff8f721ff05b5adea9473_JaffaCakes118.exe

Drops startup file (1 IoCs)
Processes:
- description: File created | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.2w10zrud.lnk | process: 23ce2105091ff8f721ff05b5adea9473_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
Processes:
- pid: 1104 | process: app.exe
- pid: 4828 | process: app.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
- description: PID 1104 set thread context of 4828 | pid: 1104 | process: app.exe | target process: app.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- description: Token: SeDebugPrivilege | pid: 2880 | process: 23ce2105091ff8f721ff05b5adea9473_JaffaCakes118.exe
- description: Token: SeDebugPrivilege | pid: 1104 | process: app.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
- pid: 2880 | process: 23ce2105091ff8f721ff05b5adea9473_JaffaCakes118.exe

Suspicious use of SendNotifyMessage (1 IoCs)
Processes:
- pid: 2880 | process: 23ce2105091ff8f721ff05b5adea9473_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- description: PID 2880 wrote to memory of 1104 | pid: 2880 | process: 23ce2105091ff8f721ff05b5adea9473_JaffaCakes118.exe | target process: app.exe (3 occurrences)
- description: PID 1104 wrote to memory of 4828 | pid: 1104 | process: app.exe | target process: app.exe (9 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\23ce2105091ff8f721ff05b5adea9473_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\23ce2105091ff8f721ff05b5adea9473_JaffaCakes118.exe"
  PID: 2880
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
    PID: 1104
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
      PID: 4828
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
  Filesize: 230KB
  MD5: 23ce2105091ff8f721ff05b5adea9473
  SHA1: 3d427b0c8f7165ef5966fb0b22a6bf8768638e6b
  SHA256: da139240b18d550c7c38051e30bb83213e06273f1267ff5ac748e59ef9790bd6
  SHA512: 1d21bea08e470dc0ad5b6b5381151f949e1c0c4bb2adcb417d59150a821e168572102367b43c423d5eed88f7f496024fb50388126150a8dc2b2ad3356ced563c

Memory dumps:
- memory/1104-16-0x0000000074BE0000-0x0000000075191000-memory.dmp | Filesize: 5.7MB
- memory/1104-28-0x0000000074BE0000-0x0000000075191000-memory.dmp | Filesize: 5.7MB
- memory/1104-22-0x0000000074BE0000-0x0000000075191000-memory.dmp | Filesize: 5.7MB
- memory/1104-18-0x0000000074BE0000-0x0000000075191000-memory.dmp | Filesize: 5.7MB
- memory/1104-17-0x0000000074BE0000-0x0000000075191000-memory.dmp | Filesize: 5.7MB
- memory/2880-3-0x0000000074BE0000-0x0000000075191000-memory.dmp | Filesize: 5.7MB
- memory/2880-4-0x0000000074BE2000-0x0000000074BE3000-memory.dmp | Filesize: 4KB
- memory/2880-0-0x0000000074BE2000-0x0000000074BE3000-memory.dmp | Filesize: 4KB
- memory/2880-21-0x0000000074BE0000-0x0000000075191000-memory.dmp | Filesize: 5.7MB
- memory/2880-2-0x0000000074BE0000-0x0000000075191000-memory.dmp | Filesize: 5.7MB
- memory/2880-1-0x0000000074BE0000-0x0000000075191000-memory.dmp | Filesize: 5.7MB
- memory/4828-25-0x0000000000780000-0x0000000000822000-memory.dmp | Filesize: 648KB