Analysis
- max time kernel: 129s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 08-05-2024 09:06
Static task: static1
Behavioral task: behavioral1
- Sample: 2423f7f4760abde3ea56dc0fe3c2ca64_JaffaCakes118.msi
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 2423f7f4760abde3ea56dc0fe3c2ca64_JaffaCakes118.msi
- Resource: win10v2004-20240419-en
General
- Target: 2423f7f4760abde3ea56dc0fe3c2ca64_JaffaCakes118.msi
- Size: 336KB
- MD5: 2423f7f4760abde3ea56dc0fe3c2ca64
- SHA1: c6355248b01b1257f61c0fba4d4f2e3302a1ebcf
- SHA256: a4f95f33320c2520836f546c933cdb167943aa51e8ee7001f72e9adbaf442fe4
- SHA512: 6192745ba233057508c3f65134a04be1f4f2fc8b0f1f273bcda7de43126c14cb43711318210cddde0fd2f0af3e4414c798863fb75ccd8266e6541b7296160342
- SSDEEP: 3072:zEbCnCdktWk9hvJls5fPzBRvwbEn5OiWzWq6tC:zEupxhiHzB2o0iC6
Malware Config
Extracted: lokibot
- http://www.crownventureintl.com/wip-admin/Panel/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: RegAsm.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (RegAsm.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (RegAsm.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (RegAsm.exe)
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: MSI2EA1.tmp
  - PID 292 (MSI2EA1.tmp) set thread context of PID 3020 (RegAsm.exe)
- Drops file in Windows directory (10 IoCs)
  Processes: msiexec.exe, DrvInst.exe
  - File created: C:\Windows\Installer\f762d19.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\f762d19.msi (msiexec.exe)
  - File created: C:\Windows\Installer\f762d1c.ipi (msiexec.exe)
  - File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
  - File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
  - File opened for modification: C:\Windows\Installer\MSI2E60.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI2EA1.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\f762d1c.ipi (msiexec.exe)
  - File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- Executes dropped EXE (1 IoC)
  Processes: MSI2EA1.tmp
  - PID 292 (MSI2EA1.tmp)
- Modifies data under HKEY_USERS (43 IoCs)
  Processes: DrvInst.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: msiexec.exe
  - PID 1984 (msiexec.exe)
  - PID 1984 (msiexec.exe)
- Suspicious use of AdjustPrivilegeToken (62 IoCs)
  Processes: msiexec.exe, msiexec.exe, vssvc.exe, DrvInst.exe, RegAsm.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: msiexec.exe
  - PID 2212 (msiexec.exe)
  - PID 2212 (msiexec.exe)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: msiexec.exe, MSI2EA1.tmp
  - PID 1984 (msiexec.exe) wrote to memory of PID 292 (MSI2EA1.tmp)
  - PID 1984 (msiexec.exe) wrote to memory of PID 292 (MSI2EA1.tmp)
  - PID 1984 (msiexec.exe) wrote to memory of PID 292 (MSI2EA1.tmp)
  - PID 1984 (msiexec.exe) wrote to memory of PID 292 (MSI2EA1.tmp)
  - PID 292 (MSI2EA1.tmp) wrote to memory of PID 3020 (RegAsm.exe)
  - PID 292 (MSI2EA1.tmp) wrote to memory of PID 3020 (RegAsm.exe)
  - PID 292 (MSI2EA1.tmp) wrote to memory of PID 3020 (RegAsm.exe)
  - PID 292 (MSI2EA1.tmp) wrote to memory of PID 3020 (RegAsm.exe)
  - PID 292 (MSI2EA1.tmp) wrote to memory of PID 3020 (RegAsm.exe)
  - PID 292 (MSI2EA1.tmp) wrote to memory of PID 3020 (RegAsm.exe)
  - PID 292 (MSI2EA1.tmp) wrote to memory of PID 3020 (RegAsm.exe)
  - PID 292 (MSI2EA1.tmp) wrote to memory of PID 3020 (RegAsm.exe)
  - PID 292 (MSI2EA1.tmp) wrote to memory of PID 3020 (RegAsm.exe)
  - PID 292 (MSI2EA1.tmp) wrote to memory of PID 3020 (RegAsm.exe)
  - PID 292 (MSI2EA1.tmp) wrote to memory of PID 3020 (RegAsm.exe)
  - PID 292 (MSI2EA1.tmp) wrote to memory of PID 3020 (RegAsm.exe)
  - PID 292 (MSI2EA1.tmp) wrote to memory of PID 3020 (RegAsm.exe)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
- outlook_office_path (1 IoC)
  Processes: RegAsm.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (RegAsm.exe)
- outlook_win_path (1 IoC)
  Processes: RegAsm.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (RegAsm.exe)
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2423f7f4760abde3ea56dc0fe3c2ca64_JaffaCakes118.msi
  PID: 2212
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1984
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Installer\MSI2EA1.tmp
    Command line: "C:\Windows\Installer\MSI2EA1.tmp"
    PID: 292
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      PID: 3020
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 772
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000564" "00000000000005B0"
  PID: 1816
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 663B
  MD5: 9c73bdc620d46531506dae267e228918
  SHA1: 96388d51de581a03a513ea9e3f0736ea91034418
  SHA256: d83f5bed83cc858c5419accb94b8d4fd106537ca1a7cabeb28a7aa2eeb16dc64
  SHA512: 8f3b1aa48d906a8fdb420e36304481ff6d49897e26f03ca335c89907e21279734c84a9ce159e7c0a3f162149a372a739ef236ebeea55b61328c0ec173cd3e098
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\0f5007522459c86e95ffcc62f32308f1_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2
  Filesize: 46B
  MD5: d898504a722bff1524134c6ab6a5eaa5
  SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\0f5007522459c86e95ffcc62f32308f1_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2
  Filesize: 46B
  MD5: c07225d4e7d01d31042965f048728a0a
  SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
  SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
  SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
- Filesize: 312KB
  MD5: 380c2ebcc1fa3d10ddb5edf6a9750aea
  SHA1: 0dc0b21d36c6edda592f3654a7819d03680defa7
  SHA256: 234b350d9cb211ec3d444efa5c03bfa0c04a38cf2cd63bfa309b1ce88567f2b7
  SHA512: c670bc53d9d8f8adc38429ecfc374326bbd689cbe420a381327eedcf1fd584fe0fa6f6034263b93e55bda9f71922559ac5553d5e6c42735d26c4788028a76834