Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08-05-2024 15:41
Static task: static1
Behavioral task: behavioral1
Sample: 258c60b279a8debef184b5c01766604f_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 258c60b279a8debef184b5c01766604f_JaffaCakes118.exe
Size: 280KB
MD5: 258c60b279a8debef184b5c01766604f
SHA1: 011f5dda5f08ac9f3ec5723ce3d54ad738f8a367
SHA256: 20a58ef0190c09058cef8c973a92a39a1aa125a350cd47e381d44937983274a9
SHA512: 50d90c2eedbf941d6e38ab8274b11654bcf8b613c8aa03ba10fcc9a4ef29551ed88f47d21bb12c11648e7524a8d1fe73c11e0c8864d01b8c9fe0773952e5c313
SSDEEP: 6144:72j756oaGYq2ygcOCJPExIn52TO18L63E4xK:yj09ygcOQZ5iO1u38K
Malware Config
Extracted: lokibot
  http://arenamedia.co.ke/include/dbes/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
  Note: all five panel URLs share the fre.php gate script, so the path is a usable proxy-log pivot alongside the hostnames.

Extracted: nanocore
  1.2.2.0
  dbesth1.ddns.net:3455
  154.16.220.30:3455
  3cea4056-063b-4394-b13d-4dc863235987
  activate_away_mode: true
  backup_connection_host: 154.16.220.30
  backup_dns_server: 8.8.4.4
  buffer_size: 65535
  build_time: 2018-04-10T23:16:59.261349436Z
  bypass_user_account_control: true
  bypass_user_account_control_data: (empty)
  clear_access_control: true
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 3455
  default_group: Default
  enable_debug_mode: true
  gc_threshold: 1.048576e+07
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 1.048576e+07
  mutex: 3cea4056-063b-4394-b13d-4dc863235987
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: dbesth1.ddns.net
  primary_dns_server: 8.8.8.8
  request_elevation: true
  restart_delay: 5000
  run_delay: 0
  run_on_startup: true
  set_critical_process: true
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8000
  Notes: the four bare lines under the family name are the extractor's summary (version, primary and backup C2 endpoint, mutex) of fields that are listed in full below them. Both C2 hosts use port 3455; dbesth1.ddns.net is a dynamic-DNS name and 154.16.220.30 is the hard-coded fallback. gc_threshold and max_packet_size are 10485760 bytes (10 MiB) printed in exponent form. bypass_user_account_control and request_elevation match the EnableLUA registry query recorded under Signatures; set_critical_process: true means the implant marks its own process as critical, so terminating it triggers a bugcheck. bypass_user_account_control_data has no value in the report.
Signatures

Behaviour chain recorded below: the submitted sample (PID 2168) starts the .NET Framework 2.0 utility RegAsm.exe (PID 1012) with no command-line arguments, writes into its memory and sets its thread context, which is the process-hollowing pattern; the hollowed RegAsm.exe then runs two dropped executables, personalLokiraw.exe (PID 2632; by name and behaviour the Lokibot component: opens Outlook profile keys, takes SeDebugPrivilege) and NEWNANORAWFILE.exe (PID 2708; by name and behaviour the NanoCore component: queries EnableLUA, enumerates processes, takes SeDebugPrivilege).

Executes dropped EXE 2 IoCs
  pid   process
  2632  personalLokiraw.exe
  2708  NEWNANORAWFILE.exe

Loads dropped DLL 8 IoCs
  pid   process
  1012  RegAsm.exe  (8 loads recorded; the DLL paths are not shown in this view)

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  process              description  ioc
  personalLokiraw.exe  Key opened   \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  personalLokiraw.exe  Key opened   \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  personalLokiraw.exe  Key opened   \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Checks whether UAC is enabled 1 IoCs
  process             description        ioc
  NEWNANORAWFILE.exe  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext 1 IoCs
  pid   process                                              description                     target process
  2168  258c60b279a8debef184b5c01766604f_JaffaCakes118.exe  set thread context of PID 1012  RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 3 IoCs
  pid   process
  2708  NEWNANORAWFILE.exe  (3 events)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid   process
  2708  NEWNANORAWFILE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
  pid   process              description
  2708  NEWNANORAWFILE.exe   Token: SeDebugPrivilege
  2632  personalLokiraw.exe  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory 19 IoCs
  pid   process                                              description                  target process       events
  2168  258c60b279a8debef184b5c01766604f_JaffaCakes118.exe  wrote to memory of PID 1012  RegAsm.exe           11
  1012  RegAsm.exe                                           wrote to memory of PID 2632  personalLokiraw.exe  4
  1012  RegAsm.exe                                           wrote to memory of PID 2708  NEWNANORAWFILE.exe   4
  The 11 writes into RegAsm.exe are paired with the SetThreadContext call above and together make up the hollowing; the 4 writes into each child are recorded for the ordinary parent/child start and are not paired with SetThreadContext.

outlook_office_path 1 IoCs
  process              description  ioc
  personalLokiraw.exe  Key opened   \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path 1 IoCs
  process              description  ioc
  personalLokiraw.exe  Key opened   \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
C:\Users\Admin\AppData\Local\Temp\258c60b279a8debef184b5c01766604f_JaffaCakes118.exe  (PID 2168, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\258c60b279a8debef184b5c01766604f_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 1012, depth 2, child of 2168)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (no arguments)
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\personalLokiraw.exe  (PID 2632, depth 3, child of 1012)
      Command line: "C:\Users\Admin\AppData\Local\Temp\personalLokiraw.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
    C:\Users\Admin\AppData\Local\Temp\NEWNANORAWFILE.exe  (PID 2708, depth 3, child of 1012)
      Command line: "C:\Users\Admin\AppData\Local\Temp\NEWNANORAWFILE.exe"
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\NEWNANORAWFILE.exe
  Filesize: 202KB
  MD5: 9166f23c199bda8b6ece839f025935c4
  SHA1: 6afb426b23e941334c3b4c3600f9869614d9066b
  SHA256: d90ed34f5755bfcc7c8b1d6d1094aeacfb90bd4a0e5fe0cbe6e8ec4fdf5b699e
  SHA512: d1d3bb5a5db7b93a053b173942be4f0d1f950ec431b90c405556764f5811b2b8381bfdcd2d4fff2295a3d61c494b3a18611b78b0a5925ef7b978f62feb31b70b

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e
  Filesize: 46B
  MD5: d898504a722bff1524134c6ab6a5eaa5
  SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e  (same path as above, different content)
  Filesize: 46B
  MD5: c07225d4e7d01d31042965f048728a0a
  SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
  SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
  SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

\Users\Admin\AppData\Local\Temp\personalLokiraw.exe
  Filesize: 104KB
  MD5: 534fc86a04f5c637c6dd6925eee11ab4
  SHA1: 40992c472e6de00108dae6235b027a70113e190c
  SHA256: db74dcbdae244181006c2e4d2243b209fd042641cc5d9f1fd994dd3a6a74b0f0
  SHA512: 81d3f58c84cc37307bea4bda49971753c746e78fb14138e5c46ca20c3a6673c060116b9db1a302e14307588849313e3b738df3d592b6f65de05c2e6f7c50a03c

Memory dumps:
  memory/1012-46-0x0000000000400000-0x0000000000439000-memory.dmp  Filesize: 228KB
  memory/1012-16-0x0000000000400000-0x0000000000439000-memory.dmp  Filesize: 228KB
  memory/1012-7-0x0000000000400000-0x0000000000439000-memory.dmp  Filesize: 228KB
  memory/1012-13-0x0000000000400000-0x0000000000439000-memory.dmp  Filesize: 228KB
  memory/1012-11-0x0000000000400000-0x0000000000439000-memory.dmp  Filesize: 228KB
  memory/1012-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  Filesize: 4KB
  memory/1012-3-0x0000000000400000-0x0000000000439000-memory.dmp  Filesize: 228KB
  memory/1012-5-0x0000000000400000-0x0000000000439000-memory.dmp  Filesize: 228KB
  memory/2168-15-0x0000000074530000-0x0000000074ADB000-memory.dmp  Filesize: 5.7MB
  memory/2168-0-0x0000000074531000-0x0000000074532000-memory.dmp  Filesize: 4KB
  memory/2168-2-0x0000000074530000-0x0000000074ADB000-memory.dmp  Filesize: 5.7MB
  memory/2168-1-0x0000000074530000-0x0000000074ADB000-memory.dmp  Filesize: 5.7MB
  memory/2632-91-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
  Note: the repeated dumps of 0x00400000-0x00439000 (228KB) are taken from RegAsm.exe (PID 1012) at the default non-ASLR image base, consistent with the payload written into it by PID 2168 (see Suspicious use of SetThreadContext and WriteProcessMemory under Signatures); the 0x74530000-0x74ADB000 region in PID 2168 is a 5.7MB mapped module, far larger than the 280KB sample itself.