Overview

overview

10

Static

static

1

2e3794c246...18.msi

windows7-x64

10

2e3794c246...18.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    10-05-2024 08:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e3794c246b2692357c84d67a63eee8a_JaffaCakes118.msi

  • Size

    916KB

  • MD5

    2e3794c246b2692357c84d67a63eee8a

  • SHA1

    6e4831f1fff710b0b85db2284077d1babcfff07c

  • SHA256

    e32e5feb177767ae1460812431ca445d2878a94d7730b75954787ae56f279c90

  • SHA512

    1830636041c17abe43ebbeac806176177a3c3e509c9b7bc1b66166c14ccf42f82743f73edabd19be729b0b09a31736e149c16962f1c36fc273223a7c58a6f5f0

  • SSDEEP

    12288:xEm8Elt9sHIoUJWgt46eeZZJEIdHH4hiXmVOJ8Ah3yUr2:xEytTQgtl7ZZGiHqi2omA

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://31.220.2.120/~jhjgr/wp/wp-admin/includes/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 62 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2e3794c246b2692357c84d67a63eee8a_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1768
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\Installer\MSI3729.tmp
      "C:\Windows\Installer\MSI3729.tmp"
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\Installer\MSI3729.tmp
        "C:\Windows\Installer\MSI3729.tmp"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2828
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2236
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000003DC" "000000000000057C"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:3052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f763641.rbs
    Filesize

    663B

    MD5

    c45fc7f11389a3c63bed973f0f866168

    SHA1

    34979bd902364e899f362cb2ced76a19c325814c

    SHA256

    0ea05b551949a67412685caa51df385b0a6cf234c198fc9187cfaa5259343cf1

    SHA512

    81a5eeac5c2149ea6a4715bd1163df6d078af9aeb3a51f7ae1d10e2987ea2649807eff5fea7c3919591726199270a4efaac7175870f06bd21e1d2c27b1e72eda

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3691908287-3775019229-3534252667-1000\0f5007522459c86e95ffcc62f32308f1_a42634aa-f501-41cf-bed1-b8158857da02
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3691908287-3775019229-3534252667-1000\0f5007522459c86e95ffcc62f32308f1_a42634aa-f501-41cf-bed1-b8158857da02
    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    Download Submit
  • C:\Windows\Installer\MSI3729.tmp
    Filesize

    891KB

    MD5

    e3f06e6c77dcf456ed90180f5119e060

    SHA1

    c858224a8f75f824d37428a490d5862e8ba37d22

    SHA256

    ab5eefc8c8cdb7158efbaccfeb8862c7ff9471346614d8c55de29f908ebe9639

    SHA512

    b65cb035b8a1cf80771d76a385f71da8f3d5edb2c4055d0732fc2ad74680af2c363b3229bca799b44825d4aeddcfacefe1cf12148e035a2aee4c71e5a41a5d2d

    Download Submit
  • memory/2828-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2828-25-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/2828-15-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/2828-22-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/2828-19-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/2828-28-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/2828-32-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/2828-17-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/2828-61-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/2828-79-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download