Analysis
- max time kernel: 136s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 08:25
Static task: static1
Behavioral task: behavioral1
  Sample: 2e3794c246b2692357c84d67a63eee8a_JaffaCakes118.msi
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2e3794c246b2692357c84d67a63eee8a_JaffaCakes118.msi
  Resource: win10v2004-20240508-en
General
- Target: 2e3794c246b2692357c84d67a63eee8a_JaffaCakes118.msi
- Size: 916KB
- MD5: 2e3794c246b2692357c84d67a63eee8a
- SHA1: 6e4831f1fff710b0b85db2284077d1babcfff07c
- SHA256: e32e5feb177767ae1460812431ca445d2878a94d7730b75954787ae56f279c90
- SHA512: 1830636041c17abe43ebbeac806176177a3c3e509c9b7bc1b66166c14ccf42f82743f73edabd19be729b0b09a31736e149c16962f1c36fc273223a7c58a6f5f0
- SSDEEP: 12288:xEm8Elt9sHIoUJWgt46eeZZJEIdHH4hiXmVOJ8Ah3yUr2:xEytTQgtl7ZZGiHqi2omA
Malware Config
Extracted
lokibot
http://31.220.2.120/~jhjgr/wp/wp-admin/includes/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: MSI981A.tmp
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | MSI981A.tmp
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | MSI981A.tmp
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | MSI981A.tmp
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | process
All 46 rows have description "File opened (read-only)" and process msiexec.exe; the ioc column, in the order reported, is:
\??\K: \??\S: \??\U: \??\Z: \??\Y: \??\Z: \??\H: \??\J: \??\E: \??\N: \??\T: \??\V: \??\W: \??\Q: \??\T: \??\G:
\??\L: \??\O: \??\S: \??\U: \??\J: \??\E: \??\N: \??\P: \??\W: \??\X: \??\A: \??\B: \??\R: \??\X: \??\G: \??\O:
\??\R: \??\P: \??\Y: \??\K: \??\M: \??\L: \??\I: \??\M: \??\Q: \??\A: \??\B: \??\H: \??\I: \??\V:
-
Suspicious use of SetThreadContext 1 IoCs
Processes: MSI981A.tmp
description | pid | process | target process
PID 4284 set thread context of 3012 | 4284 | MSI981A.tmp | MSI981A.tmp
-
Drops file in Windows directory 8 IoCs
Processes: msiexec.exe
description | ioc | process
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI97BC.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI981A.tmp | msiexec.exe
File created | C:\Windows\Installer\e579700.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e579700.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
-
Executes dropped EXE 2 IoCs
Processes: MSI981A.tmp, MSI981A.tmp
pid | process
4284 | MSI981A.tmp
3012 | MSI981A.tmp
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not present in the extracted report) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: msiexec.exe
pid | process
1796 | msiexec.exe
1796 | msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 56 IoCs
Processes: msiexec.exe, msiexec.exe, vssvc.exe, MSI981A.tmp, srtasks.exe
description | pid | process (the 56 "Token:" rows, grouped by process)
5012 msiexec.exe (31 rows): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
1796 msiexec.exe (13 rows): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
1688 vssvc.exe (3 rows): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
3012 MSI981A.tmp (1 row): SeDebugPrivilege
2808 srtasks.exe (8 rows): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: msiexec.exe
pid | process
5012 | msiexec.exe
5012 | msiexec.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes: msiexec.exe, MSI981A.tmp
description | pid | process | target process
PID 1796 wrote to memory of 2808 | 1796 | msiexec.exe | srtasks.exe (2 rows)
PID 1796 wrote to memory of 4284 | 1796 | msiexec.exe | MSI981A.tmp (3 rows)
PID 4284 wrote to memory of 3012 | 4284 | MSI981A.tmp | MSI981A.tmp (9 rows)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Processes: MSI981A.tmp
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | MSI981A.tmp
-
outlook_win_path 1 IoCs
Processes: MSI981A.tmp
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | MSI981A.tmp
Processes
-
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2e3794c246b2692357c84d67a63eee8a_JaffaCakes118.msi
  PID: 5012
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1796
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 2808
    - Suspicious use of AdjustPrivilegeToken
  Child: C:\Windows\Installer\MSI981A.tmp
    Command line: "C:\Windows\Installer\MSI981A.tmp"
    PID: 4284
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Child: C:\Windows\Installer\MSI981A.tmp
      Command line: "C:\Windows\Installer\MSI981A.tmp"
      PID: 3012
      - Accesses Microsoft Outlook profiles
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1688
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Config.Msi\e579703.rbs
  Filesize: 663B
  MD5: e93f5fd5adf65e4bf272069b1f9bee1c
  SHA1: be47a30bb0d371e9f4fe2e5f43c959c917c86dc9
  SHA256: 542c21a26418c8f6b2c4c8d5c67c729120e4b82bf915aea688a6d12ce1b39eaf
  SHA512: 9f0fe0bd8cadf234936825260fc0a0ad29bd1aeea653d6970f7d71fac265446b6efa474d33b52b2539951b0c057e1834dfa81fbeb79c287a11f468e4b8b1bfe0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\0f5007522459c86e95ffcc62f32308f1_310807ab-751f-4d81-ae09-b202eaf21e19
  Filesize: 46B
  MD5: c07225d4e7d01d31042965f048728a0a
  SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
  SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
  SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\0f5007522459c86e95ffcc62f32308f1_310807ab-751f-4d81-ae09-b202eaf21e19
  Filesize: 46B
  MD5: d898504a722bff1524134c6ab6a5eaa5
  SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Windows\Installer\MSI981A.tmp
  Filesize: 891KB
  MD5: e3f06e6c77dcf456ed90180f5119e060
  SHA1: c858224a8f75f824d37428a490d5862e8ba37d22
  SHA256: ab5eefc8c8cdb7158efbaccfeb8862c7ff9471346614d8c55de29f908ebe9639
  SHA512: b65cb035b8a1cf80771d76a385f71da8f3d5edb2c4055d0732fc2ad74680af2c363b3229bca799b44825d4aeddcfacefe1cf12148e035a2aee4c71e5a41a5d2d
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.7MB
  MD5: 580d6059fcc86b4681fa4167de51ff5c
  SHA1: 9af842d0e12796cf86ae5f808f4aff23d4f29226
  SHA256: 56010fb47fbd84bc62a717b80ff115d227b5ab9e01ffd8b71ef44de8367e8891
  SHA512: 548e99ab2e9a426cb413efa147e591dd22b7aa07e9b00b2da0100713e9574cc0fdbffa1650a6a1206ebdb919aa543ba5d18f0dea69af2fb17650937beea438b7
-
\??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{281a3dd6-aa20-48f7-abc5-e964bd963d92}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 5510fc7702921f64fac7d924b9c1600c
  SHA1: d4a769b78d02ccf093047a9edd7a97d74939a1fe
  SHA256: 7e63cab466beaadadf5fcf969a8d4e999a6aa09f37302dbb87a0da06447f4ff1
  SHA512: 945856e0a75bfe2ed9dfba2d902379cddd83b3f48f02ee1cedb36b9bb56c0661f968185b826efa5f299745f39fb264516a0d0dd6feb30f1d08628e4814921946
-
memory/3012-18-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
-
memory/3012-13-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
-
memory/3012-14-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
-
memory/3012-48-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
-
memory/3012-16-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
-
memory/3012-12-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
-
memory/3012-61-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB