Analysis
-
max time kernel
143s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
14-05-2024 00:53
Static task
static1
Behavioral task
behavioral1
Sample
3d45f52b9e27a0362ebb677fd499a64b_JaffaCakes118.msi
Resource
win7-20240215-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral2
Sample
3d45f52b9e27a0362ebb677fd499a64b_JaffaCakes118.msi
Resource
win10v2004-20240508-en
windows10-2004-x64
16 signatures
150 seconds
General
-
Target
3d45f52b9e27a0362ebb677fd499a64b_JaffaCakes118.msi
-
Size
1020KB
-
MD5
3d45f52b9e27a0362ebb677fd499a64b
-
SHA1
79463be51ed767c9eee5be75ffba5d5dd8009249
-
SHA256
107a9cdd607a1299c8bc7bd48b038fe65b8db63d6ab907cb0bbadabfb56380ba
-
SHA512
8ec5275059a772744333ab1584581265c6b32890e1bc8431679643a0c91660a54bbd6095b537fb29aca4ed89dc0f30e9d882e6eb16da5c096fd12aff4973358a
-
SSDEEP
24576:6EVQ7nZFzpDEHSgMIk4mFUEZ4GOIft/1Qp9G:6EViRooF1bRl/y
Score
10/10
Malware Config
Extracted
Family
lokibot
C2
http://paadasala.com.au/reg/home/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook MSI346B.tmp Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook MSI346B.tmp Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook MSI346B.tmp -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" MSI346B.tmp -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\O: msiexec.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2760 set thread context of 784 2760 MSI346B.tmp 35 -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\Installer\f763363.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI343A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI346B.tmp msiexec.exe File opened for modification C:\Windows\Installer\f763363.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f763360.msi msiexec.exe File opened for modification C:\Windows\Installer\f763360.msi msiexec.exe -
Executes dropped EXE 2 IoCs
pid Process 2760 MSI346B.tmp 784 MSI346B.tmp -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2996 msiexec.exe 2996 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 62 IoCs
description pid Process Token: SeShutdownPrivilege 2072 msiexec.exe Token: SeIncreaseQuotaPrivilege 2072 msiexec.exe Token: SeRestorePrivilege 2996 msiexec.exe Token: SeTakeOwnershipPrivilege 2996 msiexec.exe Token: SeSecurityPrivilege 2996 msiexec.exe Token: SeCreateTokenPrivilege 2072 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2072 msiexec.exe Token: SeLockMemoryPrivilege 2072 msiexec.exe Token: SeIncreaseQuotaPrivilege 2072 msiexec.exe Token: SeMachineAccountPrivilege 2072 msiexec.exe Token: SeTcbPrivilege 2072 msiexec.exe Token: SeSecurityPrivilege 2072 msiexec.exe Token: SeTakeOwnershipPrivilege 2072 msiexec.exe Token: SeLoadDriverPrivilege 2072 msiexec.exe Token: SeSystemProfilePrivilege 2072 msiexec.exe Token: SeSystemtimePrivilege 2072 msiexec.exe Token: SeProfSingleProcessPrivilege 2072 msiexec.exe Token: SeIncBasePriorityPrivilege 2072 msiexec.exe Token: SeCreatePagefilePrivilege 2072 msiexec.exe Token: SeCreatePermanentPrivilege 2072 msiexec.exe Token: SeBackupPrivilege 2072 msiexec.exe Token: SeRestorePrivilege 2072 msiexec.exe Token: SeShutdownPrivilege 2072 msiexec.exe Token: SeDebugPrivilege 2072 msiexec.exe Token: SeAuditPrivilege 2072 msiexec.exe Token: SeSystemEnvironmentPrivilege 2072 msiexec.exe Token: SeChangeNotifyPrivilege 2072 msiexec.exe Token: SeRemoteShutdownPrivilege 2072 msiexec.exe Token: SeUndockPrivilege 2072 msiexec.exe Token: SeSyncAgentPrivilege 2072 msiexec.exe Token: SeEnableDelegationPrivilege 2072 msiexec.exe Token: SeManageVolumePrivilege 2072 msiexec.exe Token: SeImpersonatePrivilege 2072 msiexec.exe Token: SeCreateGlobalPrivilege 2072 msiexec.exe Token: SeBackupPrivilege 2544 vssvc.exe Token: SeRestorePrivilege 2544 vssvc.exe Token: SeAuditPrivilege 2544 vssvc.exe Token: SeBackupPrivilege 2996 msiexec.exe Token: SeRestorePrivilege 2996 msiexec.exe Token: SeRestorePrivilege 2416 DrvInst.exe Token: SeRestorePrivilege 2416 DrvInst.exe Token: SeRestorePrivilege 2416 DrvInst.exe Token: SeRestorePrivilege 2416 DrvInst.exe Token: SeRestorePrivilege 2416 DrvInst.exe Token: SeRestorePrivilege 2416 DrvInst.exe Token: SeRestorePrivilege 2416 DrvInst.exe Token: SeLoadDriverPrivilege 2416 DrvInst.exe Token: SeLoadDriverPrivilege 2416 DrvInst.exe Token: SeLoadDriverPrivilege 2416 DrvInst.exe Token: SeRestorePrivilege 2996 msiexec.exe Token: SeTakeOwnershipPrivilege 2996 msiexec.exe Token: SeRestorePrivilege 2996 msiexec.exe Token: SeTakeOwnershipPrivilege 2996 msiexec.exe Token: SeRestorePrivilege 2996 msiexec.exe Token: SeTakeOwnershipPrivilege 2996 msiexec.exe Token: SeRestorePrivilege 2996 msiexec.exe Token: SeTakeOwnershipPrivilege 2996 msiexec.exe Token: SeRestorePrivilege 2996 msiexec.exe Token: SeTakeOwnershipPrivilege 2996 msiexec.exe Token: SeRestorePrivilege 2996 msiexec.exe Token: SeTakeOwnershipPrivilege 2996 msiexec.exe Token: SeDebugPrivilege 784 MSI346B.tmp -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2072 msiexec.exe 2072 msiexec.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2996 wrote to memory of 2760 2996 msiexec.exe 32 PID 2996 wrote to memory of 2760 2996 msiexec.exe 32 PID 2996 wrote to memory of 2760 2996 msiexec.exe 32 PID 2996 wrote to memory of 2760 2996 msiexec.exe 32 PID 2760 wrote to memory of 784 2760 MSI346B.tmp 35 PID 2760 wrote to memory of 784 2760 MSI346B.tmp 35 PID 2760 wrote to memory of 784 2760 MSI346B.tmp 35 PID 2760 wrote to memory of 784 2760 MSI346B.tmp 35 PID 2760 wrote to memory of 784 2760 MSI346B.tmp 35 PID 2760 wrote to memory of 784 2760 MSI346B.tmp 35 PID 2760 wrote to memory of 784 2760 MSI346B.tmp 35 PID 2760 wrote to memory of 784 2760 MSI346B.tmp 35 PID 2760 wrote to memory of 784 2760 MSI346B.tmp 35 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook MSI346B.tmp -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook MSI346B.tmp
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3d45f52b9e27a0362ebb677fd499a64b_JaffaCakes118.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2072
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\Installer\MSI346B.tmp"C:\Windows\Installer\MSI346B.tmp"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\Installer\MSI346B.tmp"C:\Windows\Installer\MSI346B.tmp"3⤵
- Accesses Microsoft Outlook profiles
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:784
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2544
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "0000000000000598"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2416
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
663B
MD5331df247a635fa64716de99dfea9b4b6
SHA1cf052b8359fd0887a55db1e22a6dab91d191f0fc
SHA256dc02d36ff19cd09428dd342ff6eacf173c3b8fab1a15d6a5ce0de69b90d8406c
SHA51226630d82f48a9ad489c61395b24d5980bd731d92affb021e906fd2ed419a5dc44aa6a9043f4b6e7f76a51f586a2a2ba838437f686b6eeb80f05d9c9be9993956
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\0f5007522459c86e95ffcc62f32308f1_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\0f5007522459c86e95ffcc62f32308f1_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2
Filesize46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
994KB
MD58a1840737ac22e0d30ac8cefa8520885
SHA1f79cb4602fa06c08a5631eda8a3164667565e28e
SHA256b24d48dc6a7c84b3350e86214059294f188bb9835d99bc8c9821e8a9018872d0
SHA512535321ab0c37c40a0d3192ec1e479064bfe9b74edccc8c8f304f8a9d663a13614ecf2eac3fe359c33c8294a4166ada6243603543b78ee53b0461eea2c6a2f913