Analysis

max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 00:53

Static task: static1

Behavioral task: behavioral1
  Sample: 3d45f52b9e27a0362ebb677fd499a64b_JaffaCakes118.msi
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample: 3d45f52b9e27a0362ebb677fd499a64b_JaffaCakes118.msi
  Resource: win10v2004-20240508-en
General

Target: 3d45f52b9e27a0362ebb677fd499a64b_JaffaCakes118.msi
Size: 1020KB
MD5: 3d45f52b9e27a0362ebb677fd499a64b
SHA1: 79463be51ed767c9eee5be75ffba5d5dd8009249
SHA256: 107a9cdd607a1299c8bc7bd48b038fe65b8db63d6ab907cb0bbadabfb56380ba
SHA512: 8ec5275059a772744333ab1584581265c6b32890e1bc8431679643a0c91660a54bbd6095b537fb29aca4ed89dc0f30e9d882e6eb16da5c096fd12aff4973358a
SSDEEP: 24576:6EVQ7nZFzpDEHSgMIk4mFUEZ4GOIft/1Qp9G:6EViRooF1bRl/y
Malware Config

Extracted family: lokibot
URLs:
  http://paadasala.com.au/reg/home/five/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: MSI853E.tmp
  Key opened: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (MSI853E.tmp)
  Key opened: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (MSI853E.tmp)
  Key opened: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (MSI853E.tmp)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: MSI853E.tmp
  Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" (MSI853E.tmp)

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  File opened (read-only) by msiexec.exe, twice for each of the following drive roots:
  \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:

Suspicious use of SetThreadContext (1 IoC)
Processes: MSI853E.tmp
  PID 4944 set thread context of 4828: MSI853E.tmp (4944) -> MSI853E.tmp (4828)

Drops file in Windows directory (8 IoCs)
Processes: msiexec.exe
  File created: C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI84D0.tmp (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI853E.tmp (msiexec.exe)
  File created: C:\Windows\Installer\e578405.msi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\e578405.msi (msiexec.exe)
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)

Executes dropped EXE (2 IoCs)
Processes: MSI853E.tmp, MSI853E.tmp
  4944 MSI853E.tmp
  4828 MSI853E.tmp

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value omitted) (vssvc.exe)
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: msiexec.exe
  3128 msiexec.exe
  3128 msiexec.exe

Suspicious use of AdjustPrivilegeToken (56 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe, srtasks.exe, MSI853E.tmp
  Token: SeShutdownPrivilege (3896 msiexec.exe)
  Token: SeIncreaseQuotaPrivilege (3896 msiexec.exe)
  Token: SeSecurityPrivilege (3128 msiexec.exe)
  Token: SeCreateTokenPrivilege (3896 msiexec.exe)
  Token: SeAssignPrimaryTokenPrivilege (3896 msiexec.exe)
  Token: SeLockMemoryPrivilege (3896 msiexec.exe)
  Token: SeIncreaseQuotaPrivilege (3896 msiexec.exe)
  Token: SeMachineAccountPrivilege (3896 msiexec.exe)
  Token: SeTcbPrivilege (3896 msiexec.exe)
  Token: SeSecurityPrivilege (3896 msiexec.exe)
  Token: SeTakeOwnershipPrivilege (3896 msiexec.exe)
  Token: SeLoadDriverPrivilege (3896 msiexec.exe)
  Token: SeSystemProfilePrivilege (3896 msiexec.exe)
  Token: SeSystemtimePrivilege (3896 msiexec.exe)
  Token: SeProfSingleProcessPrivilege (3896 msiexec.exe)
  Token: SeIncBasePriorityPrivilege (3896 msiexec.exe)
  Token: SeCreatePagefilePrivilege (3896 msiexec.exe)
  Token: SeCreatePermanentPrivilege (3896 msiexec.exe)
  Token: SeBackupPrivilege (3896 msiexec.exe)
  Token: SeRestorePrivilege (3896 msiexec.exe)
  Token: SeShutdownPrivilege (3896 msiexec.exe)
  Token: SeDebugPrivilege (3896 msiexec.exe)
  Token: SeAuditPrivilege (3896 msiexec.exe)
  Token: SeSystemEnvironmentPrivilege (3896 msiexec.exe)
  Token: SeChangeNotifyPrivilege (3896 msiexec.exe)
  Token: SeRemoteShutdownPrivilege (3896 msiexec.exe)
  Token: SeUndockPrivilege (3896 msiexec.exe)
  Token: SeSyncAgentPrivilege (3896 msiexec.exe)
  Token: SeEnableDelegationPrivilege (3896 msiexec.exe)
  Token: SeManageVolumePrivilege (3896 msiexec.exe)
  Token: SeImpersonatePrivilege (3896 msiexec.exe)
  Token: SeCreateGlobalPrivilege (3896 msiexec.exe)
  Token: SeBackupPrivilege (3656 vssvc.exe)
  Token: SeRestorePrivilege (3656 vssvc.exe)
  Token: SeAuditPrivilege (3656 vssvc.exe)
  Token: SeBackupPrivilege (3128 msiexec.exe)
  Token: SeRestorePrivilege (3128 msiexec.exe)
  Token: SeRestorePrivilege (3128 msiexec.exe)
  Token: SeTakeOwnershipPrivilege (3128 msiexec.exe)
  Token: SeRestorePrivilege (3128 msiexec.exe)
  Token: SeTakeOwnershipPrivilege (3128 msiexec.exe)
  Token: SeRestorePrivilege (3128 msiexec.exe)
  Token: SeTakeOwnershipPrivilege (3128 msiexec.exe)
  Token: SeBackupPrivilege (1624 srtasks.exe)
  Token: SeRestorePrivilege (1624 srtasks.exe)
  Token: SeSecurityPrivilege (1624 srtasks.exe)
  Token: SeTakeOwnershipPrivilege (1624 srtasks.exe)
  Token: SeBackupPrivilege (1624 srtasks.exe)
  Token: SeRestorePrivilege (1624 srtasks.exe)
  Token: SeSecurityPrivilege (1624 srtasks.exe)
  Token: SeTakeOwnershipPrivilege (1624 srtasks.exe)
  Token: SeRestorePrivilege (3128 msiexec.exe)
  Token: SeTakeOwnershipPrivilege (3128 msiexec.exe)
  Token: SeRestorePrivilege (3128 msiexec.exe)
  Token: SeTakeOwnershipPrivilege (3128 msiexec.exe)
  Token: SeDebugPrivilege (4828 MSI853E.tmp)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
  3896 msiexec.exe
  3896 msiexec.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: msiexec.exe, MSI853E.tmp
  PID 3128 wrote to memory of 1624: msiexec.exe (3128) -> srtasks.exe (1624)
  PID 3128 wrote to memory of 1624: msiexec.exe (3128) -> srtasks.exe (1624)
  PID 3128 wrote to memory of 4944: msiexec.exe (3128) -> MSI853E.tmp (4944)
  PID 3128 wrote to memory of 4944: msiexec.exe (3128) -> MSI853E.tmp (4944)
  PID 3128 wrote to memory of 4944: msiexec.exe (3128) -> MSI853E.tmp (4944)
  PID 4944 wrote to memory of 4828: MSI853E.tmp (4944) -> MSI853E.tmp (4828)
  PID 4944 wrote to memory of 4828: MSI853E.tmp (4944) -> MSI853E.tmp (4828)
  PID 4944 wrote to memory of 4828: MSI853E.tmp (4944) -> MSI853E.tmp (4828)
  PID 4944 wrote to memory of 4828: MSI853E.tmp (4944) -> MSI853E.tmp (4828)
  PID 4944 wrote to memory of 4828: MSI853E.tmp (4944) -> MSI853E.tmp (4828)
  PID 4944 wrote to memory of 4828: MSI853E.tmp (4944) -> MSI853E.tmp (4828)
  PID 4944 wrote to memory of 4828: MSI853E.tmp (4944) -> MSI853E.tmp (4828)
  PID 4944 wrote to memory of 4828: MSI853E.tmp (4944) -> MSI853E.tmp (4828)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

outlook_office_path (1 IoC)
Processes: MSI853E.tmp
  Key opened: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (MSI853E.tmp)

outlook_win_path (1 IoC)
Processes: MSI853E.tmp
  Key opened: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (MSI853E.tmp)
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3d45f52b9e27a0362ebb677fd499a64b_JaffaCakes118.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Installer\MSI853E.tmp
      Command line: "C:\Windows\Installer\MSI853E.tmp"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\Installer\MSI853E.tmp
          Command line: "C:\Windows\Installer\MSI853E.tmp"
          - Accesses Microsoft Outlook profiles
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - outlook_office_path
          - outlook_win_path

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Config.Msi\e578408.rbs
  Filesize: 663B
  MD5: 9f7ed9f25569119b6b9c85792aab61a4
  SHA1: 40ff3f0799e7bb7c181a119de923cec38fc92e10
  SHA256: 9afea0f03672ad8729c76b0addb9f9e1d64cc8ee5b0dfa9b138d3408e920d5c1
  SHA512: a96e3a6722499778c02166d88e2812158ed1ef31907c4edf85f26d30937b0a09a8a0d28f4c4e7184a543d7c0cf81b36693e21dd86a08f68434f0d68795da482d

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2804150937-2146708401-419095071-1000\0f5007522459c86e95ffcc62f32308f1_5a32ead2-14a8-4b34-b6a3-85cfb28e2fbd
  Filesize: 46B
  MD5: c07225d4e7d01d31042965f048728a0a
  SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
  SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
  SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2804150937-2146708401-419095071-1000\0f5007522459c86e95ffcc62f32308f1_5a32ead2-14a8-4b34-b6a3-85cfb28e2fbd
  Filesize: 46B
  MD5: d898504a722bff1524134c6ab6a5eaa5
  SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Windows\Installer\MSI853E.tmp
  Filesize: 994KB
  MD5: 8a1840737ac22e0d30ac8cefa8520885
  SHA1: f79cb4602fa06c08a5631eda8a3164667565e28e
  SHA256: b24d48dc6a7c84b3350e86214059294f188bb9835d99bc8c9821e8a9018872d0
  SHA512: 535321ab0c37c40a0d3192ec1e479064bfe9b74edccc8c8f304f8a9d663a13614ecf2eac3fe359c33c8294a4166ada6243603543b78ee53b0461eea2c6a2f913

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.7MB
  MD5: 7652e40fdf88a85dcc875934309bdec1
  SHA1: c608c23173ca31d71d2990f324fc44cd4a2f2e16
  SHA256: afab1ed4b0563e16b6b4666ceac102de4a361d9943455ffe510ea98669ce2d6e
  SHA512: ca3e7c3baa2dae75ec1d05656098281c0d4989a088e584914b1e3de4ecc41b82aecaad3770e4a80d4717768a5c3236c56b65a7af431e7ea2e5a16c5f8b604ce7

\??\Volume{a968b372-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{93a5a9a3-0bd3-4a78-8bc7-9190a7d1038a}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: f10e941fb38ce26f5e263ff3d1bb777d
  SHA1: beec9e77cd4d2ef04498c17d529019cf78323afa
  SHA256: 3c862c5dd802c7ce20292a3663fc8a2deb34dcfbca37fbd43a53d8c8881edd55
  SHA512: 3e1ad2edd69155dc9cca9d457ec046498ced9d324921e4a30e49085b1ea3a29be26e5330b911b321f6bdb2e3ded8819aab30a664f41bb0d103deaf9c633a0dc6

memory/4828-19-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

memory/4828-79-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

memory/4828-22-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

memory/4944-13-0x0000000000400000-0x000000000052E000-memory.dmp
  Filesize: 1.2MB

memory/4944-24-0x0000000000400000-0x000000000052E000-memory.dmp
  Filesize: 1.2MB

memory/4944-18-0x0000000000400000-0x000000000052E000-memory.dmp
  Filesize: 1.2MB

memory/4944-12-0x0000000000400000-0x000000000052E000-memory.dmp
  Filesize: 1.2MB

memory/4944-14-0x0000000000400000-0x000000000052E000-memory.dmp
  Filesize: 1.2MB

memory/4944-15-0x0000000000400000-0x000000000052E000-memory.dmp
  Filesize: 1.2MB