locky_lukitus | c6bb72e0a48fcf77920ddc48dd799f04a73ca287f56afb3dd5709725a67e8564

Analysis

max time kernel
145s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3db3efc2a27e1edecdb08cf55c71484b_JaffaCakes118.exe
Size

520KB
MD5

3db3efc2a27e1edecdb08cf55c71484b
SHA1

cd4dbef36d10e3c2454396d6301d88c20e0a73c4
SHA256

c6bb72e0a48fcf77920ddc48dd799f04a73ca287f56afb3dd5709725a67e8564
SHA512

f0ae1517a0926bce5956aef7e3c369f1d4d811bd42a692114825e92384f4e4b488f8fea046443c1a9839d420ab0ae6d66beaa6fb00a42e35ba3e3239bfd73f66
SSDEEP

12288:zVRm47ugq9QLXzNWVn4Fkl6BQ2yLhxPtIS4GudgBXllbXtdj:zVzzzjNO4FkUQ2yL7PtIdGudqlb9dj

Score

10^/10

locky_lukitus ransomware

Malware Config

Signatures

Locky (Lukitus variant)
Variant of the Locky ransomware seen in the wild since late 2017.
ransomware locky_lukitus

Deletes itself 1 IoCs

pid	Process
668	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\lukitus.bmp"	3db3efc2a27e1edecdb08cf55c71484b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "0"	3db3efc2a27e1edecdb08cf55c71484b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\TileWallpaper = "0"	3db3efc2a27e1edecdb08cf55c71484b_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{68D410F1-11A1-11EF-8698-5E73522EB9B5} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2380	iexplore.exe
2392	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2380	iexplore.exe
2380	iexplore.exe
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2380	2804	3db3efc2a27e1edecdb08cf55c71484b_JaffaCakes118.exe	32
PID 2804 wrote to memory of 2380	2804	3db3efc2a27e1edecdb08cf55c71484b_JaffaCakes118.exe	32
PID 2804 wrote to memory of 2380	2804	3db3efc2a27e1edecdb08cf55c71484b_JaffaCakes118.exe	32
PID 2804 wrote to memory of 2380	2804	3db3efc2a27e1edecdb08cf55c71484b_JaffaCakes118.exe	32
PID 2380 wrote to memory of 2376	2380	iexplore.exe	34
PID 2380 wrote to memory of 2376	2380	iexplore.exe	34
PID 2380 wrote to memory of 2376	2380	iexplore.exe	34
PID 2380 wrote to memory of 2376	2380	iexplore.exe	34
PID 2804 wrote to memory of 668	2804	3db3efc2a27e1edecdb08cf55c71484b_JaffaCakes118.exe	35
PID 2804 wrote to memory of 668	2804	3db3efc2a27e1edecdb08cf55c71484b_JaffaCakes118.exe	35
PID 2804 wrote to memory of 668	2804	3db3efc2a27e1edecdb08cf55c71484b_JaffaCakes118.exe	35
PID 2804 wrote to memory of 668	2804	3db3efc2a27e1edecdb08cf55c71484b_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\3db3efc2a27e1edecdb08cf55c71484b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3db3efc2a27e1edecdb08cf55c71484b_JaffaCakes118.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lukitus.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2380 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\3db3efc2a27e1edecdb08cf55c71484b_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  PID:668

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf3af6bfe0b145f63dd36f20c9829f35

SHA1
6c6eeca753e2a6fdeb24d0c3d498ab0ec5ed98d4

SHA256
326b2c337cdd4f0802283eeac35f347ae6afa1619447b3b3a33cb78501bd3c2e

SHA512
7a2410494bd9e8e5b853d4cdb6741ee5098c97dc66cf0c39b69f2c0d79089bf455a128aee317e9e2d6e7a74b3b008eac7673f186144097500b9d155e3ce9b6cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b1e06a7663f23af8d6ec3f30177caf3

SHA1
966025652718c7db766f5d06b46d82e43a5384d0

SHA256
9c4bbc14a9756b5685aafcfda19ebb79fd9ed66901c9b487d45cfb57df27e5ce

SHA512
000d6c291fa07767f8e5accb12a25d17166834c4837cb2d886a1e648d4044a0c6eced9494a4cb9ebaf49e997b01811348aa44467c3251e7c694d309c19be32f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de66438fea45080f2726e14ad9f7364d

SHA1
4799406873e21e73402bc82396012b7a0270c3d1

SHA256
f37e9c60bba8115830c6201c10dd709b71774453bb32e98e115ffef0eceeab62

SHA512
dc3aff6b47665c8a5e764ecf29a77348dad5ec8450303de208acd89f3b788538827dd4469c167f836e31360bf744933ff6d98932064f29d28dd66191afdc7ef0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7abb284cf2031fac48dc122c6cb6e079

SHA1
bb602d936beecc13f04dc856209472589f444acc

SHA256
3613461d43ec47561820ac2fa06cf5af12cdde249d5af15ddf9a82fc1666d1a1

SHA512
6cb687a955c5affb638f93eae771da83fa49f8b0abad520985d7bed7ddbe495ddee134ea8eab741f3562c386e10f6ce899969212a731d09d1073729a4f3f95fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
166070235273cbf8401e2dc32d79ea62

SHA1
e967503ce8715094c3d5a028e1c57a710fb95aa7

SHA256
12eafa52941d7488e55d54fedf0cd45ac40618ff815d9015c8fd0740604738e2

SHA512
2963cab2643ef1dafeeaae403d63c7628e8f8c3ac4017488884be3722d027c8b044edeec424146fd4831a59a361a6ebae302d182374cea6025b49113be1401ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
234bb2f2dea3d9c918dbd5af373b49aa

SHA1
d0a2f5501c8816ce70f0a7b4ec5cac81c86089a5

SHA256
67a84c8650ac868e62ea537dc8adbe861a3558946f225fc77d2061195a0d7bb7

SHA512
7374d55ed003b3e802ff954c267f8161b52a94cc5e4c8e256b39675f2d74a96415b05ae60b6dbd55430e9c14431c555baeae7a745a8e4858ae2477b3523bf5e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1622a3eade7045c32646986047ccfe76

SHA1
e90f0c5ea591db161af74a19c957e6a3ca5b2149

SHA256
48c9453ea322d849a1c25bfb2048d0e78bc3ffe1becf3ea2245d2adf87e4f892

SHA512
d966004da17ab8cb39a0c24bf6f17ff0e03c25f5e135b40f51072b9ca32f194298a0e97ae6d554c8fe14039ee24e3b1091d174bd7230c23d721fac19812e465a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
12759dac4576c0b1ec136a149e072435

SHA1
897c07b04ef575a700524f52b7609cc8c2ef3159

SHA256
cc07a909cedede756112eee375a9f4756a680bf9638b8b01a0baeaec79b067f8

SHA512
bc26ce9a06ad78f5f8f78bdf3359b1f3b37f702a9f0aca29ad42f7435dda732a344195d1c13d4a109385b7c5d99e1887019dcd54613796afb6af488944f3db8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f2033cbfc26ad3cc4fe6d26d15c7967d

SHA1
cb2b37343a3078c25050aee1ca766de828beff25

SHA256
b82be52e20bef2a5bec2a29d5a465e1001c34d6afceff927594d05eb9d5d79ae

SHA512
e8bb409bcfb6ab0724a78d9fed342dc853f53046d270546f138997d128bfaf01d8295486693ef6d6837005cd8ae2fb21614c12277471988c754b5972d6a99419

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab66B1.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar67F1.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\Desktop\lukitus.bmp

Filesize
3.5MB

MD5
320d21ca72cce6467c5e791e9de443b1

SHA1
1feb627d7de4c9505596f69d775553fef062d0e9

SHA256
88cf2faf19755e9f7b4672a53b7f8885a83dbcb8f1aca0154468ad02adc96554

SHA512
adbea6beed0e66c0500e0dc30fb116e492193df523d0cf54170805f5695772c316f0288e9a9b462f8e85638a8341a3e542db3e4b332f94448ed1587df4ebc590

Download Submit
C:\Users\Admin\Desktop\lukitus.htm

Filesize
8KB

MD5
4426441ab2beadc3936ee04315fc20ef

SHA1
9f63d95b2ebc2140c5df02a757e081d6e794469c

SHA256
7ece474478fb0401fd16c2a5cfd964c0d3873820179e9acd4a0abcee445512f6

SHA512
b3067c98c81decc8a843513dfc9c689a9d2234dff133a8358c2606396b2d0ccf40958799a691db6f8aae290de97a4f111d65fc4b2fee51969f96228e762e0e86

Download Submit
memory/2392-274-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2392-273-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2392-750-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2804-272-0x0000000001E90000-0x0000000001E92000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads