Analysis
-
max time kernel
147s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
15-05-2024 04:42
Static task
static1
Behavioral task
behavioral1
Sample
4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe
-
Size
861KB
-
MD5
4492d19d68954260f2e0107410b4ca29
-
SHA1
a868cf7984f82e26fc10042abd29d446fc00c60e
-
SHA256
27fb1f8b290ec2212af9f5b2cbe26bcad4def0b89b479734adc2ae6d1d4840f0
-
SHA512
0833b7e7e2ea47aaab5826fc8f9ecaa89ddb58ff21166bd223cffab837c358f1ef59df467b14476cbb8a68779f4e19dc447b6059c9b9c9b3b0d0fc401f3d4926
-
SSDEEP
12288:mfAv6B8azBwdmiX+tGAHwp3pmYSdlpfPfvdcG8RSQOQA1533a1VC74/7jXB2wRsg:0k6+c2dm2AQp3awPvOQ4K19Xx2WswMO
Malware Config
Extracted
lokibot
https://clotiahs.info/ret/four/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
DGHYTAXEL.exeDGHYTAXEL.exepid process 2828 DGHYTAXEL.exe 2496 DGHYTAXEL.exe -
Loads dropped DLL 4 IoCs
Processes:
4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exepid process 1668 4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe 1668 4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe 1668 4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe 1668 4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
DGHYTAXEL.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook DGHYTAXEL.exe Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook DGHYTAXEL.exe Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook DGHYTAXEL.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
DGHYTAXEL.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\DGHYTA = "C:\\Users\\Admin\\AppData\\Local\\DGHYTA\\DGHYTAR.vbs" DGHYTAXEL.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
DGHYTAXEL.exedescription pid process target process PID 2828 set thread context of 2496 2828 DGHYTAXEL.exe DGHYTAXEL.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
DGHYTAXEL.exedescription pid process Token: SeDebugPrivilege 2496 DGHYTAXEL.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exeDGHYTAXEL.exedescription pid process target process PID 1668 wrote to memory of 2828 1668 4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe DGHYTAXEL.exe PID 1668 wrote to memory of 2828 1668 4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe DGHYTAXEL.exe PID 1668 wrote to memory of 2828 1668 4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe DGHYTAXEL.exe PID 1668 wrote to memory of 2828 1668 4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe DGHYTAXEL.exe PID 2828 wrote to memory of 2496 2828 DGHYTAXEL.exe DGHYTAXEL.exe PID 2828 wrote to memory of 2496 2828 DGHYTAXEL.exe DGHYTAXEL.exe PID 2828 wrote to memory of 2496 2828 DGHYTAXEL.exe DGHYTAXEL.exe PID 2828 wrote to memory of 2496 2828 DGHYTAXEL.exe DGHYTAXEL.exe PID 2828 wrote to memory of 2496 2828 DGHYTAXEL.exe DGHYTAXEL.exe PID 2828 wrote to memory of 2496 2828 DGHYTAXEL.exe DGHYTAXEL.exe PID 2828 wrote to memory of 2496 2828 DGHYTAXEL.exe DGHYTAXEL.exe PID 2828 wrote to memory of 2496 2828 DGHYTAXEL.exe DGHYTAXEL.exe PID 2828 wrote to memory of 2496 2828 DGHYTAXEL.exe DGHYTAXEL.exe PID 2828 wrote to memory of 2496 2828 DGHYTAXEL.exe DGHYTAXEL.exe -
outlook_office_path 1 IoCs
Processes:
DGHYTAXEL.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook DGHYTAXEL.exe -
outlook_win_path 1 IoCs
Processes:
DGHYTAXEL.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook DGHYTAXEL.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Users\Admin\AppData\Roaming\DGHYTAXEL.exe"C:\Users\Admin\AppData\Roaming\DGHYTAXEL.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Users\Admin\AppData\Roaming\DGHYTAXEL.exe"C:\Users\Admin\AppData\Roaming\DGHYTAXEL.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2496
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
551KB
MD5a7f15ec22acd855aa0f008a1ede9688a
SHA18773f6cd77d0297a686b7f7fc857c0cc680581e2
SHA25653f4cbf86ef6136439800c083b8498d3aa20183bcb73bc671951c6727382817d
SHA5120b2af8e389861134fd0583dd596e38e03fcdbb80d144e3ac6164c3f51a77d08cfaf6f896890dd4ed2306ea7d902a6b4b4f4c8564669bf8d33906bd86f4551910
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-268080393-3149932598-1824759070-1000\0f5007522459c86e95ffcc62f32308f1_84f733b4-eea8-4063-a7fc-81d3a2fcb37c
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-268080393-3149932598-1824759070-1000\0f5007522459c86e95ffcc62f32308f1_84f733b4-eea8-4063-a7fc-81d3a2fcb37c
Filesize46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
506KB
MD5ca414d650af68f3b5ac3033f2a1ed2c3
SHA1f175baa9a58f5916dfad551d63de1820d4f70abd
SHA256b3bc78937b756106c4c666b253f32c6af960f1639d0f804602ed52c7d7317004
SHA5123497a63f346f9063a7c1350b863aae236829de5dbe738445cbce6b5d5977a9b895b703d76f2fbc5899fe906a7eb048f5a25ba4511ed9c7d682e02ff746472834