Analysis

  • max time kernel
    147s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    15-05-2024 04:42

General

  • Target

    4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe

  • Size

    861KB

  • MD5

    4492d19d68954260f2e0107410b4ca29

  • SHA1

    a868cf7984f82e26fc10042abd29d446fc00c60e

  • SHA256

    27fb1f8b290ec2212af9f5b2cbe26bcad4def0b89b479734adc2ae6d1d4840f0

  • SHA512

    0833b7e7e2ea47aaab5826fc8f9ecaa89ddb58ff21166bd223cffab837c358f1ef59df467b14476cbb8a68779f4e19dc447b6059c9b9c9b3b0d0fc401f3d4926

  • SSDEEP

    12288:mfAv6B8azBwdmiX+tGAHwp3pmYSdlpfPfvdcG8RSQOQA1533a1VC74/7jXB2wRsg:0k6+c2dm2AQp3awPvOQ4K19Xx2WswMO

Malware Config

Extracted

Family

lokibot

C2

https://clotiahs.info/ret/four/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4492d19d68954260f2e0107410b4ca29_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Users\Admin\AppData\Roaming\DGHYTAXEL.exe
      "C:\Users\Admin\AppData\Roaming\DGHYTAXEL.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Users\Admin\AppData\Roaming\DGHYTAXEL.exe
        "C:\Users\Admin\AppData\Roaming\DGHYTAXEL.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2496

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\DGHYTA.bmp

    Filesize

    551KB

    MD5

    a7f15ec22acd855aa0f008a1ede9688a

    SHA1

    8773f6cd77d0297a686b7f7fc857c0cc680581e2

    SHA256

    53f4cbf86ef6136439800c083b8498d3aa20183bcb73bc671951c6727382817d

    SHA512

    0b2af8e389861134fd0583dd596e38e03fcdbb80d144e3ac6164c3f51a77d08cfaf6f896890dd4ed2306ea7d902a6b4b4f4c8564669bf8d33906bd86f4551910

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-268080393-3149932598-1824759070-1000\0f5007522459c86e95ffcc62f32308f1_84f733b4-eea8-4063-a7fc-81d3a2fcb37c

    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-268080393-3149932598-1824759070-1000\0f5007522459c86e95ffcc62f32308f1_84f733b4-eea8-4063-a7fc-81d3a2fcb37c

    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

  • \Users\Admin\AppData\Roaming\DGHYTAXEL.exe

    Filesize

    506KB

    MD5

    ca414d650af68f3b5ac3033f2a1ed2c3

    SHA1

    f175baa9a58f5916dfad551d63de1820d4f70abd

    SHA256

    b3bc78937b756106c4c666b253f32c6af960f1639d0f804602ed52c7d7317004

    SHA512

    3497a63f346f9063a7c1350b863aae236829de5dbe738445cbce6b5d5977a9b895b703d76f2fbc5899fe906a7eb048f5a25ba4511ed9c7d682e02ff746472834

  • memory/2496-35-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2496-33-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2496-29-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2496-31-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2496-83-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2496-27-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2496-47-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2496-45-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2496-38-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2496-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2828-46-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2828-19-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2828-18-0x0000000000380000-0x0000000000381000-memory.dmp

    Filesize

    4KB

  • memory/2828-21-0x0000000000380000-0x0000000000381000-memory.dmp

    Filesize

    4KB