Overview

Score  Task          Target                 Platform
10     static1       Static                 static
3      behavioral1   46b674fd08...18.exe    windows7-x64
10     behavioral2   46b674fd08...18.exe    windows10-2004-x64
1      behavioral3   $APPDATA/3...ui.dll    windows7-x64
1      behavioral4   $APPDATA/3...ui.dll    windows10-2004-x64
1      behavioral5   $APPDATA/3...ui.dll    windows7-x64
1      behavioral6   $APPDATA/3...ui.dll    windows10-2004-x64
1      behavioral7   $APPDATA/i...60.dll    windows7-x64
1      behavioral8   $APPDATA/i...60.dll    windows10-2004-x64
1      behavioral9   $APPDATA/i...60.dll    windows7-x64
1      behavioral10  $APPDATA/i...60.dll    windows10-2004-x64
1      behavioral11  $APPDATA/i...60.dll    windows7-x64
1      behavioral12  $APPDATA/i...60.dll    windows10-2004-x64
1      behavioral13  $APPDATA/i...60.dll    windows7-x64
1      behavioral14  $APPDATA/i...60.dll    windows10-2004-x64
1      behavioral15  $APPDATA/i...er.dll    windows7-x64
1      behavioral16  $APPDATA/i...er.dll    windows10-2004-x64
1      behavioral17  $APPDATA/i...UI.dll    windows7-x64
1      behavioral18  $APPDATA/i...UI.dll    windows10-2004-x64
1      behavioral19  $APPDATA/i...wp.exe    windows7-x64
1      behavioral20  $APPDATA/i...wp.exe    windows10-2004-x64
1      behavioral21  $APPDATA/i...ty.dll    windows7-x64
1      behavioral22  $APPDATA/i...ty.dll    windows10-2004-x64
1      behavioral23  $APPDATA/i...ld.dll    windows7-x64
1      behavioral24  $APPDATA/i...ld.dll    windows10-2004-x64
1      behavioral25  $APPDATA/i...DC.dll    windows7-x64
1      behavioral26  $APPDATA/i...DC.dll    windows10-2004-x64
1      behavioral27  $APPDATA/m...60.dll    windows7-x64
1      behavioral28  $APPDATA/m...60.dll    windows10-2004-x64
1      behavioral29  $APPDATA/m...60.dll    windows7-x64
1      behavioral30  $APPDATA/m...60.dll    windows10-2004-x64
1      behavioral31  $APPDATA/m...ap.dll    windows7-x64
1      behavioral32  $APPDATA/m...ap.dll    windows10-2004-x64

Only the static task and the sample executable on windows10-2004-x64 score 10; the 30 secondary files carved out of $APPDATA score 1 on both platforms. The full paths of the truncated targets are listed under Analysis.
Analysis

max time kernel:   140s
max time network:  158s
platform:          windows10-2004_x64
resource:          win10v2004-20240226-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted:         15-05-2024 15:03

Tasks

Task          Sample                                                   Resource
static1       Static task                                              -
behavioral1   46b674fd08c91d314f0f03c3a4f11b8f_JaffaCakes118.exe       win7-20240221-en
behavioral2   46b674fd08c91d314f0f03c3a4f11b8f_JaffaCakes118.exe       win10v2004-20240226-en
behavioral3   $APPDATA/300/web_users/pkg/pgort80ui.dll                 win7-20231129-en
behavioral4   $APPDATA/300/web_users/pkg/pgort80ui.dll                 win10v2004-20240226-en
behavioral5   $APPDATA/300/web_users/pkg/pgoui.dll                     win7-20240221-en
behavioral6   $APPDATA/300/web_users/pkg/pgoui.dll                     win10v2004-20240226-en
behavioral7   $APPDATA/img2/it_IT/29.opends60.dll                      win7-20231129-en
behavioral8   $APPDATA/img2/it_IT/29.opends60.dll                      win10v2004-20240426-en
behavioral9   $APPDATA/img2/it_IT/31.opends60.dll                      win7-20240221-en
behavioral10  $APPDATA/img2/it_IT/31.opends60.dll                      win10v2004-20240508-en
behavioral11  $APPDATA/img2/it_IT/65.opends60.dll                      win7-20231129-en
behavioral12  $APPDATA/img2/it_IT/65.opends60.dll                      win10v2004-20240226-en
behavioral13  $APPDATA/img2/it_IT/74.opends60.dll                      win7-20240215-en
behavioral14  $APPDATA/img2/it_IT/74.opends60.dll                      win10v2004-20240508-en
behavioral15  $APPDATA/img2/it_IT/MicrosoftVisualCVSCodeProvider.dll   win7-20240221-en
behavioral16  $APPDATA/img2/it_IT/MicrosoftVisualCVSCodeProvider.dll   win10v2004-20240508-en
behavioral17  $APPDATA/img2/it_IT/ProjWizUI.dll                        win7-20240508-en
behavioral18  $APPDATA/img2/it_IT/ProjWizUI.dll                        win10v2004-20240508-en
behavioral19  $APPDATA/img2/it_IT/aspnetwp.exe                         win7-20240508-en
behavioral20  $APPDATA/img2/it_IT/aspnetwp.exe                         win10v2004-20240426-en
behavioral21  $APPDATA/img2/it_IT/extensibility.dll                    win7-20231129-en
behavioral22  $APPDATA/img2/it_IT/extensibility.dll                    win10v2004-20240426-en
behavioral23  $APPDATA/img2/it_IT/vcencbld.dll                         win7-20240221-en
behavioral24  $APPDATA/img2/it_IT/vcencbld.dll                         win10v2004-20240508-en
behavioral25  $APPDATA/img2/it_IT/wbemDC.dll                           win7-20240221-en
behavioral26  $APPDATA/img2/it_IT/wbemDC.dll                           win10v2004-20240508-en
behavioral27  $APPDATA/media/albums/26.opends60.dll                    win7-20240220-en
behavioral28  $APPDATA/media/albums/26.opends60.dll                    win10v2004-20240426-en
behavioral29  $APPDATA/media/albums/80.opends60.dll                    win7-20240419-en
behavioral30  $APPDATA/media/albums/80.opends60.dll                    win10v2004-20240508-en
behavioral31  $APPDATA/media/albums/ActiveSyncBootstrap.dll            win7-20240508-en
behavioral32  $APPDATA/media/albums/ActiveSyncBootstrap.dll            win10v2004-20240508-en
General

Target:  46b674fd08c91d314f0f03c3a4f11b8f_JaffaCakes118.exe
Size:    364KB
MD5:     46b674fd08c91d314f0f03c3a4f11b8f
SHA1:    5fd81f98e511e67a3c0bbca16dcb7802f3a3308b
SHA256:  14b23833a0069ece9c114d554b406c7f1da45fdcd910ecee37fbf0136aa09af2
SHA512:  bbb93ecd4ca9bc9fd08f2fc73437647dfa2c2433c0349edf7ec8d091d428444090b4c7d178e6a55c62554393db987e906b16115c578d6b8deef317ea8b24e19b
SSDEEP:  6144:/PCganNmYVTbqB4llElg0Jx14ur84IZZUdfh76OV9cpLkmSPxY/FYYkXmQObIKh7:VanggTw4Wgg1PA4mZUDmOzcpLvaxYwmH
Malware Config

Extracted family: lokibot
C2 URLs:
  http://remzclot.ga/etc/main/l09/ap0s/home.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
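The five C2 URLs above are the indicators a responder would sweep proxy logs for. The following is an added example, not part of the report, showing how to match them correctly: an exact URL match for the configured gates, plus a hostname match (including subdomains) so that a beacon to a different path on the same domain is still caught, while a lookalike such as alphastand.example.org is not. The proxy log format ("timestamp client method url status") and every log line in it are constructed for the example; a non-200 status is still reported as a hit, since a failed beacon is still evidence of an infected client.

```python
from urllib.parse import urlsplit

# C2 URLs from the Lokibot config extracted in the report.
LOKIBOT_C2 = (
    "http://remzclot.ga/etc/main/l09/ap0s/home.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
)
C2_URLS = set(LOKIBOT_C2)
C2_HOSTS = {urlsplit(u).hostname for u in LOKIBOT_C2}


def classify(url):
    """'exact' for a configured C2 URL, 'host' for any other URL on a C2 domain or
    one of its subdomains, None otherwise. The comparison is on the parsed
    hostname, not a substring search, so alphastand.example.org does not match."""
    if url in C2_URLS:
        return "exact"
    host = (urlsplit(url).hostname or "").lower()
    for c2 in C2_HOSTS:
        if host == c2 or host.endswith("." + c2):
            return "host"
    return None


def scan_proxy_log(text):
    """Scan 'timestamp client method url status' lines and return every C2 hit.
    Status is recorded but never used to filter: a 404 from a dead gate still
    identifies the client that tried to beacon."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, method, url, status = fields[:5]
        kind = classify(url)
        if kind:
            hits.append({"line": lineno, "ts": ts, "client": client, "method": method,
                         "url": url, "status": status, "match": kind})
    return hits


def infected_clients(text):
    """Distinct client addresses that contacted a C2 host, for the containment list."""
    return sorted({h["client"] for h in scan_proxy_log(text)})


# Constructed proxy log in a simplified 'ts client method url status' format (not from the report).
PROXY_LOG = """\
1715785400 10.0.0.12 GET http://example.com/index.html 200
1715785412 10.0.0.12 POST http://alphastand.top/alien/fre.php 404
1715785420 10.0.0.34 POST http://remzclot.ga/etc/main/l09/ap0s/home.php 200
1715785433 10.0.0.34 GET http://remzclot.ga/etc/main/l09/ap0s/other.php 200
1715785440 10.0.0.56 GET http://www.alphastand.win/alien/fre.php 200
1715785451 10.0.0.78 GET http://alphastand.example.org/alien/fre.php 200
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(hit)
    print("clients to contain:", infected_clients(PROXY_LOG))
```

Running the block against the constructed log flags lines 2 to 5 (two exact gate hits, one other path on remzclot.ga, one subdomain of alphastand.win) and leaves the example.org lookalike alone; the three distinct client addresses are the containment list.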
Signatures

Loads dropped DLL (1 IoC)
  Process: rundll32.exe (PID 4924)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: cmd.exe (PID 1336)
  Key opened: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  Key opened: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  Key opened: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: rundll32.exe (PID 4924)

Suspicious behavior: MapViewOfSection (1 IoC)
  Process: rundll32.exe (PID 4924)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: cmd.exe (PID 1336), Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (64 IoCs)
  Source PID   Source process                                        Target PID   Target process   Events
  656          46b674fd08c91d314f0f03c3a4f11b8f_JaffaCakes118.exe    4924         rundll32.exe     3
  4924         rundll32.exe                                          1336         cmd.exe          61
  The sustained writes from rundll32.exe into the cmd.exe it has just spawned, the MapViewOfSection activity in rundll32.exe, and the 648KB 0x00400000-0x004A2000 dumps taken from PID 1336 (listed under Downloads) are consistent with the Lokibot payload being injected into cmd.exe. The Outlook profile key reads and the SeDebugPrivilege request are therefore made by injected code running as cmd.exe, whose command line carries no script or /c argument.

outlook_office_path (1 IoC)
  Process: cmd.exe (PID 1336)
  Key opened: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path (1 IoC)
  Process: cmd.exe (PID 1336)
  Key opened: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes

C:\Users\Admin\AppData\Local\Temp\46b674fd08c91d314f0f03c3a4f11b8f_JaffaCakes118.exe  (PID 656, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\46b674fd08c91d314f0f03c3a4f11b8f_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe  (PID 4924, level 2, child of 656)
    Command line: rundll32.exe Antipodean,Uboats
    The module is given as a bare name with no path or extension; it resolves to the dropped C:\Users\Admin\AppData\Local\Temp\Antipodean.DLL listed under Downloads, and Uboats is the export that is called.
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1336, level 3, child of 4924)
      Command line: "C:\Windows\system32\cmd.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3408, level 1; separate root process, not a child of the sample, no signatures attributed)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3712 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
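The process tree and the Signatures section together describe a three-stage chain that is worth detecting as a unit rather than by any one signature: a dropper in the user's Temp directory runs rundll32.exe on a bare module name with an export, that rundll32.exe spawns cmd.exe, and the cmd.exe then opens the Outlook profile keys. The following is an added example, not part of the report or of any vendor's ruleset, that runs this logic over Sysmon-style ProcessCreate and RegistryEvent records. The event records, the field names, the parent PID 3000 and the benign noise entries (a normal rundll32.exe shell32.dll call and OUTLOOK.EXE reading its own profile key) are constructed for the example; the PIDs, command lines and registry paths of the malicious chain are taken from the report.

```python
import re

# SID of the sandbox user, taken from the report's registry IoCs.
SID = "S-1-5-21-3808065738-1666277613-1125846146-1000"

# Outlook profile keys opened by cmd.exe (PID 1336) in the report, lower-cased and with
# the \REGISTRY\USER\<SID> prefix stripped so the match works for any user.
OUTLOOK_PROFILE_KEYS = (
    r"\software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles\outlook",
    r"\software\microsoft\office\15.0\outlook\profiles\outlook",
    r"\software\microsoft\office\16.0\outlook\profiles\outlook",
)

# rundll32.exe given a bare module name (no path, no extension) followed by ",export",
# as in the report's "rundll32.exe Antipodean,Uboats". Legitimate invocations nearly
# always carry a path or at least a .dll suffix, which this pattern rejects.
BARE_RUNDLL32 = re.compile(r'rundll32\.exe\s+"?([^\\/"\s,.]+)"?\s*,\s*(\S+)', re.IGNORECASE)


def is_bare_rundll32(cmdline):
    """Return (module, export) when rundll32 loads a bare module name, else None."""
    m = BARE_RUNDLL32.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def opens_outlook_profile(target):
    """True when a registry target is one of the Outlook profile keys, under any user SID."""
    t = target.lower()
    return any(t.endswith(k) for k in OUTLOOK_PROFILE_KEYS)


def find_chains(events):
    """One finding per cmd.exe completing the chain:
    rundll32.exe <bare module>,<export>  ->  child cmd.exe  ->  Outlook profile key opened."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    stage1 = {pid for pid, e in procs.items()
              if e["image"].lower().endswith("\\rundll32.exe") and is_bare_rundll32(e["cmdline"])}
    stage2 = {pid: e["ppid"] for pid, e in procs.items()
              if e["ppid"] in stage1 and e["image"].lower().endswith("\\cmd.exe")}
    findings = {}
    for e in events:
        if e["type"] == "RegistryEvent" and e["pid"] in stage2 and opens_outlook_profile(e["target"]):
            rundll_pid = stage2[e["pid"]]
            f = findings.setdefault(e["pid"], {
                "dropper_pid": procs[rundll_pid]["ppid"],
                "rundll32_pid": rundll_pid,
                "rundll32_module": is_bare_rundll32(procs[rundll_pid]["cmdline"]),
                "cmd_pid": e["pid"],
                "keys": [],
            })
            f["keys"].append(e["target"])
    return list(findings.values())


def hku(path):
    """Build an HKU registry path for the sandbox user, in the form the report prints."""
    return "\\REGISTRY\\USER\\" + SID + path


# Constructed Sysmon-like telemetry (ProcessCreate / RegistryEvent), not the report's own log.
EVENTS = [
    {"type": "ProcessCreate", "pid": 656, "ppid": 3000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\46b674fd08c91d314f0f03c3a4f11b8f_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\46b674fd08c91d314f0f03c3a4f11b8f_JaffaCakes118.exe"'},
    {"type": "ProcessCreate", "pid": 4924, "ppid": 656,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": "rundll32.exe Antipodean,Uboats"},
    {"type": "ProcessCreate", "pid": 1336, "ppid": 4924,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"type": "RegistryEvent", "pid": 1336,
     "target": hku(r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook")},
    {"type": "RegistryEvent", "pid": 1336,
     "target": hku(r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook")},
    # Constructed benign noise: a normal rundll32 call with a .dll suffix, and Outlook reading its own key.
    {"type": "ProcessCreate", "pid": 7000, "ppid": 3000,
     "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "ProcessCreate", "pid": 8000, "ppid": 3000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "cmdline": "OUTLOOK.EXE"},
    {"type": "RegistryEvent", "pid": 8000,
     "target": hku(r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook")},
]

if __name__ == "__main__":
    for finding in find_chains(EVENTS):
        print(finding)
```

On the constructed telemetry this yields a single finding, dropper 656 via rundll32.exe 4924 to cmd.exe 1336 with both profile keys, and ignores the shell32.dll call and OUTLOOK.EXE's own registry read. Requiring all three stages keeps the rule quiet on hosts where rundll32.exe or Outlook profile reads are routine; the bare-module check alone is a good hunting query but too noisy to alert on by itself.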
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\Anticlerical
  Filesize: 148KB
  MD5:    d167f2663a208cbe6f674b88ee8305e0
  SHA1:   622b5c58bfb4ef7bc684a7d7a189a18f6943ff1d
  SHA256: cfd01cb839fe404f04775f8a4c018d6179b4ce7c9d9360e035f9e560c7c38920
  SHA512: ecbf19a28893c20b4d98cb81677b74c3569cf52a2dd8ca343ba60a5349ab572412fa6ade221c90fab72d616cff0f22a94e90e96f02296c24a7a4f0ed31601aae

C:\Users\Admin\AppData\Local\Temp\Antipodean.DLL
  Filesize: 44KB
  MD5:    d7a22a2ec4cc5e2c8cb1f82234009a16
  SHA1:   d1eedeebce9b8f27a155e3d1977efa0475ad0111
  SHA256: 717a23f32f01d6ea6e4760762d861930eda587b78ece86571670a87812237318
  SHA512: ccf67b25111892b7c0f9586178c4750159e20147f1016531c30863eeaf1b06e51d27c945b61d6cf0bdd23682129ea89ef9870620d2d2de0de2626ca456250a98

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\0f5007522459c86e95ffcc62f32308f1_2397ee06-28fe-4eaa-8777-f7014368c353
  Filesize: 46B
  MD5:    c07225d4e7d01d31042965f048728a0a
  SHA1:   69d70b340fd9f44c89adb9a2278df84faa9906b7
  SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
  SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\0f5007522459c86e95ffcc62f32308f1_2397ee06-28fe-4eaa-8777-f7014368c353  (second capture of the same path, different content)
  Filesize: 46B
  MD5:    d898504a722bff1524134c6ab6a5eaa5
  SHA1:   e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Memory dumps

Dump                                                               Filesize
memory/1336-45-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp    2.0MB
memory/1336-42-0x0000000000400000-0x00000000004A2000-memory.dmp    648KB
memory/1336-44-0x0000000000B70000-0x0000000000B76000-memory.dmp    24KB
memory/1336-43-0x0000000000400000-0x00000000004A2000-memory.dmp    648KB
memory/1336-52-0x0000000000400000-0x00000000004A2000-memory.dmp    648KB
memory/1336-96-0x0000000000400000-0x00000000004A2000-memory.dmp    648KB
memory/4924-41-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp    2.0MB
memory/4924-40-0x00000000758C0000-0x0000000075923000-memory.dmp    396KB
memory/4924-50-0x0000000073E70000-0x0000000073F38000-memory.dmp    800KB
memory/4924-39-0x0000000073E70000-0x0000000073F38000-memory.dmp    800KB
memory/4924-38-0x0000000002820000-0x0000000002822000-memory.dmp    8KB