Analysis
-
max time kernel
126s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
-
submitted
17-05-2024 23:20
Static task
static1
Behavioral task
behavioral1
Sample
50429b6cb4ef0a6d29f292caa54f7295JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
50429b6cb4ef0a6d29f292caa54f7295JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
50429b6cb4ef0a6d29f292caa54f7295JaffaCakes118.exe
-
Size
536KB
-
MD5
50429b6cb4ef0a6d29f292caa54f7295
-
SHA1
79a852f98f6b4e2ea1ef9353c77c18b1017355e8
-
SHA256
cbc35ecabbdbca204a8e095a878ead95ff71842493ec8365865c421b38861ee6
-
SHA512
2ccd788406d1c4ad56cee9d0386fedf6836273c908eae1fb23dcd6230413c7dfaa194d3fbbbb3c76343b13f2a8b64998e8a3aaa79f525f03789b78ecba1e05f6
-
SSDEEP
12288:8vpSsqzU5Ht1OSkVC8/QwQZkKIEamTJbiszTIX7yQO0B:8vosqg9t0SzSckKPNisXImQVB
Malware Config
Extracted
lokibot
http://sylvaclouds.eu/kendrick/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2760 | project6982.exe
2884 | project6982.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
2572 | cmd.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | project6982.exe
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | project6982.exe
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | project6982.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\Desktop\\project6982.exe -boot" | project6982.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2760 set thread context of 2884 | 2760 | project6982.exe | project6982.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2104 | 50429b6cb4ef0a6d29f292caa54f7295JaffaCakes118.exe
Token: SeDebugPrivilege | 2760 | project6982.exe
Token: SeDebugPrivilege | 2884 | project6982.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
description | pid | process | target process
PID 2104 wrote to memory of 2716 | 2104 | 50429b6cb4ef0a6d29f292caa54f7295JaffaCakes118.exe | cmd.exe
PID 2104 wrote to memory of 2716 | 2104 | 50429b6cb4ef0a6d29f292caa54f7295JaffaCakes118.exe | cmd.exe
PID 2104 wrote to memory of 2716 | 2104 | 50429b6cb4ef0a6d29f292caa54f7295JaffaCakes118.exe | cmd.exe
PID 2104 wrote to memory of 2716 | 2104 | 50429b6cb4ef0a6d29f292caa54f7295JaffaCakes118.exe | cmd.exe
PID 2104 wrote to memory of 2572 | 2104 | 50429b6cb4ef0a6d29f292caa54f7295JaffaCakes118.exe | cmd.exe
PID 2104 wrote to memory of 2572 | 2104 | 50429b6cb4ef0a6d29f292caa54f7295JaffaCakes118.exe | cmd.exe
PID 2104 wrote to memory of 2572 | 2104 | 50429b6cb4ef0a6d29f292caa54f7295JaffaCakes118.exe | cmd.exe
PID 2104 wrote to memory of 2572 | 2104 | 50429b6cb4ef0a6d29f292caa54f7295JaffaCakes118.exe | cmd.exe
PID 2572 wrote to memory of 2760 | 2572 | cmd.exe | project6982.exe
PID 2572 wrote to memory of 2760 | 2572 | cmd.exe | project6982.exe
PID 2572 wrote to memory of 2760 | 2572 | cmd.exe | project6982.exe
PID 2572 wrote to memory of 2760 | 2572 | cmd.exe | project6982.exe
PID 2760 wrote to memory of 2884 | 2760 | project6982.exe | project6982.exe
PID 2760 wrote to memory of 2884 | 2760 | project6982.exe | project6982.exe
PID 2760 wrote to memory of 2884 | 2760 | project6982.exe | project6982.exe
PID 2760 wrote to memory of 2884 | 2760 | project6982.exe | project6982.exe
PID 2760 wrote to memory of 2884 | 2760 | project6982.exe | project6982.exe
PID 2760 wrote to memory of 2884 | 2760 | project6982.exe | project6982.exe
PID 2760 wrote to memory of 2884 | 2760 | project6982.exe | project6982.exe
PID 2760 wrote to memory of 2884 | 2760 | project6982.exe | project6982.exe
PID 2760 wrote to memory of 2884 | 2760 | project6982.exe | project6982.exe
PID 2760 wrote to memory of 2884 | 2760 | project6982.exe | project6982.exe
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | project6982.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | project6982.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\50429b6cb4ef0a6d29f292caa54f7295JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\50429b6cb4ef0a6d29f292caa54f7295JaffaCakes118.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\50429b6cb4ef0a6d29f292caa54f7295JaffaCakes118.exe" "C:\Users\Admin\Desktop\project6982.exe"
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Desktop\project6982.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\Desktop\project6982.exe
        Command line: "C:\Users\Admin\Desktop\project6982.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\Desktop\project6982.exe
          Command line: "C:\Users\Admin\Desktop\project6982.exe"
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Suspicious use of AdjustPrivilegeToken
          - outlook_office_path
          - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3691908287-3775019229-3534252667-1000\0f5007522459c86e95ffcc62f32308f1_a42634aa-f501-41cf-bed1-b8158857da02
Filesize 46B
MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3691908287-3775019229-3534252667-1000\0f5007522459c86e95ffcc62f32308f1_a42634aa-f501-41cf-bed1-b8158857da02
Filesize 46B
MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
C:\Users\Admin\Desktop\project6982.exe
Filesize 536KB
MD5 50429b6cb4ef0a6d29f292caa54f7295
SHA1 79a852f98f6b4e2ea1ef9353c77c18b1017355e8
SHA256 cbc35ecabbdbca204a8e095a878ead95ff71842493ec8365865c421b38861ee6
SHA512 2ccd788406d1c4ad56cee9d0386fedf6836273c908eae1fb23dcd6230413c7dfaa194d3fbbbb3c76343b13f2a8b64998e8a3aaa79f525f03789b78ecba1e05f6
-
memory/2104-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp
Filesize 4KB
-
memory/2104-1-0x0000000000DD0000-0x0000000000E60000-memory.dmp
Filesize 576KB
-
memory/2104-2-0x00000000003B0000-0x00000000003FA000-memory.dmp
Filesize 296KB
-
memory/2104-3-0x0000000000340000-0x000000000035E000-memory.dmp
Filesize 120KB
-
memory/2104-4-0x0000000074A00000-0x00000000750EE000-memory.dmp
Filesize 6.9MB
-
memory/2104-7-0x0000000074A00000-0x00000000750EE000-memory.dmp
Filesize 6.9MB
-
memory/2760-11-0x00000000008F0000-0x0000000000980000-memory.dmp
Filesize 576KB
-
memory/2884-12-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize 648KB
-
memory/2884-14-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize 648KB