Analysis
max time kernel: 143s
max time network: 121s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 18-05-2024 19:34
Static task: static1
Behavioral task: behavioral1
  Sample: 566c2c6c5c45306f03831e2c656267ec_JaffaCakes118.rtf
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 566c2c6c5c45306f03831e2c656267ec_JaffaCakes118.rtf
  Resource: win10v2004-20240426-en
General
Target: 566c2c6c5c45306f03831e2c656267ec_JaffaCakes118.rtf
Size: 1.5MB
MD5: 566c2c6c5c45306f03831e2c656267ec
SHA1: 689b81989a8bffcc5674f9389fd233348be46f08
SHA256: 329c3b1c04a4b64aa1f20adf2d8df0d409a0d8e816acf3f29e497d3b1946808b
SHA512: 7e2e028c86fbd6287a1db1a63e6516047fc69d7fad65f7abe41093bc27fe674e93aad9590ba72a28b457d1d9c0393954af54d5e2264f6a6bf0b091c49c496c95
SSDEEP: 24576:pd6qlMEjK59o/Uv9IXvaVojYaT5bDbZUgtUfLznefTHLtpxQrUjDuZ4O:y
Malware Config
Extracted
lokibot
http://gavrelssimonskype.su/wp/web-obtain/css/log/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- cmd.exe (PID 1604), target process WINWORD.EXE (PID 2076): Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
- cmd.exe (PID 2704), target process WINWORD.EXE (PID 2076): Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process

Executes dropped EXE (1 IoC)
Processes:
- saver.scr (PID 1488)

Loads dropped DLL (1 IoC)
Processes:
- cmd.exe (PID 2680)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (saver.scr)
- Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (saver.scr)
- Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (saver.scr)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Office loads VBA resources, possible macro or embedded object present

Delays execution with timeout.exe (1 IoC)
Processes:
- timeout.exe (PID 2572)

Kills process with taskkill (1 IoC)
Processes:
- taskkill.exe (PID 2744)
Modifies Internet Explorer settings
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
NTFS ADS (1 IoC)
Processes:
- File created C:\Users\Admin\appdata\local\temp\hondi.cmd:Zone.Identifier (cmd.exe)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- WINWORD.EXE (PID 2076)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, taskkill.exe (PID 2744)
- Token: SeDebugPrivilege, saver.scr (PID 1488)

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
- WINWORD.EXE (PID 2076), 2 events
- saver.scr (PID 1488), 3 events

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (each pair below was recorded 4 times):
- PID 2076 (WINWORD.EXE) wrote to memory of PID 1604 (cmd.exe)
- PID 1604 (cmd.exe) wrote to memory of PID 2604 (cmd.exe)
- PID 2604 (cmd.exe) wrote to memory of PID 2680 (cmd.exe)
- PID 2076 (WINWORD.EXE) wrote to memory of PID 2704 (cmd.exe)
- PID 2680 (cmd.exe) wrote to memory of PID 2572 (timeout.exe)
- PID 2704 (cmd.exe) wrote to memory of PID 2708 (cmd.exe)
- PID 2680 (cmd.exe) wrote to memory of PID 2744 (taskkill.exe)
- PID 2680 (cmd.exe) wrote to memory of PID 2468 (reg.exe)
- PID 2680 (cmd.exe) wrote to memory of PID 2480 (cmd.exe)
- PID 2480 (cmd.exe) wrote to memory of PID 2532 (reg.exe)
- PID 2680 (cmd.exe) wrote to memory of PID 1904 (reg.exe)
- PID 2680 (cmd.exe) wrote to memory of PID 2924 (cmd.exe)
- PID 2924 (cmd.exe) wrote to memory of PID 2920 (reg.exe)
- PID 2680 (cmd.exe) wrote to memory of PID 2240 (reg.exe)
- PID 2680 (cmd.exe) wrote to memory of PID 2932 (cmd.exe)
- PID 2932 (cmd.exe) wrote to memory of PID 2180 (reg.exe)

outlook_office_path (1 IoC)
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (saver.scr)

outlook_win_path (1 IoC)
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (saver.scr)
Processes (process tree; "Level" is the nesting depth, each entry gives the image path, then its command line, then the signatures attributed to it)

Level 1: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\566c2c6c5c45306f03831e2c656267ec_JaffaCakes118.rtf"
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\DqFm.cMD"
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: CmD
      - NTFS ADS
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\appdata\local\temp\hondi.cmD
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\timeout.exe
          Command line: TIMEOUT /T 1
          - Delays execution with timeout.exe

        Level 5: C:\Windows\SysWOW64\taskkill.exe
          Command line: TASkKILL /F /IM winword.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Windows\SysWOW64\reg.exe
            Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"

        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Windows\SysWOW64\reg.exe
            Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"

        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\Resiliency /f

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Windows\SysWOW64\reg.exe
            Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"

        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\Resiliency /f

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"

          Level 6: C:\Windows\SysWOW64\reg.exe
            Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"

        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\Resiliency /f

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"

          Level 6: C:\Windows\SysWOW64\reg.exe
            Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"

        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency /f

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"

          Level 6: C:\Windows\SysWOW64\reg.exe
            Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"

        Level 5: C:\Users\Admin\AppData\Local\Temp\saver.scr
          Command line: "C:\Users\Admin\AppData\Local\Temp\saver.scr"
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - outlook_office_path
          - outlook_win_path

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\DqFm.cMD"
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: CmD
Network
Downloads

- C:\Users\Admin\AppData\Local\Temp\DqFm.cMD
  Filesize: 269B
  MD5: 3349aa74c60a95fb4245770fed418b19
  SHA1: 875ba744ecbdf720bbe7e4f19954abab32598d6e
  SHA256: 7228f7d55c4987a313c6e5964c46ccb971a8917d69b425e77dedc01fad72dac2
  SHA512: 8a7c2ef779ca97050a3e6aede13dc0a7642268297790d01c925ce23062c6c8d0eff579372e2590c7b17df0d45c00ac38b53ddba93e810849aa2505313168816e

- C:\Users\Admin\AppData\Local\Temp\trbatehtqevyay.ScT
  Filesize: 600B
  MD5: c6c111eecb55022728ef0c1515ee0bd6
  SHA1: 04789ed7a7262e8056844631ef9e699571569adb
  SHA256: 84d50947fe24b9147835e0e7255d801b172416c817afa6b0d7b9c455124b6b60
  SHA512: 70cc78fb397facae2031518a84daf6c1540c85928fc065593bb925276e5f6f8282b1965655c3ae9bb60abbd5d8b566839e8205e24ba46f077223a409d15b41d6

- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-481678230-3773327859-3495911762-1000\0f5007522459c86e95ffcc62f32308f1_62d00eb3-39d9-4013-96e4-e92894ec756e
  Filesize: 46B
  MD5: d898504a722bff1524134c6ab6a5eaa5
  SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-481678230-3773327859-3495911762-1000\0f5007522459c86e95ffcc62f32308f1_62d00eb3-39d9-4013-96e4-e92894ec756e
  Filesize: 46B
  MD5: c07225d4e7d01d31042965f048728a0a
  SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
  SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
  SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

- C:\Users\Admin\appData\loCal\TeMp\gondi.doc
  Filesize: 31KB
  MD5: df778726a0f7ffeaa9fc16826f77a946
  SHA1: 3b4bac8f09cf2d9227c3143aa33ee7b6c1a2cc0c
  SHA256: a52fad09e1fb5e5c5532b8a9130c4f99ddbebbfb15ba416e67069866e1b5b3da
  SHA512: 5d5525b61cce9fc6f806c8d666d291e74915aeac20d7fd937c6d0fab9cefc4287ccdc539dd34b017c9abc6f38c87e9244b0c85a54b3fbe83da885334b1f63215

- C:\Users\Admin\appdata\local\temp\hondi.cmd:Zone.Identifier
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- \Users\Admin\AppData\Local\Temp\saver.scr
  Filesize: 660KB
  MD5: d9bb08e8aea8377d26b34270ecbbb611
  SHA1: 38f1d28a6b86eed59539124d73363db68e1b94c1
  SHA256: e91aa8a1ca313c56a0d9cfb2de41006f82098bfd2c81507a4e7bb6417fe2cdc0
  SHA512: b32457f405f836fe11f350910bad9491b6dc43446996724e0491cbbf4baf9a4fc85e2cb40fdfa1479ff262edc5de4f64c3c115a76af907f8d101bed45e003905

- memory/1488-41-0x0000000000400000-0x00000000004A9000-memory.dmp
  Filesize: 676KB

- memory/1488-82-0x0000000000400000-0x00000000004A9000-memory.dmp
  Filesize: 676KB

- memory/2076-36-0x000000007149D000-0x00000000714A8000-memory.dmp
  Filesize: 44KB

- memory/2076-0-0x000000002FA51000-0x000000002FA52000-memory.dmp
  Filesize: 4KB

- memory/2076-2-0x000000007149D000-0x00000000714A8000-memory.dmp
  Filesize: 44KB

- memory/2076-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB