Analysis
max time kernel
146s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
27-05-2024 16:55
Static task
static1
Behavioral task
behavioral1
Sample
79d1c8d13e8bb5c694d07e6471f9db57_JaffaCakes118.msi
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
79d1c8d13e8bb5c694d07e6471f9db57_JaffaCakes118.msi
Resource
win10v2004-20240508-en
General
Target
79d1c8d13e8bb5c694d07e6471f9db57_JaffaCakes118.msi
Size
512KB
MD5
79d1c8d13e8bb5c694d07e6471f9db57
SHA1
231677689b7e2f0b1aa0cfdd190d47462a5279b9
SHA256
deb9ffc5dbe5a8b0beb10318f8cfa635ed58507056908e017e82dfda950bf3f9
SHA512
808240029755b182c9491668ff177e606f7d7a513f2cc535397816c847808e738aa0a8e4be57f2166293c8795756a81300c9c40d869ffb5eff2c2e8e9db0363b
SSDEEP
6144:MEja+qQBv6voU7lpBJjPK22eC+Ic6LRWwp9porgB1O2/BCxBE4+/u4x/HLUWy4+d:MEjmQB6lpJ2eC6wu2yE4yZx/HwrK4
Malware Config
Extracted
lokibot
http://31.220.2.200/~justicet/ag/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
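The five URLs the sandbox extracted from the LokiBot configuration are the most directly actionable output of this report. The script below is an added example, not part of the sandbox output: it turns those URLs into a hunting set (exact host matches plus the recurring gate path), defangs them for sharing, and runs the set over a few constructed proxy log lines. The log line format and the sample lines are made up for illustration; only the URLs come from the report.

```python
"""Hunt for the extracted LokiBot C2 URLs in HTTP-proxy logs.

Added example; the C2 list is the one extracted in the report above, the log
format and sample lines are constructed for illustration."""
import re
from urllib.parse import urlsplit

C2_URLS = [
    "http://31.220.2.200/~justicet/ag/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def c2_indicators(urls):
    """Split each URL into a host set and a path set.

    Hosts give high-confidence exact matches.  Paths are kept separately
    because the same gate script (fre.php) is reused across the hosts, so a
    POST to that path on an as yet unknown host is worth a look too."""
    hosts, paths = set(), set()
    for url in urls:
        parts = urlsplit(url)
        hosts.add(parts.hostname.lower())
        paths.add(parts.path)
    return hosts, paths


def defang(url):
    """Defang for safe sharing: http -> hxxp and bracketed dots in the host."""
    parts = urlsplit(url)
    host = parts.hostname.replace(".", "[.]")
    scheme = parts.scheme.replace("tt", "xx")
    return f"{scheme}://{host}{parts.path}"


# Constructed log format (not from the report): "<ts> <src_ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines: two hits on known hosts, one gate-path hit on a
# host not in the list, one benign request.
SAMPLE_LOG = [
    "2024-05-27T16:56:01Z 10.0.0.12 POST http://kbfvzoboss.bid/alien/fre.php 200",
    "2024-05-27T16:56:02Z 10.0.0.12 GET http://www.example.com/index.html 200",
    "2024-05-27T16:56:03Z 10.0.0.15 POST http://203.0.113.9/alien/fre.php 404",
    "2024-05-27T16:56:04Z 10.0.0.15 GET http://31.220.2.200/~justicet/ag/five/fre.php 200",
]


def hunt(lines, urls=C2_URLS):
    """Return (src_ip, host, reason) for every line matching the C2 set."""
    hosts, paths = c2_indicators(urls)
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if host in hosts:
            hits.append((m["src"], host, "known C2 host"))
        elif parts.path in paths and m["method"] == "POST":
            # LokiBot exfiltrates with POSTs to its gate; same path, new host.
            hits.append((m["src"], host, "C2 path on new host"))
    return hits


if __name__ == "__main__":
    for url in C2_URLS:
        print(defang(url))
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The path-only match is deliberately lower confidence and restricted to POST requests; in a real deployment, feed the hits from that branch into enrichment (passive DNS, WHOIS age) rather than blocking on them directly.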
Signatures
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | MSI9154.tmp
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | MSI9154.tmp
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | MSI9154.tmp
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Every drive letter except C:, D: and F: is opened read-only, each one twice (46 IoCs); both msiexec.exe instances in the process tree (PID 4136 and PID 2632) carry this signature.
description | ioc | Process
File opened (read-only) | \??\A: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\B: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\E: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\G: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\H: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\I: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\J: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\K: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\L: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\M: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\N: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\O: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\P: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\Q: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\R: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\S: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\T: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\U: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\V: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\W: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\X: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\Y: | msiexec.exe (2 IoCs)
File opened (read-only) | \??\Z: | msiexec.exe (2 IoCs)
Drops file in Windows directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI90E6.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9154.tmp | msiexec.exe
File created | C:\Windows\Installer\e57900b.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57900b.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
Executes dropped EXE 1 IoCs
pid | Process
2904 | MSI9154.tmp
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run all five IoCs come from vssvc.exe (the Volume Shadow Copy service, PID 3920), which reads and caches these disk parameters while taking the snapshot for the installer's restore point; none of them is attributable to the dropped MSI9154.tmp, so treat this signature as installer noise rather than evidence of sandbox evasion by the payload.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value elided) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2632 | msiexec.exe
2632 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 52 IoCs
Grouped by process; tokens are listed in the report's original order and repeated entries are repeated adjustments. The single entry from the dropped binary is SeDebugPrivilege in MSI9154.tmp.
Process | pid | Tokens
msiexec.exe | 4136 | SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 IoCs)
msiexec.exe | 2632 | SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege (9 IoCs)
vssvc.exe | 3920 | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 IoCs)
srtasks.exe | 224 | SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege (8 IoCs)
MSI9154.tmp | 2904 | SeDebugPrivilege (1 IoC)
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4136 | msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2904 | MSI9154.tmp
Suspicious use of WriteProcessMemory 5 IoCs
Both targets (PID 224 srtasks.exe and PID 2904 MSI9154.tmp) are children that msiexec.exe itself spawned, so these writes are consistent with ordinary process creation by the parent rather than injection into an unrelated process.
description | pid | Process | procid_target
PID 2632 wrote to memory of 224 | 2632 | msiexec.exe | 100
PID 2632 wrote to memory of 224 | 2632 | msiexec.exe | 100
PID 2632 wrote to memory of 2904 | 2632 | msiexec.exe | 102
PID 2632 wrote to memory of 2904 | 2632 | msiexec.exe | 102
PID 2632 wrote to memory of 2904 | 2632 | msiexec.exe | 102
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run it is exercised by srtasks.exe ExecuteScopeRestorePoint (PID 224), the System Restore task that msiexec.exe launches to create a restore point before installing, together with vssvc.exe (PID 3920); this is standard Windows Installer behaviour and is not attributable to the dropped payload.
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | MSI9154.tmp
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | MSI9154.tmp
Processes
C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\79d1c8d13e8bb5c694d07e6471f9db57_JaffaCakes118.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4136
C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
    C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken
      PID:224
    C:\Windows\Installer\MSI9154.tmp
      "C:\Windows\Installer\MSI9154.tmp"
      - Accesses Microsoft Outlook profiles
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
      PID:2904
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
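The behaviour worth detecting in this tree is not msiexec.exe itself but the chain it produces: the installer service (PID 2632) extracts a custom-action binary to C:\Windows\Installer\MSI9154.tmp, runs it, and that binary immediately opens the Outlook profile keys listed under "Accesses Microsoft Outlook profiles". The following is an added example, not part of the sandbox report: detection logic that correlates those two facts over process-creation and registry-open telemetry. The event records are constructed in a Sysmon-like shape for illustration; the PIDs, image paths, command lines and registry keys are taken from the report, the parent PID 700 for the two service processes is assumed.

```python
"""Correlate msiexec.exe -> MSI####.tmp execution with Outlook profile key reads.

Added example, not part of the sandbox report.  Telemetry below is constructed
in a Sysmon-like shape from the report's process tree and IoCs."""
import re
from collections import defaultdict

SID = "S-1-5-21-4124900551-4068476067-3491212533-1000"   # user SID from the report
USER_HIVE = r"\REGISTRY\USER" + "\\" + SID

# Windows Installer extracts custom-action binaries to this location and runs
# them from msiexec.exe.  Legitimate installers do this too, so on its own this
# pattern is a lead, not an alert.
MSI_CUSTOM_ACTION = re.compile(r"^C:\\Windows\\Installer\\MSI[0-9A-F]{1,4}\.tmp$", re.I)

# Outlook profile stores: Office-versioned path (any version) and the Windows
# Messaging Subsystem path, both seen in the report.
OUTLOOK_PROFILE_KEYS = [
    re.compile(r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\Outlook$", re.I),
    re.compile(r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook$", re.I),
]

# Constructed telemetry.  PID 700 for the services' parent is an assumption.
EVENTS = [
    {"type": "process_create", "pid": 2632, "ppid": 700,
     "image": r"C:\Windows\system32\msiexec.exe", "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"type": "process_create", "pid": 224, "ppid": 2632,
     "image": r"C:\Windows\system32\srtasks.exe",
     "cmdline": r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"},
    {"type": "process_create", "pid": 2904, "ppid": 2632,
     "image": r"C:\Windows\Installer\MSI9154.tmp", "cmdline": r'"C:\Windows\Installer\MSI9154.tmp"'},
    {"type": "process_create", "pid": 3920, "ppid": 700,
     "image": r"C:\Windows\system32\vssvc.exe", "cmdline": r"C:\Windows\system32\vssvc.exe"},
    {"type": "reg_open", "pid": 2904,
     "key": USER_HIVE + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "reg_open", "pid": 2904,
     "key": USER_HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"},
    # Benign noise from the same run: vssvc.exe reading SCSI device parameters.
    {"type": "reg_open", "pid": 3920,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters"},
]


def process_table(events):
    """Map pid -> its process_create record."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def msi_custom_actions(events):
    """Stage 1: PIDs of MSI####.tmp binaries whose parent image is msiexec.exe."""
    procs = process_table(events)
    found = set()
    for pid, proc in procs.items():
        parent = procs.get(proc["ppid"])
        if parent is None:
            continue
        if parent["image"].lower().endswith(r"\msiexec.exe") and MSI_CUSTOM_ACTION.match(proc["image"]):
            found.add(pid)
    return found


def detect_outlook_profile_theft(events):
    """Stage 2: alert when a stage-1 process opens an Outlook profile key.

    Returns one alert per offending PID with the keys it touched; a custom
    action that never touches these keys produces nothing."""
    procs = process_table(events)
    suspects = msi_custom_actions(events)
    touched = defaultdict(list)
    for e in events:
        if e["type"] != "reg_open" or e["pid"] not in suspects:
            continue
        if any(rx.search(e["key"]) for rx in OUTLOOK_PROFILE_KEYS):
            touched[e["pid"]].append(e["key"])
    return [
        {"pid": pid, "image": procs[pid]["image"], "parent_pid": procs[pid]["ppid"],
         "outlook_keys": touched[pid]}
        for pid in sorted(touched)
    ]


if __name__ == "__main__":
    for alert in detect_outlook_profile_theft(EVENTS):
        print(alert)
```

Keying the second stage on the parent/child relationship matters: srtasks.exe is also a child of msiexec.exe and vssvc.exe also opens registry keys, but neither runs from the Installer temp path, so neither reaches the Outlook check. The same structure extends to the browser credential stores named by the "Reads user/profile data of web browsers" signature by adding their paths to the key list.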
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\0f5007522459c86e95ffcc62f32308f1_310807ab-751f-4d81-ae09-b202eaf21e19
Filesize 46B
MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\0f5007522459c86e95ffcc62f32308f1_310807ab-751f-4d81-ae09-b202eaf21e19
Filesize 46B
MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Filesize 488KB
MD5 7d2156aa23eb3331e0725fbaac058002
SHA1 bc3154764a7685baaa3e466856fdab1ae50d179f
SHA256 dac334eeaeaecc4072797f8e65085cf8b8c519462d0dd3d4c4856a1631ee87e7
SHA512 e1ab75a2ed81d02727517c0deaaf945ab25decd855f8b567ac05f83af27fc6014d2d43d1e0a4a97e186226c300a48e98ec58bc88d05e53a87214cecd819ac029

Filesize 23.7MB
MD5 420271892069ede402ae3d797bc5148a
SHA1 22c1e8e7fae647dd3643df53abbab003a78a5c98
SHA256 724caa5aae2e6c95527967064dcf71f8fad2466e2ab5d17751a75668840f6df5
SHA512 e442ddf53f24b0f707a52057d6d55f41274abbf58167e57be3271f91f05969300729a3c43a84646803f29367ff4c7453b67200bb01eec6bcd3397fff13b11e1a

\??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{682e254a-24ec-4a72-993b-6dc35bee88cc}_OnDiskSnapshotProp
Filesize 6KB
MD5 e430bb23dc1d71dd5431f69668a65d25
SHA1 268f93f3276508dda090ff7d46d91d9f0d3fc7ca
SHA256 ccde32eff47b7f85d464ae693c66779bda1a770352d8a2fe7eb03b223a092741
SHA512 13b024f712001b8d8d7ee0482564489a1ea23eaf44354c4d7335e61bfe8ae3e70e46b2721cc6e6f9ef2d9bd9ab98184d174007e9bb92fcda89971b1956137f18