Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/08/2024, 14:40 UTC (1 August 2024, read as day/month: the analysis image used is dated 2024-07-30)

General

  • Target

    80deb4864d3e01ae76b938925eabe622_JaffaCakes118.exe

  • Size

    289KB

  • MD5

    80deb4864d3e01ae76b938925eabe622

  • SHA1

    611d4557ac5d499afb7445ecf396f6560474e8ea

  • SHA256

    f50897115f10331d6e9d08e5366e7f60d743a49edc550d1b087735733e36c9f7

  • SHA512

    9ca71aa0713c85a2394d1f5cb91e9753e5488057f5e9d1b701f60fbb40653354b7c39eee9ac018e3c0be4b794e901a9542bdfddd510dac69f976d4b10caee3a0

  • SSDEEP

    6144:YPWe8L7O132mpFNoq2Jc22ROhxxpeTr/ekI:De8fO133kqeLDzxp6L

Malware Config

Extracted

Family

lokibot

C2

http://checkvim.com/ga15/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
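All five configured C2 URLs share the same shape: an HTTP host plus a panel path ending in fre.php. The matcher below, added here as an example and not part of the tria.ge report, turns that config into two checks that a defender can run over DNS and proxy logs: an exact hostname match against the five C2 hosts (high confidence) and a weaker path heuristic that flags a POST to any /fre.php on a host not in the list. The log lines and their two-column-per-field format are constructed for the example; the field layout is an assumption and would need adapting to a real log source.

```python
"""Match DNS and proxy log lines against the LokiBot C2 configuration
extracted from this sample."""
import re
from urllib.parse import urlparse

# C2 URLs copied from the report's Malware Config section.
C2_URLS = [
    "http://checkvim.com/ga15/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = {urlparse(u).hostname.lower() for u in C2_URLS}

# Constructed sample logs (not from the report). Assumed DNS format:
# "<ts> <client> <qname> <qtype> <rcode>"; assumed proxy format:
# "<ts> <client> <method> <url> <status>".
DNS_LOG = """\
2024-08-01T14:41:02Z 10.0.0.15 checkvim.com A NXDOMAIN
2024-08-01T14:41:03Z 10.0.0.15 www.microsoft.com A NOERROR
2024-08-01T14:41:09Z 10.0.0.22 ALPHASTAND.TOP A NOERROR
""".splitlines()

PROXY_LOG = """\
2024-08-01T14:41:10Z 10.0.0.22 POST http://alphastand.top/alien/fre.php 404
2024-08-01T14:41:11Z 10.0.0.22 GET http://example.com/index.html 200
2024-08-01T14:41:12Z 10.0.0.31 POST http://198.51.100.7/panel/fre.php 200
""".splitlines()

DNS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<rcode>\S+)$"
)
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def check_dns(line):
    """Return a hit if the queried name is one of the configured C2 hosts."""
    m = DNS_RE.match(line)
    if not m:
        return None
    qname = m["qname"].lower().rstrip(".")  # DNS names are case-insensitive
    if qname in C2_HOSTS:
        return {"client": m["client"], "type": "dns",
                "indicator": qname, "confidence": "high"}
    return None


def check_proxy(line):
    """Return a hit for a known C2 host, or a lower-confidence hit for a
    POST to a /fre.php path on an unknown host."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    host = (url.hostname or "").lower()
    if host in C2_HOSTS:
        return {"client": m["client"], "type": "http",
                "indicator": host, "confidence": "high"}
    # Every C2 URL in this config ends in /fre.php. A POST to such a path
    # elsewhere is worth triage but is not proof of LokiBot on its own.
    if m["method"] == "POST" and url.path.endswith("/fre.php"):
        return {"client": m["client"], "type": "http",
                "indicator": m["url"], "confidence": "medium"}
    return None


def scan(dns_lines, proxy_lines):
    """Run both checks and return every hit in log order."""
    hits = [h for h in map(check_dns, dns_lines) if h]
    hits += [h for h in map(check_proxy, proxy_lines) if h]
    return hits


if __name__ == "__main__":
    for hit in scan(DNS_LOG, PROXY_LOG):
        print(hit)
```

Against the constructed logs this yields four hits: two DNS queries for configured hosts, one HTTP request to a configured host, and one medium-confidence path match on an IP-addressed host. Hostnames are compared case-insensitively because resolvers and clients may upper-case labels, as the third DNS line shows.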

Signatures

  • Lokibot
    LokiBot is an information stealer that harvests saved passwords and cryptocurrency wallet data.

  • Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
    Malicious access to, or copying of, a web browser credential store.

  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers commonly read stored browser profile data, which can include saved credentials, cookies and form data.

  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • outlook_office_path (1 IoC)
    The Outlook profile store under HKCU\Software\Microsoft\Office\<version>\Outlook\Profiles.
  • outlook_win_path (1 IoC)
    The legacy profile store under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles.

Processes

The sample ran as a single process and spawned no child processes during the run.

  • C:\Users\Admin\AppData\Local\Temp\80deb4864d3e01ae76b938925eabe622_JaffaCakes118.exe (PID 4516)
    Command line: "C:\Users\Admin\AppData\Local\Temp\80deb4864d3e01ae76b938925eabe622_JaffaCakes118.exe"
    Signatures triggered by this process:
    • Accesses Microsoft Outlook profiles
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
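The Signatures and Processes sections attribute three host-side behaviours to PID 4516: reads of the two Outlook profile registry locations, access to browser credential stores, and a token privilege adjustment. The script below, added here as an example and not part of the tria.ge report, shows how to correlate those behaviours per process from Windows Security audit records: event 4663 (object access, which for registry keys requires a SACL on the key and the Registry and File System object-access subcategories enabled) and event 4703 (a token right was adjusted, logged on AdjustTokenPrivileges). The events are constructed with only the fields the correlation needs; the browser file names, the Office version, the benign Outlook and Chrome processes and the requirement of two distinct categories are assumptions for the example.

```python
"""Correlate Windows audit events per process into the behaviour set this
report attributes to PID 4516: Outlook profile reads, browser credential
store reads and token privilege adjustment."""
import re
from collections import defaultdict

# Outlook profile stores: the Office-versioned key and the legacy
# Windows Messaging Subsystem key (matched anywhere under the user hive).
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook\\Profiles"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles)(?:\\|$)",
    re.IGNORECASE,
)
# Browser credential stores: Chromium "Login Data" / "Web Data",
# Firefox logins.json and its key database key4.db.
BROWSER_CRED_RE = re.compile(
    r"\\(?:Login Data|Web Data|logins\.json|key4\.db)$", re.IGNORECASE
)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\80deb4864d3e01ae76b938925eabe622_JaffaCakes118.exe")
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000"

# Constructed events (not from the report): the subset of 4663 / 4703 fields
# the correlation needs. access 0x1 is KEY_QUERY_VALUE / FILE_READ_DATA.
EVENTS = [
    {"id": 4663, "pid": 4516, "image": SAMPLE, "access": 0x1,
     "object": USER_HIVE + r"\Software\Microsoft\Office\16.0\Outlook\Profiles"
                           r"\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002"},
    {"id": 4663, "pid": 4516, "image": SAMPLE, "access": 0x1,
     "object": USER_HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion"
                           r"\Windows Messaging Subsystem\Profiles\Outlook"},
    {"id": 4663, "pid": 4516, "image": SAMPLE, "access": 0x1,
     "object": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": 4663, "pid": 4516, "image": SAMPLE, "access": 0x1,
     "object": r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles"
               r"\abcd1234.default-release\logins.json"},
    {"id": 4703, "pid": 4516, "image": SAMPLE},
    # Benign processes touching only their own stores (assumed paths).
    {"id": 4663, "pid": 2312, "access": 0x1,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "object": USER_HIVE + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"id": 4663, "pid": 7744, "access": 0x1,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "object": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]


def classify(event):
    """Map one audit event to a behaviour category, or None if irrelevant."""
    if event["id"] == 4703:
        return "token_privilege"
    if event["id"] != 4663:
        return None
    obj = event["object"]
    if OUTLOOK_PROFILE_RE.search(obj):
        return "outlook_profile"
    if BROWSER_CRED_RE.search(obj):
        return "browser_credentials"
    return None


def correlate(events):
    """Return {pid: {"image": ..., "categories": set()}} over all events."""
    per_pid = defaultdict(lambda: {"image": None, "categories": set()})
    for ev in events:
        cat = classify(ev)
        if cat is None:
            continue
        entry = per_pid[ev["pid"]]
        entry["image"] = ev["image"]
        entry["categories"].add(cat)
    return dict(per_pid)


def flag(events, min_categories=2):
    """PIDs whose behaviour spans at least min_categories distinct categories.
    Requiring more than one category keeps Outlook and Chrome themselves,
    which each read only their own store, out of the result."""
    return sorted(pid for pid, e in correlate(events).items()
                  if len(e["categories"]) >= min_categories)


if __name__ == "__main__":
    for pid in flag(EVENTS):
        print(pid, correlate(EVENTS)[pid])
```

Only PID 4516 is flagged: it is the one process that spans all three categories, exactly the combination the sandbox signatures describe. In production, 4703 is noisy on its own (many system processes adjust privileges), which is why it only contributes to a score here rather than triggering alone; the report does not say which privilege the sample enabled, so the example does not filter on one.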

Network

All captured traffic is DNS to the sandbox resolver 8.8.8.8:53 (US). Only the three A queries for checkvim.com are attributed to the sample's process; the PTR lookups carry no process attribution. The byte counts below show that a reply came back for every query, but the report lists an answer record only for the Akamai PTR: no address was returned for checkvim.com, no HTTP request to any of the five configured C2 URLs appears in the capture, and none of the other four C2 hosts was resolved, so the sample never got past its first C2 host during the run.

DNS queries (resolver 8.8.8.8:53)

  Query                          Type  Process                                              Answer
  14.160.190.20.in-addr.arpa     PTR   -                                                    (none recorded)
  81.144.22.2.in-addr.arpa       PTR   -                                                    a2-22-144-81.deploy.static.akamaitechnologies.com
  45.19.74.20.in-addr.arpa       PTR   -                                                    (none recorded)
  checkvim.com                   A     80deb4864d3e01ae76b938925eabe622_JaffaCakes118.exe   (none recorded)
  157.123.68.40.in-addr.arpa     PTR   -                                                    (none recorded)
  206.23.85.13.in-addr.arpa      PTR   -                                                    (none recorded)
  172.214.232.199.in-addr.arpa   PTR   -                                                    (none recorded)
  checkvim.com                   A     80deb4864d3e01ae76b938925eabe622_JaffaCakes118.exe   (none recorded)
  13.227.111.52.in-addr.arpa     PTR   -                                                    (none recorded)
  checkvim.com                   A     80deb4864d3e01ae76b938925eabe622_JaffaCakes118.exe   (none recorded)

Connection summary (remote address 8.8.8.8:53, protocol dns)

  Name                           Process                                              Sent   Received   Pkts sent/recv
  14.160.190.20.in-addr.arpa     -                                                    72 B   158 B      1/1
  81.144.22.2.in-addr.arpa       -                                                    70 B   133 B      1/1
  45.19.74.20.in-addr.arpa       -                                                    70 B   156 B      1/1
  checkvim.com                   80deb4864d3e01ae76b938925eabe622_JaffaCakes118.exe   58 B   131 B      1/1
  157.123.68.40.in-addr.arpa     -                                                    72 B   146 B      1/1
  206.23.85.13.in-addr.arpa      -                                                    71 B   145 B      1/1
  172.214.232.199.in-addr.arpa   -                                                    74 B   128 B      1/1
  checkvim.com                   80deb4864d3e01ae76b938925eabe622_JaffaCakes118.exe   58 B   131 B      1/1
  13.227.111.52.in-addr.arpa     -                                                    72 B   158 B      1/1
  checkvim.com                   80deb4864d3e01ae76b938925eabe622_JaffaCakes118.exe   58 B   131 B      1/1

MITRE ATT&CK Enterprise v15 (the ATT&CK version the TTP counts in the Signatures section refer to)

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3089151618-2647890268-2710988337-1000\0f5007522459c86e95ffcc62f32308f1_144fa508-43d0-438d-9b61-75b963a9b225
    A 46-byte file written to the user's CryptoAPI RSA key-container store during the run.

    Filesize
    46B

    MD5
    d898504a722bff1524134c6ab6a5eaa5

    SHA1
    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256
    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512
    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • Memory dumps of PID 4516. The same three regions were dumped twice, early in the run (snapshots 1 to 3) and again near its end (45, 47, 48). 0x400000 is the default image base of a 32-bit PE, and the 648KB region there is larger than the 289KB file on disk, consistent with the sample unpacking itself in place.

    Dump             Range                                    Size
    memory/4516-1    0x0000000000700000-0x0000000000800000    1024KB
    memory/4516-2    0x00000000001D0000-0x00000000001EB000    108KB
    memory/4516-3    0x0000000000400000-0x00000000004A2000    648KB
    memory/4516-45   0x0000000000400000-0x00000000004A2000    648KB
    memory/4516-47   0x0000000000700000-0x0000000000800000    1024KB
    memory/4516-48   0x00000000001D0000-0x00000000001EB000    108KB
