Analysis

  • max time kernel
    142s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-08-2024 06:04

General

  • Target

    c653666d1e83163fa4173a09ef16a8bb_JaffaCakes118.rtf

  • Size

    729KB

  • MD5

    c653666d1e83163fa4173a09ef16a8bb

  • SHA1

    32598e3d7f6c73cad52ac1ecd6771d4587fdfbc5

  • SHA256

    ba1fc31924f28c500e87979824415fbe4d2e08fde4591652c24734bcbc816fab

  • SHA512

    a497ed6110593a5d91bfe99f96018ec4220ebaea697b19c84cc839646562952b54e265d042682659041465a11242f372691f20a28a1788349474f19d9ecb330d

  • SSDEEP

    12288:UWNLJocWe3v4uG7aE0NLhJgV9fm0OXSeAkdjB2JfIz1WBtYvxnCVjyxYdbD+CNdY:/ocWoGmluVAxSULvJotYp0jyaUCOTMR8

Malware Config

Extracted

Family

lokibot

C2

http://spacemc.com/admin/iyk/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a password and cryptocurrency wallet stealer.

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c653666d1e83163fa4173a09ef16a8bb_JaffaCakes118.rtf"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\ufFm.cMD"
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\SysWOW64\cmd.exe
        CmD
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K itnqknf5.CMD
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:264
          • C:\Windows\SysWOW64\timeout.exe
            TIMEOUT /T 1
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2836
          • C:\Windows\SysWOW64\cscript.exe
            cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
            5⤵
            • Drops desktop.ini file(s)
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            PID:2424
          • C:\Windows\SysWOW64\taskkill.exe
            TASkKILL /F /IM winword.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2608
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2152
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1952
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2660
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1584
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2892
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2852
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\Resiliency /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2896
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1628
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2792
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\Resiliency /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2952
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2340
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2120
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\Resiliency /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2052
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3064
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1620
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3056
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1028
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:752
          • C:\Users\Admin\AppData\Local\Temp\saver.scr
            "C:\Users\Admin\AppData\Local\Temp\saver.scr"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:3052
          • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
            "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ShowConvertFrom.docx"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of SetWindowsHookEx
            PID:2556
            • C:\Windows\splwow64.exe
              C:\Windows\splwow64.exe 12288
              6⤵
              PID:1928
            • C:\Windows\SysWOW64\cscript.exe
              cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2204
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\ufFm.cMD"
        2⤵
        • Process spawned unexpected child process
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\SysWOW64\cmd.exe
          CmD
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2980

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1.zip

      Filesize

      310KB

      MD5

      2ea07abda8be0edc6484a58918810af2

      SHA1

      9d0dd90c725004178c3214d9fe91bd1d6ff6d0ad

      SHA256

      4be4bf3b9a31940ed3d00dea9ee75cccfe730fcdf47c3eab51447dfc0f4d7329

      SHA512

      4a25d7a62ed82ef9d29b3ac1dded743ff8dc5ff05466d424f76400402db30b0b8bcb9fa83cbce1eac463a567881a5f92fd3ed565344dd6a5acd0d99aef7c5fb9

    • C:\Users\Admin\AppData\Local\Temp\_.vbs

      Filesize

      255B

      MD5

      bf8b4048b61bd2f3c20690415fa52ee4

      SHA1

      10cf302e555807f6a1e46cf52e9e0746cf93951b

      SHA256

      4e9782ff685787063d3213cb56c918f2ba9a57f7bdf365027e1d11a9824718a6

      SHA512

      60d1f5ea1595cb9efd8d3bc906a7f9e74b9f561a10ed96f0b1c6f4d33d878be0d86ba622bdd5d8efd576032c30471d5929458c1aa7124b1764deb6f0dbf30990

    • C:\Users\Admin\AppData\Local\Temp\_.vbs

      Filesize

      179B

      MD5

      1d88166a10f71703ef63a827718737ae

      SHA1

      d4ae6060a3c8c8ee0bc0498294e9fbac11133212

      SHA256

      9608595afec837d3131a139be240297f78fb1a79c34879eb3e1d01d4ca2c0fb7

      SHA512

      48f6cc0e4128289ad688cfd67d35f2b47199bfcb807071e800f798df61ae293d0e5af41915a7efb9c5869be48dbbbe0e7ed5ac41a433239a36c10939c28c8236

    • C:\Users\Admin\AppData\Local\Temp\a.ScT

      Filesize

      864B

      MD5

      93522467ea6a1b96b85ddc1aec79da43

      SHA1

      b4dfef1b1cec653e8675fe954c9c5f43bcdd32ad

      SHA256

      fab6f1444b9550ef2ef06b651efae615c358f5da51f267c94b78dd115240e9a1

      SHA512

      d94669ac17d9b1a3f50ddca1eba9c5c20a805e58e22faf86b7bb8379f8f38ae6b48930d9885568d60197f1f8b5fded3125ed7e7b879990ed6643928cbf827905

    • C:\Users\Admin\AppData\Local\Temp\itnqknf5.cmd

      Filesize

      1KB

      MD5

      a3b2ec295ad5a65c83a52892a2abe0fe

      SHA1

      e69986fc8ad7e818b4f66b101d4063faccf8dafb

      SHA256

      5a8956e665402c41f00377a5f5f2900b1a3dbc8b04099d8293207d3c65caa238

      SHA512

      ee42eea67996b1f8aca454eb2bfd2a63caf5cd669b341f60187d714db8a2461069a5d4f1b9328d4fa7569a5f044430cee7294025c7d2c035e437c25b390f0807

    • C:\Users\Admin\AppData\Local\Temp\saver.scr

      Filesize

      588KB

      MD5

      8f75888532a950803ddff07f54592734

      SHA1

      d8825899274879f7ebb9c9a6d974239f68f5d070

      SHA256

      94b5998439f53e4f014cee8c8e7c51c9da75944d64f6b67f4fbae5fc0a2fd04f

      SHA512

      c0f849a92ef862f31b417404b54a10b2e413d074d23783687a49d57ce2dd934e5408e554c89f4d1d718d6ec86b677cd0ae559299fc9af1c3c94aec5a36516bb6

    • C:\Users\Admin\AppData\Local\Temp\ufFm.cMD

      Filesize

      210B

      MD5

      955dfb33cd8846c2214a71956b51f68b

      SHA1

      0e1eded70be14241237ce07620fa4db75618e3a8

      SHA256

      4a169cbdb43ce32975dcbc5b97dab03466479a1a6aefe9be8c3677a34740c118

      SHA512

      467b6ed79145460f1ec8d6852b07b19d35686e2f7920b80e07d90dc04ee859264c918b0902191ceb12094c153e61459b0ae144f84ce6072463b3cc15ffa4fb4e

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1506706701-1246725540-2219210854-1000\0f5007522459c86e95ffcc62f32308f1_62dc4f69-4699-4b35-9f5c-cc69254f52a3

      Filesize

      46B

      MD5

      d898504a722bff1524134c6ab6a5eaa5

      SHA1

      e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

      SHA256

      878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

      SHA512

      26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1506706701-1246725540-2219210854-1000\0f5007522459c86e95ffcc62f32308f1_62dc4f69-4699-4b35-9f5c-cc69254f52a3

      Filesize

      46B

      MD5

      c07225d4e7d01d31042965f048728a0a

      SHA1

      69d70b340fd9f44c89adb9a2278df84faa9906b7

      SHA256

      8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

      SHA512

      23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      bf7777c407f8c0c9ce76605ff84fe235

      SHA1

      2df20fbf13389bf999e88dac7bd22a64b8faa45a

      SHA256

      7ff09620dd1786054e372e394e1507a5bea2dacac3924a2254a97b48b60b5e89

      SHA512

      3a2a20229ebc8dc4afcbcc04ad477361830e3c5e21af485aae747a2252b443b175e68dce3271c5cb62dd1a136a5b3bd6ccd84a44d76a3b2a34b2be49b0925682

    • C:\Users\Admin\Desktop\ShowConvertFrom.docx

      Filesize

      31KB

      MD5

      df778726a0f7ffeaa9fc16826f77a946

      SHA1

      3b4bac8f09cf2d9227c3143aa33ee7b6c1a2cc0c

      SHA256

      a52fad09e1fb5e5c5532b8a9130c4f99ddbebbfb15ba416e67069866e1b5b3da

      SHA512

      5d5525b61cce9fc6f806c8d666d291e74915aeac20d7fd937c6d0fab9cefc4287ccdc539dd34b017c9abc6f38c87e9244b0c85a54b3fbe83da885334b1f63215

    • memory/1488-2-0x0000000070F5D000-0x0000000070F68000-memory.dmp

      Filesize

      44KB

    • memory/1488-49-0x0000000070F5D000-0x0000000070F68000-memory.dmp

      Filesize

      44KB

    • memory/1488-0-0x000000002FAB1000-0x000000002FAB2000-memory.dmp

      Filesize

      4KB

    • memory/1488-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2556-66-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2556-148-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/3052-69-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

    • memory/3052-113-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

    • memory/3052-88-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB