Analysis
-
max time kernel
143s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
30-08-2024 21:22
General
-
Target
cbb16e4e4e08c92f71f92912ee89d99f_JaffaCakes118.msi
-
Size
496KB
-
MD5
cbb16e4e4e08c92f71f92912ee89d99f
-
SHA1
837c8f172b6a8e1af9d906bfe9e2910c37af4159
-
SHA256
ccbcbbf0c8ab0e133382d476d1836596502dea3a459923e3b7b8462fa0ff4782
-
SHA512
591ee2940ab8c6a53fc824db1fbf6300677430d9b39eb6437d67e8640fa7454c428b20098323e7663de8baaec11a12392b7b6224e6f6cac9c442ccb439561269
-
SSDEEP
3072:ZEwLwjDHoRQoE/dVEZYIt+R9pna+10ez2kWYj67n0sN0o2ibcH0qwrUm1tEfaK:ZEwLUoOoEsZYIU3nIeYYjftwn1ty
Malware Config
Extracted
lokibot
http://185.148.146.193/~agroinovate/foreducational/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Drops startup file 3 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 10 IoCs
-
Executes dropped EXE 3 IoCs
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 43 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cbb16e4e4e08c92f71f92912ee89d99f_JaffaCakes118.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Installer\MSIF0F6.tmp"C:\Windows\Installer\MSIF0F6.tmp"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v2hicsi3\v2hicsi3.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF44E.tmp" "c:\Users\Admin\AppData\Local\Temp\v2hicsi3\CSC3B730601FE542F1839FE2C920A59581.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /query3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /sc MINUTE /tn Notty /MO 1 /tr "C:\Users\Admin\AppData\Roaming\skipe\msbuild.exe\3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A0" "00000000000005E4"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {BC88C5B2-230F-47FF-81CB-6CEE89E57649} S-1-5-21-2257386474-3982792636-3902186748-1000:CTBHAMHL\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\skipe\msbuild.exeC:\Users\Admin\AppData\Roaming\skipe\msbuild.exe "C:\Users\Admin\AppData\Roaming\skipe\msbuild.exe\"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pj1asqxy\pj1asqxy.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63F1.tmp" "c:\Users\Admin\AppData\Local\Temp\pj1asqxy\CSC597DD098A4DE49C28C6746F6A53EDB.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /query3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\skipe\msbuild.exeC:\Users\Admin\AppData\Roaming\skipe\msbuild.exe "C:\Users\Admin\AppData\Roaming\skipe\msbuild.exe\"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yfvdnlef\yfvdnlef.cmdline"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D75.tmp" "c:\Users\Admin\AppData\Local\Temp\yfvdnlef\CSC8E67101ED9CA40D4A15BCA3D7EDE2096.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /query3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Installer Packages
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Installer Packages
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
663B
MD588b4292859acb7deb66aa48b8c78f745
SHA126a5250d661300b8fe598c513e9f4fcaa7ec05d2
SHA256ce74b3268254867f0a12f7793ded9ce7a9c335841c2fc17d1a65c81fde5f4df9
SHA512710595f93a3ec60b6a9676e3a8cd6baaaff86c3181a205af7cb86f97ea420c5cdf78b99b71697cd7d7b68fa61c2e949b589e00c03ccd5dce6452613e0520864c
-
Filesize
1KB
MD52a87aba17937ba73a9919683df2a54f0
SHA1326673659cab42329ca9a27cb41f34abf5934bf8
SHA25693358e4e8a97933c03a842b0c9faa699b9fe723cac26b90978143d8d96269e53
SHA5128ec122fa6d7059d97ad12949b30acc5ed9890e9d4c5771f39dcc85170adc54a24418fb45fc4e26f5adc87bdb9460dafefb152fb3cf5cf84d98b6e8b91e74285a
-
Filesize
1KB
MD54d857531fbad0543fc91e0353142ad13
SHA1f3d346d20dcb5a8a022ffde7c34088de26c29288
SHA256132398140cdcc392395295fc916418f44febde5e2c982dd48916cc32a5fde4f3
SHA5122573d329d4c5c410ce9ed3271d7f3fadd10ae4e5a1a5aa4697a9528995f58fb3d19c322b3eb2d44cfd957485a6ea99b2fb7c168570e125b4a83aa7136c603866
-
Filesize
1KB
MD535c4da21c4fe802c8d5791ca46fb715b
SHA10adfd54c1a8fd03b757468f4aca2b26f7f7e2cf4
SHA256b7ee00b31bdf001feb63750b8d693d308688453fb19a9c419bc81b65ee40492a
SHA512b001908389bf918b45fd821e7fbe78eec9036abc32c5461dfed31af358a19f984d6b14cbc7c642c3065ba6a049bfdb496991fcac9f1c2d048bc92a04b3344f85
-
Filesize
6KB
MD53a181443549f53560997a16d8971fcfb
SHA1d36ad7a98badcd216b35bdbf7ad65e220bdf49da
SHA25673862e755d079d6c4e6bd133d00c096a912ce5620f29587613f9e3e604070d71
SHA512bf7aa07902593558935b25dbb281648115b46791477745e133a2ecbbcfb6cd457b926cad35e002bc8694ff090d26501ce07ac9b0f254144908f6f50d9c3be3f1
-
Filesize
15KB
MD54fe5a43e9cae389eed149f0e44f283b3
SHA1f364e2c40e387b5fb133c66f0af85e8675d78e23
SHA25677040dcb5ee13b40a8fdcf179d70e36999a3af7602a6acbbb4bcfd9d76997713
SHA512a226d592cd6f51575fcfc4a34017cade2fff6ae2e5b135b70290e9094fcd96dbb4357dea0d8ec8b692dcf976757f7a36faaf8edb5b48a3a962b8dcea60265d85
-
Filesize
6KB
MD5323bd7b70c3d07b94cc363722cfe3834
SHA1ed00825b37d7e9fd9f401ebf9fb59c4130eb8c28
SHA2563667f1e20274e7ecff207e2fa811466b11554effc0312f1c2898e676dfdd57ea
SHA5128fde2f666ed074f53644fba8aeb08cf9da7760034260bf94c29b209d8e1fbb725dc9960536976c272b7e15704451089b7be6c6d9ca9e6c36b6d83f105acd5117
-
Filesize
15KB
MD51fbcbcc5c61dcf36bcd29e2759f72c99
SHA103372512985901c7aa0db642c362eec147c6246d
SHA2569439fb5af76788f5ebf1ad93530dbf48f70fd814203e48f0aeba371602e50d6d
SHA5126aa48c1143fd018f3dd16f1488f278e8a3ea02404d860c18b803e72949ead5966c69de73f07dbfe6c9c3e4eda62e8e9357849de464812745cbef313accf98e00
-
Filesize
6KB
MD5f85710755a4906dd9b79e77ff921a429
SHA10114f9c2ca274d8593587d41ee08f1780850e1ec
SHA25650466b67acb4263acbcbd268cfece75d4964e78a242e521384e7822560c30e0d
SHA5121079d169a4bef35c5068021dca5c55f9846f678f1d2b16c7b7493d1db5e2755af8ff2b86e2535e1732ce294d42751ad35dd6fa38b156caf14f523885bea0d5dc
-
Filesize
15KB
MD5bc115fb05e47d9b7df311b43adb90f39
SHA137cd4aadc10d8b4db31b45b117e93f015be56456
SHA2561515af00b6131d1949160bd9c4b238beee53127d1fa35cdfa84d0a8abb89b70f
SHA512aeddd2ad07929b7de4ede47dfc143b5b46d3918639dce1a4742531e5e93e9b56e5dc8870185c155325313c25302b3efb10284574727ffa07fb5ac1e60eb3b482
-
Filesize
46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
Filesize
46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
82B
MD5cb6a4efa344cbb3599e0debe5f231bc8
SHA1e399b165a943c82fd2999d4d39ca7c967009b4ca
SHA256df5973403e499e4c8d39af1a4232de2a9737d9394b5be5f3ae82fc2881b71bd0
SHA512075a28d76d656f8e287da1d6c5317f3e1f5717cd6e1fef9fc094042ebf9727516106149e2fee43a546bc2972c924d07f611a86f34cc222657b71ff0ff2db436f
-
Filesize
470KB
MD5567ff04d8da26338664b393e83a07287
SHA1dc848a25dc90b7d90a51cd8fbe3d9abddd5f5b1b
SHA25610abc3ea92644e7f4b9445f400bad387b94f28820cd9eb5bfa1849330dcc6691
SHA51289225e97e735e9cba09d377c358aa59b8135181cfbb6ce704eb4448ad20732a57dce7624dd1849e3ef3995c630ff89816051f3c5bc4976f8257cc390aa48728a
-
Filesize
1KB
MD5680b6dc048d813be6c1130a9ed8af884
SHA1359e154113115999e6addc9e7cbeca67d0f1f0d8
SHA256ff760db7803b4800972db6aee67a2d7feb29bb8c2766b89bbc42aec7c9144a30
SHA5123971b6d78b2c21d315f612aa353564274cee1ec6767c722ee5b4349fb006a707fdbbae5596c4ed6d05775c6322a0ad94c595688df55531bfdeb118a3370b21ec
-
Filesize
312B
MD55432ae14d39d1bbb58bbebf594a8b091
SHA159f1fc437c15aaaba416ecca25fb0a55d8fae716
SHA25667e3b7d6dd086a073ee2b095cabff9568538cbc50d22d4b6997c69dd8ec2f912
SHA512fab0db23f09fba9bbd06e9306eb5e40efff044b3a1a323ba505a4cfd3d4cc00a572b23ea6317a00989fc818db91a88f72e90132e7ad5c25e7c98768c8eef70b8
-
Filesize
1KB
MD57a7b53a6ce94de848f2a5e29dd158168
SHA1e7fd6ffb1f997c5477b7c8fad3c31e2f0cd136a4
SHA2561ce92e4e77c45b35b1fcfba72829f6f710088e6512670c9ba3622fd895485a49
SHA51238f47163d0a6de603be17c2fe6d75189c0f380aaec58ff665e64a0e98c77ebc1d6fc19e45bcea01d5e66e3154430cd62b0164667a4bd9baa3d55d130cb4ece76
-
Filesize
3KB
MD54e1095c7e8dbb0c68bc9bf829eef13b6
SHA1f2b98be89910c93c5169e82d248c57500e59b698
SHA2569107abced02db522cfb88d1d15faa4117c665c855d3f5fbef054cce42f855ea1
SHA512f9d77f5da96b93bdc09ff508c64d3f1f7f3f5a719f5309a548a3d5e2661d05f0032de2fcc4506d978e12a440310fee3db26ec8c6f560925aea127565d32105e7
-
Filesize
312B
MD5a3d3f5b3819f2f70f91796d9fb68edd3
SHA1355cc6aa9cd4ff8bbcf2f465a8cd42533740e006
SHA256fb17c551b62defc587a6d0dad3182b49bf2ab0e335f805d2f64d439a53d0d39b
SHA5120c45a4dabb7489e1d7a187b7757bffc24916217389be4030aac7ed2c4dfb83851d0d5fe456dca18e907852523eb40a12a1ecf0bc5a26ad356339619de4a09d27
-
Filesize
1KB
MD5a1d1169da5a15dd667864fff1c6231b2
SHA1470ff9350da142da72b8a9d80d71411acbb2fc08
SHA256bf5c0e3bc4e482be78a82a12f55025a066210bf1f15dd03bd1cc26d36aa3d81b
SHA5125117fac3b81d7919f8a96f7e3b5782dbfd6d58c17397285a69df300dd6aac0ff86000b87838a073ea8caf9b247631146d5989d9b3bb61d68323a5bdd95a4780b
-
Filesize
312B
MD5950f755d4ecb9096fb81911bcd08dc6f
SHA187c2bd8ddf1997d8010c60ee1ebe623136942b68
SHA25659e1a2854ad11c5fb3b0a2b42663bb1dc2ef47ebe1cb5a859500fce1b73c2c8b
SHA5125c396007d35a11b0341407e3564a7b89c6d05c86d027b3e5a02748336eca0375b823046dfc85c3b235b31899fe996158e2e108be1092c54640926c2d8ce2a840
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
4KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
32KB
-
Filesize
328KB
-
Filesize
32KB
-
Filesize
328KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
328KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
168KB
-
Filesize
48KB