Overview

overview

10

Static

static

1

cbb16e4e4e...18.msi

windows7-x64

10

cbb16e4e4e...18.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-08-2024 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cbb16e4e4e08c92f71f92912ee89d99f_JaffaCakes118.msi

  • Size

    496KB

  • MD5

    cbb16e4e4e08c92f71f92912ee89d99f

  • SHA1

    837c8f172b6a8e1af9d906bfe9e2910c37af4159

  • SHA256

    ccbcbbf0c8ab0e133382d476d1836596502dea3a459923e3b7b8462fa0ff4782

  • SHA512

    591ee2940ab8c6a53fc824db1fbf6300677430d9b39eb6437d67e8640fa7454c428b20098323e7663de8baaec11a12392b7b6224e6f6cac9c442ccb439561269

  • SSDEEP

    3072:ZEwLwjDHoRQoE/dVEZYIt+R9pna+10ez2kWYj67n0sN0o2ibcH0qwrUm1tEfaK:ZEwLUoOoEsZYIU3nIeYYjftwn1ty

Score
10/10
lokibotcollectioncredential_accessdiscoverypersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://185.148.146.193/~agroinovate/foreducational/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cbb16e4e4e08c92f71f92912ee89d99f_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1396
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:428
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1292
    • C:\Windows\Installer\MSI7887.tmp
      "C:\Windows\Installer\MSI7887.tmp"
      2⤵
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dqm1e1sr\dqm1e1sr.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CBD.tmp" "c:\Users\Admin\AppData\Local\Temp\dqm1e1sr\CSC24CFC3D1752B44F48AA314C19014449.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4264
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /query
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1724
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /sc MINUTE /tn Notty /MO 1 /tr "C:\Users\Admin\AppData\Roaming\skipe\msbuild.exe\
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4972
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2368
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4560
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4072,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8
    1⤵
      PID:1548

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Scripting

    1
    T1064

    Persistence

    Event Triggered Execution

    1
    T1546

    Installer Packages

    1
    T1546.016

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Event Triggered Execution

    1
    T1546

    Installer Packages

    1
    T1546.016

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Scripting

    1
    T1064

    System Binary Proxy Execution

    1
    T1218

    Msiexec

    1
    T1218.007

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Discovery

    Peripheral Device Discovery

    2
    T1120

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Email Collection

    1
    T1114

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e587703.rbs
      Filesize

      663B

      MD5

      b716678319852502b57425a97bf02ea0

      SHA1

      59dfa302a28d8dac6f2b778631418d619ad84ed8

      SHA256

      23d54ea09b0a2b12681ca9285eab02d65a02f6319a4a9810ec2961d33aa60bc0

      SHA512

      a6ecacee4afb26e56249c792d7b4a1b2d94841b17c3a21572f2deeaee860f8fc2e1deac6dbbdb233abe81f884c62bcb660fd531a520fdbdc508037df9c7ce51d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dqm1e1sr\dqm1e1sr.dll
      Filesize

      6KB

      MD5

      6d614db5546f15856b9fa83e8a95fa9e

      SHA1

      3f2aa3c8066111d41214ca13837db1d2cdaccf3a

      SHA256

      cc5787b2b4f2d26089862e1c6f78190130b442a57fe0dc3fb6f8a619cd99a6f6

      SHA512

      ee5311719d617cde29d676fcf74f2cc8e3d7ef20312e1155265f48fc8748a8095291746dd07badd0445f4d4f03225a416f6727c21e09ac79c2e3cd0fdd1c99aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dqm1e1sr\dqm1e1sr.pdb
      Filesize

      15KB

      MD5

      57f808c81cff556ea232b71cde990e62

      SHA1

      2e065970be038faff2d83ff900694a6ca95945b3

      SHA256

      18c2144e61eeead28539c8b9914f7c12e30e804e85d719bf6eb06d2137dd1f6b

      SHA512

      5264969d5783d5780ad1437e5628a76208d51725a05de6da15632ab117a1bfc0345f4a343a78d613e59dcd05aad36e4ced2f42ac25100d86f9bf4132460cadb9

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2170637797-568393320-3232933035-1000\0f5007522459c86e95ffcc62f32308f1_76278eb0-9988-43b4-9423-af5897ebbcb4
      Filesize

      46B

      MD5

      d898504a722bff1524134c6ab6a5eaa5

      SHA1

      e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

      SHA256

      878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

      SHA512

      26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2170637797-568393320-3232933035-1000\0f5007522459c86e95ffcc62f32308f1_76278eb0-9988-43b4-9423-af5897ebbcb4
      Filesize

      46B

      MD5

      c07225d4e7d01d31042965f048728a0a

      SHA1

      69d70b340fd9f44c89adb9a2278df84faa9906b7

      SHA256

      8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

      SHA512

      23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

      Download Submit

    • C:\Windows\Installer\MSI7887.tmp
      Filesize

      470KB

      MD5

      567ff04d8da26338664b393e83a07287

      SHA1

      dc848a25dc90b7d90a51cd8fbe3d9abddd5f5b1b

      SHA256

      10abc3ea92644e7f4b9445f400bad387b94f28820cd9eb5bfa1849330dcc6691

      SHA512

      89225e97e735e9cba09d377c358aa59b8135181cfbb6ce704eb4448ad20732a57dce7624dd1849e3ef3995c630ff89816051f3c5bc4976f8257cc390aa48728a

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.7MB

      MD5

      55ae6e5698be6faa2383c199678814d8

      SHA1

      8a770b2ec9f1db2ffdc3e9a380ea6477ff1b6d32

      SHA256

      a0266efa01e7c1f6703ba3b6b7ac55f5fe51717e484fe981c4129d4fa5d6e0f2

      SHA512

      ca89f7f56ebae4f7a5b9ba9c6d1d1e521d1444938b7674f885a56c7105d50d574170d3ef06ea5ce47688f16021a9e5b47361cd5fa9d85249004985c2ba88acb5

      Download Submit

    • \??\Volume{ff3ab8f7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2702ddf4-8d4e-4157-bcda-e8a706c2f7b1}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      ae936d32e0417ae42573900de3455724

      SHA1

      10526411d7f7af3b0d466efa3c360c5dea64de2d

      SHA256

      1c0e0d4c088937004fab375a1977f6386c43467145cbd2960358e6897c72958d

      SHA512

      9ce30c74da201c480d088ee4160c5976eedaf7b72bede716038250fcd39c159f15c4e04f311490ccaa03e22172636c2a8f3b76e3aaf2c7cd4cac898afd29774c

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\dqm1e1sr\dqm1e1sr.0.cs
      Filesize

      3KB

      MD5

      4e1095c7e8dbb0c68bc9bf829eef13b6

      SHA1

      f2b98be89910c93c5169e82d248c57500e59b698

      SHA256

      9107abced02db522cfb88d1d15faa4117c665c855d3f5fbef054cce42f855ea1

      SHA512

      f9d77f5da96b93bdc09ff508c64d3f1f7f3f5a719f5309a548a3d5e2661d05f0032de2fcc4506d978e12a440310fee3db26ec8c6f560925aea127565d32105e7

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\dqm1e1sr\dqm1e1sr.cmdline
      Filesize

      312B

      MD5

      05f979f17c1f802a07a0b51f9cd14ecf

      SHA1

      4dde2273e8769269dd3dca80cd00a9c7c19219eb

      SHA256

      c8a3218d4d53cec220d1d0b446e348803f78b6b3f15a15f7d7bb50e2bcc3075f

      SHA512

      c783146a4fd6c3e21bcde2719b9c3813189965fbdb95742f55b644d047131d9a7bb25ae46fcbfa5206b6bb79da01f7a33f01f3ee4dd54526e526acb6c533b50d

      Download Submit

    • memory/2036-29-0x00000000059A0000-0x00000000059CA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/2036-33-0x00000000059D0000-0x0000000005A72000-memory.dmp

      Filesize

      648KB

      Download

    • memory/2036-34-0x0000000005C40000-0x0000000005CDC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2036-30-0x0000000005510000-0x000000000551C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2036-28-0x0000000005520000-0x00000000055B2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2036-12-0x0000000000C40000-0x0000000000C92000-memory.dmp

      Filesize

      328KB

      Download

    • memory/2036-26-0x00000000013E0000-0x00000000013E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2036-13-0x00000000013B0000-0x00000000013B8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-35-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/2368-53-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/2368-37-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/2368-74-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/2368-98-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download