Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/08/2024, 16:14

General

  • Target

    cd23b9710a6f3bddf569663eca410316_JaffaCakes118.msi

  • Size

    428KB

  • MD5

    cd23b9710a6f3bddf569663eca410316

  • SHA1

    26afee2a515aa7c0d2ab691fadd85bfc948dcfbe

  • SHA256

    193e8868bf9fbb4fc5edb8a0e2400796ee644114d8a401c8550ce0aa958665ac

  • SHA512

    789589860b13b580604be4d7127bc340cc0d29bcf8e6cb6a9259bbf4623033f96addc41b1df41850ee273c9e642730cff5dbc54d75171bdf9caa727cd4ab13cd

  • SSDEEP

    12288:sEfBZl1vvNQSnTlBZl1vvNQSnTnHrpq0sU5:sEJ1vvNQQTz1vvNQQTNq0x

Malware Config

Extracted

  • Family
    lokibot
  • C2
    http://pms-ne.kr/ikloki/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 2 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 62 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cd23b9710a6f3bddf569663eca410316_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2500
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\Installer\MSIEC44.tmp
      "C:\Windows\Installer\MSIEC44.tmp"
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:332
      • C:\Windows\Installer\MSIEC44.tmp
        "C:\Windows\Installer\MSIEC44.tmp"
        3⤵
        • Executes dropped EXE
        PID:1624
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1312
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E0" "0000000000000584"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f76eaff.rbs

    Filesize

    663B

    MD5

    26321291d0961bfb74e0e41adeaec74f

    SHA1

    f3aa683b9b6b9b00456fb6014beb3dcda6e4860b

    SHA256

    753c38e36ef65c59123cdcc94208394f5bc2cd0518fed777c8b7297b0f2a3160

    SHA512

    7cf2297b239fc937d57d0756e95da75f77bca7a48a5553aa227370154a4905b210fe1291a94d7f81ef931eda676251b12a51eff22764ac3db19c597a4e97546c

  • C:\Windows\Installer\MSIEC44.tmp

    Filesize

    401KB

    MD5

    42f0ce29970a9ab24c4d01d061091bca

    SHA1

    c871ab752d547956b4ea1f3944b3b32a793e7112

    SHA256

    a8b1fd6c71325bc5a80c2a175dfcb39fddc77b2125f8065c63636dfdff9bab7f

    SHA512

    6b9d538b41ff821f6b95d0722c76fd2d940053990e7d782ba8f39fc71e357ed655528361cc7e961b7bc141ac4be38e926102876ecfd4cd22600fa87a97f538ad

  • memory/332-12-0x0000000000B80000-0x0000000000BEA000-memory.dmp

    Filesize

    424KB

  • memory/332-13-0x0000000000560000-0x0000000000582000-memory.dmp

    Filesize

    136KB

  • memory/1624-17-0x0000000000080000-0x0000000000122000-memory.dmp

    Filesize

    648KB