Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

d6d930833f...18.ps1

windows7-x64

10

d6d930833f...18.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09/09/2024, 18:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6d930833f8f2ede9362a09329e7f4ac_JaffaCakes118.ps1

  • Size

    465KB

  • MD5

    d6d930833f8f2ede9362a09329e7f4ac

  • SHA1

    38984a2cd22557db3ee44b29a9d7100fffa5ce39

  • SHA256

    7159c94e767e0c5e2bdbcd02f04bffd4226f174dc46755995cd7679c289f6cae

  • SHA512

    632d51bb1112e7518a186321535908a7da6cd42540dbf2fd10c73f32b6e2a75a26dd68b6829d27608758ee63d3b788bc4ae8128842ae59cb1b6ab47eb8a93e7a

  • SSDEEP

    12288:zZUvcU//JjlmM6WSFXJlirXraVnOkul3MvXq1BR:z5aJ8M6TLSXu0kuZMvXQR

Score
10/10
lokibotcollectioncredential_accessdiscoveryexecutionpersistencespywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://webxpo.ga/luky/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\d6d930833f8f2ede9362a09329e7f4ac_JaffaCakes118.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Public\liys.exe
      "C:\Users\Public\liys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:24996

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3063565911-2056067323-3330884624-1000\0f5007522459c86e95ffcc62f32308f1_de87a6d6-9d44-4942-9ec6-2be31b435411
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3063565911-2056067323-3330884624-1000\0f5007522459c86e95ffcc62f32308f1_de87a6d6-9d44-4942-9ec6-2be31b435411
    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    Download Submit

  • C:\Users\Public\liys.exe
    Filesize

    331KB

    MD5

    76fea88e7cc12f4804be22b43d3f5a37

    SHA1

    2ad73e1ca4841ff3662e096823fd27b207f8c426

    SHA256

    55091223ddb1dc68ac04838e9af589698b467936cd85f138beb4ebfee0f4d5b9

    SHA512

    e2c90897bca3378adc1963437dfaa436c3d27e0dddba95106d931d1f85c02f5a92511027083d3db2bda8de868f52215366c5c0c80939b7f3d6ca08e9366d2477

    Download Submit

  • C:\Windows\win.ini
    Filesize

    517B

    MD5

    893cae59ab5945a94a7da007d47a1255

    SHA1

    d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06

    SHA256

    edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938

    SHA512

    d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso957E.tmp\vivo.dll
    Filesize

    12KB

    MD5

    0d7ad4f45dc6f5aa87f606d0331c6901

    SHA1

    48df0911f0484cbe2a8cdd5362140b63c41ee457

    SHA256

    3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    SHA512

    c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\zosters.dll
    Filesize

    15KB

    MD5

    97118f2a22b8c2491e1e6742eb1814dc

    SHA1

    b0565442c5e5439345d8f091de17fb09d3b8e730

    SHA256

    4137be35eb69654f4bc1204c92a4b0a3f4948bbbd2db5dd0fbbdadb6972f4214

    SHA512

    812f6989d393ee8e873bda8236540a9e460a9af27576b3485cbefc2100f8a0eee4be40b9976c13a84a763d4e2f42e091e673041acb4070dae6688781fe52cda1

    Download Submit

  • memory/2316-5-0x000000001B690000-0x000000001B972000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2316-10-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2316-11-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2316-8-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2316-27-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2316-4-0x000007FEF560E000-0x000007FEF560F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2316-7-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2316-9-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2316-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2596-42-0x0000000002600000-0x0000000002601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2596-10050-0x0000000002740000-0x0000000002761000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2596-43-0x0000000002610000-0x0000000002623000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2596-40-0x0000000000870000-0x0000000000871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/24996-10053-0x0000000000090000-0x0000000000096000-memory.dmp

    Filesize

    24KB

    Download

  • memory/24996-10052-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/24996-10051-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/24996-10091-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download