Analysis Overview
SHA256
ef2c3d27f5bec472c1b606854d6c4f8ced93f4e0ae9de83710639d8276fe8447
Threat Level: Known bad
The file df76c9126293c60ec869c4fa231766af_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Lokibot
Looks for VirtualBox Guest Additions in registry
Credentials from Password Stores: Credentials from Web Browsers
Looks for VMWare Tools registry key
Checks BIOS information in registry
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Maps connected drives based on registry
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
outlook_office_path
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-14 04:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-14 04:10
Reported
2024-09-14 04:13
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Lokibot
Credentials from Password Stores: Credentials from Web Browsers
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1868 set thread context of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SbiKHfstfBh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp99EF.tmp"
C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 142.11.210.173:80 | 142.11.210.173 | tcp |
| US | 142.11.210.173:80 | 142.11.210.173 | tcp |
| US | 142.11.210.173:80 | 142.11.210.173 | tcp |
Files
memory/1868-0-0x000000007467E000-0x000000007467F000-memory.dmp
memory/1868-1-0x0000000000B40000-0x0000000000C28000-memory.dmp
memory/1868-2-0x0000000074670000-0x0000000074D5E000-memory.dmp
memory/1868-6-0x0000000000520000-0x000000000052A000-memory.dmp
memory/1868-7-0x000000007467E000-0x000000007467F000-memory.dmp
memory/1868-8-0x0000000074670000-0x0000000074D5E000-memory.dmp
memory/1868-9-0x0000000005740000-0x0000000005788000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp99EF.tmp
| MD5 | f9d58f7508257b2f45c1d779909fb67f |
| SHA1 | 49c93c557ef17e912d95d4dbfcae5a8f9ec80573 |
| SHA256 | ddfc4264d24ca398a02ee9f5b9edfcb5ebf41585d96c9ba4e6a181862f15bcea |
| SHA512 | ba91f2bdcf6841714b2dbb300af0736cf9ed6e8d24b0056c29eb4de6241e6b5e9edbad95df81c65fc5340b0db74d7fc317e34618e199a8d334f90b681de1528b |
memory/1244-15-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1244-19-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1244-18-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1244-20-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1244-23-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1244-25-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1244-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1244-17-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1868-26-0x0000000074670000-0x0000000074D5E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
memory/1244-45-0x0000000000400000-0x00000000004A2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-14 04:10
Reported
2024-09-14 04:13
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Lokibot
Credentials from Password Stores: Credentials from Web Browsers
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 412 set thread context of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SbiKHfstfBh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp401C.tmp"
C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df76c9126293c60ec869c4fa231766af_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 142.11.210.173:80 | 142.11.210.173 | tcp |
| US | 142.11.210.173:80 | 142.11.210.173 | tcp |
| US | 8.8.8.8:53 | 173.210.11.142.in-addr.arpa | udp |
| US | 142.11.210.173:80 | 142.11.210.173 | tcp |
Files
memory/412-0-0x000000007450E000-0x000000007450F000-memory.dmp
memory/412-1-0x0000000000900000-0x00000000009E8000-memory.dmp
memory/412-2-0x0000000005210000-0x00000000052AC000-memory.dmp
memory/412-3-0x0000000005970000-0x0000000005F14000-memory.dmp
memory/412-4-0x00000000053C0000-0x0000000005452000-memory.dmp
memory/412-5-0x0000000005490000-0x000000000549A000-memory.dmp
memory/412-6-0x0000000074500000-0x0000000074CB0000-memory.dmp
memory/412-7-0x0000000005500000-0x0000000005556000-memory.dmp
memory/412-8-0x0000000005F20000-0x0000000006274000-memory.dmp
memory/412-12-0x0000000006630000-0x000000000663A000-memory.dmp
memory/412-13-0x000000007450E000-0x000000007450F000-memory.dmp
memory/412-14-0x0000000074500000-0x0000000074CB0000-memory.dmp
memory/412-15-0x0000000008800000-0x0000000008848000-memory.dmp
memory/412-16-0x0000000008900000-0x0000000008966000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp401C.tmp
| MD5 | f515fdace2c9c58b0d80de7547341bcd |
| SHA1 | c4a5dd6fba38cf9e5ea4cc0ebbfd6ee1a5082615 |
| SHA256 | f717e12a10c1d5891f148de7ae2767694bf67955924ad68b2e7c5eb907f12438 |
| SHA512 | 71032f18318f581b1fafce9d8dbd8c77a4f667c87f5acf3c0a2f899541310441c71dbaff22ca7643234aac88330ca5ed93033f2ee2fb3539a479487fb219d366 |
memory/1900-22-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1900-24-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1900-26-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/412-27-0x0000000074500000-0x0000000074CB0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-656926755-4116854191-210765258-1000\0f5007522459c86e95ffcc62f32308f1_6f95b8b4-c02b-43c9-8cd4-016780936b63
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-656926755-4116854191-210765258-1000\0f5007522459c86e95ffcc62f32308f1_6f95b8b4-c02b-43c9-8cd4-016780936b63
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
memory/1900-46-0x0000000000400000-0x00000000004A2000-memory.dmp