Analysis
-
max time kernel
134s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-10-2024 01:31
Static task
static1
Behavioral task
behavioral1
Sample
71bc06523eff20bda9197d0020b751cf_JaffaCakes118.msi
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
71bc06523eff20bda9197d0020b751cf_JaffaCakes118.msi
Resource
win10v2004-20241007-en
General
-
Target
71bc06523eff20bda9197d0020b751cf_JaffaCakes118.msi
-
Size
656KB
-
MD5
71bc06523eff20bda9197d0020b751cf
-
SHA1
3215635a506e4c538daa7adcd1606d348d25e0b5
-
SHA256
165f271fb293701f0b6ab71033eeb9568c18aefcdd847060a3d57475eae2aeed
-
SHA512
a29e3852395e9fdfc74686b648394ae811eb4b3e14c2592273a765539d844f419a7c505868beb57a858f39f9ae296b16e97ba87562d0662e955fbc73566d6ee0
-
SSDEEP
6144:EE7TMenVqe/eD8zNa0ILko3H5M1T5DsApiRCDE6YG320A5E7cYDvhRNQ0OBjtguZ:EEXnVqKeDI/ID3HxBuGurTNr2
Malware Config
Extracted
lokibot
http://spimagesinc.com/images/ImgDump_04-25-16/picture/gallery/newfoldwer/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook MSI9E35.tmp Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook MSI9E35.tmp Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook MSI9E35.tmp -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4568 set thread context of 1540 4568 MSI9E35.tmp 105 -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} msiexec.exe File opened for modification C:\Windows\Installer\MSI9DD6.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9E35.tmp msiexec.exe File created C:\Windows\Installer\e579d0b.msi msiexec.exe File opened for modification C:\Windows\Installer\e579d0b.msi msiexec.exe -
Executes dropped EXE 2 IoCs
pid Process 4568 MSI9E35.tmp 1540 MSI9E35.tmp -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2948 msiexec.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSI9E35.tmp -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001a73a27760024bf60000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001a73a2770000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001a73a277000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1a73a277000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001a73a27700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5036 msiexec.exe 5036 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 56 IoCs
description pid Process Token: SeShutdownPrivilege 2948 msiexec.exe Token: SeIncreaseQuotaPrivilege 2948 msiexec.exe Token: SeSecurityPrivilege 5036 msiexec.exe Token: SeCreateTokenPrivilege 2948 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2948 msiexec.exe Token: SeLockMemoryPrivilege 2948 msiexec.exe Token: SeIncreaseQuotaPrivilege 2948 msiexec.exe Token: SeMachineAccountPrivilege 2948 msiexec.exe Token: SeTcbPrivilege 2948 msiexec.exe Token: SeSecurityPrivilege 2948 msiexec.exe Token: SeTakeOwnershipPrivilege 2948 msiexec.exe Token: SeLoadDriverPrivilege 2948 msiexec.exe Token: SeSystemProfilePrivilege 2948 msiexec.exe Token: SeSystemtimePrivilege 2948 msiexec.exe Token: SeProfSingleProcessPrivilege 2948 msiexec.exe Token: SeIncBasePriorityPrivilege 2948 msiexec.exe Token: SeCreatePagefilePrivilege 2948 msiexec.exe Token: SeCreatePermanentPrivilege 2948 msiexec.exe Token: SeBackupPrivilege 2948 msiexec.exe Token: SeRestorePrivilege 2948 msiexec.exe Token: SeShutdownPrivilege 2948 msiexec.exe Token: SeDebugPrivilege 2948 msiexec.exe Token: SeAuditPrivilege 2948 msiexec.exe Token: SeSystemEnvironmentPrivilege 2948 msiexec.exe Token: SeChangeNotifyPrivilege 2948 msiexec.exe Token: SeRemoteShutdownPrivilege 2948 msiexec.exe Token: SeUndockPrivilege 2948 msiexec.exe Token: SeSyncAgentPrivilege 2948 msiexec.exe Token: SeEnableDelegationPrivilege 2948 msiexec.exe Token: SeManageVolumePrivilege 2948 msiexec.exe Token: SeImpersonatePrivilege 2948 msiexec.exe Token: SeCreateGlobalPrivilege 2948 msiexec.exe Token: SeBackupPrivilege 2628 vssvc.exe Token: SeRestorePrivilege 2628 vssvc.exe Token: SeAuditPrivilege 2628 vssvc.exe Token: SeBackupPrivilege 5036 msiexec.exe Token: SeRestorePrivilege 5036 msiexec.exe Token: SeRestorePrivilege 5036 msiexec.exe Token: SeTakeOwnershipPrivilege 5036 msiexec.exe Token: SeRestorePrivilege 5036 msiexec.exe Token: SeTakeOwnershipPrivilege 5036 msiexec.exe Token: SeRestorePrivilege 5036 msiexec.exe Token: SeTakeOwnershipPrivilege 5036 msiexec.exe Token: SeDebugPrivilege 4568 MSI9E35.tmp Token: SeRestorePrivilege 5036 msiexec.exe Token: SeTakeOwnershipPrivilege 5036 msiexec.exe Token: SeRestorePrivilege 5036 msiexec.exe Token: SeTakeOwnershipPrivilege 5036 msiexec.exe Token: SeBackupPrivilege 4188 srtasks.exe Token: SeRestorePrivilege 4188 srtasks.exe Token: SeSecurityPrivilege 4188 srtasks.exe Token: SeTakeOwnershipPrivilege 4188 srtasks.exe Token: SeBackupPrivilege 4188 srtasks.exe Token: SeRestorePrivilege 4188 srtasks.exe Token: SeSecurityPrivilege 4188 srtasks.exe Token: SeTakeOwnershipPrivilege 4188 srtasks.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2948 msiexec.exe 2948 msiexec.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 5036 wrote to memory of 4188 5036 msiexec.exe 102 PID 5036 wrote to memory of 4188 5036 msiexec.exe 102 PID 5036 wrote to memory of 4568 5036 msiexec.exe 104 PID 5036 wrote to memory of 4568 5036 msiexec.exe 104 PID 5036 wrote to memory of 4568 5036 msiexec.exe 104 PID 4568 wrote to memory of 1540 4568 MSI9E35.tmp 105 PID 4568 wrote to memory of 1540 4568 MSI9E35.tmp 105 PID 4568 wrote to memory of 1540 4568 MSI9E35.tmp 105 PID 4568 wrote to memory of 1540 4568 MSI9E35.tmp 105 PID 4568 wrote to memory of 1540 4568 MSI9E35.tmp 105 PID 4568 wrote to memory of 1540 4568 MSI9E35.tmp 105 PID 4568 wrote to memory of 1540 4568 MSI9E35.tmp 105 PID 4568 wrote to memory of 1540 4568 MSI9E35.tmp 105 PID 4568 wrote to memory of 1540 4568 MSI9E35.tmp 105 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook MSI9E35.tmp -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook MSI9E35.tmp
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\71bc06523eff20bda9197d0020b751cf_JaffaCakes118.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2948
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:4188
-
-
C:\Windows\Installer\MSI9E35.tmp"C:\Windows\Installer\MSI9E35.tmp"2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\Installer\MSI9E35.tmp"C:\Windows\Installer\MSI9E35.tmp"3⤵
- Accesses Microsoft Outlook profiles
- Executes dropped EXE
- outlook_office_path
- outlook_win_path
PID:1540
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2628
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
663B
MD508c4b04f9ab2d4c2e679da226e113f5a
SHA1d4bd26696b62514d1c9c43725bc8f16af33ad4ea
SHA2567fe3fdcdd3421cfcb5d4320425867ccb6cf53591b5ae6d88474b2b1c1bc48d18
SHA512f695e75e65efbf2d69010fe3b6d24999c4f8aeda1fe1b8b5045590c666b115c213c99d8d50a56dc99c6901225de3d0a01182563915e44c534f9a832a240499c1
-
Filesize
632KB
MD524d6ee30e47dc5886977b78f26fae187
SHA170b855b7756bc66d94b0ba6f78f4c15542df4c81
SHA25671a00fcf74a3d6b9390e289f50b80ad5bd41b9ed64e1a924c8ea7a851ecccf36
SHA512d2701478d951266a1e32432926a02c3b72e3d852b2f5ad07410ab62e3c9a9c6074fdc131ff6853a54f368e9e857a2dbfe9ce80ddedbf7ecceac23a88d9b36893
-
Filesize
24.1MB
MD52dbb1b0b5d96b31b4a9c6390161bb036
SHA17f15325db5a1f8c52b0dd996a255b55d8fbb5488
SHA256837444ac51003a6242ad21a61a9b32b0589a84b3779dd21de0c48ff35222faa2
SHA5121f6a19ea8fc7346de325dcd84e69043baff8b2124e82ec6f1c950df5e4777ebb68854f33cdd2825233191222ac1ff9e76a0775057330865979131477a86b5374
-
\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{67acee5c-9d0b-4196-8e47-91eeb3c70f3e}_OnDiskSnapshotProp
Filesize6KB
MD580b0bdf1211767a473abcbb0e8bc3f52
SHA14878814f24aaffc86b4b5c824f013b04bf085e0e
SHA2567615e6b752bcbdcc3796d995fc7d6024942060a25377d36f91232e563ff03e86
SHA5122a5d10cdbfa0cc870897a93466780e1f401cf3b0d95c3cf1cf8ec072692d5a2a32d10618c779e184b6bdd7466c962c7e969bff0ac1b28a86d680a78d68ab85d2