Analysis

  • max time kernel
    141s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-01-2025 19:46

General

  • Target

    JaffaCakes118_d0d80da52bd01843d38139b1ddf1ca3a.exe

  • Size

    245 KB

  • MD5

    d0d80da52bd01843d38139b1ddf1ca3a

  • SHA1

    da78153f04dae889906a621dcb1625035c4a292e

  • SHA256

    64b919d36bd2047074cf6887e88e890871e9421305583a20da902265e31d15e4

  • SHA512

    d0ab8c7ca8ebe802dbb80da9239c8eef49fa5206807d53981a51b3014a4c0b6932b3903ea80a5b96477341dee47002b8ab01d1f78a511d2d72dd402271941b16

  • SSDEEP

    6144:wBlL/chDJGYkb1tHuldAvw0tmo5o9+75JJSu8IiXuZ0O1:CehFK1xmdetT5oE75jDzZv

Malware Config

Extracted

Family

  lokibot

C2

  • http://63.250.40.204/~wpdemo/file.php?search=955547
  • http://kbfvzoboss.bid/alien/fre.php
  • http://alphastand.trade/alien/fre.php
  • http://alphastand.win/alien/fre.php
  • http://alphastand.top/alien/fre.php
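The C2 list above is the most directly actionable part of the report. The script below is an added example, not part of the sandbox output: it turns those five URLs into host and path indicators and runs them over a few constructed Squid-style proxy log lines (`SAMPLE_LOG`, including the peer IPs in it, is made up for illustration). Matching on the `/fre.php` gate path alone is a heuristic, since it recurs across the four domains in the config but is not unique to this sample, so the script reports it separately from an exact host match.

```python
"""Match proxy log lines against the Lokibot C2 indicators from the report.

Added example; the log lines are constructed, the C2 URLs are the report's.
"""
import re
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from the sample's configuration.
C2_URLS = [
    "http://63.250.40.204/~wpdemo/file.php?search=955547",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# The panel gate path shared by four of the five URLs; a path-only match is a
# weaker, heuristic signal and is labelled as such in the output.
GATE_PATH = re.compile(r"/fre\.php$", re.IGNORECASE)

# Squid native access log:
#   <ts> <elapsed> <client> <code/status> <bytes> <method> <url> <ident> <peer> <type>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample lines (clients, peers and sizes are invented).
SAMPLE_LOG = [
    "1736452000.101    120 10.0.0.15 TCP_MISS/200 152 POST http://63.250.40.204/~wpdemo/file.php?search=955547 - HIER_DIRECT/63.250.40.204 text/html",
    "1736452001.502     80 10.0.0.15 TCP_MISS/200 4210 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1736452002.803    115 10.0.0.22 TCP_MISS/404 310 POST http://alphastand.trade/alien/fre.php - HIER_DIRECT/203.0.113.9 text/html",
    "1736452003.004    100 10.0.0.31 TCP_MISS/200 290 POST http://panel.invalid/newdir/fre.php - HIER_DIRECT/198.51.100.7 text/html",
]


def build_indicators(urls):
    """Split a C2 URL list into the hostnames/IPs and URL paths to match on."""
    hosts, paths = set(), set()
    for u in urls:
        parts = urlsplit(u)
        hosts.add(parts.hostname.lower())
        paths.add(parts.path)
    return hosts, paths


def scan_log(lines, urls=C2_URLS):
    """Return (client, host, reason) for every line touching a C2 indicator."""
    hosts, paths = build_indicators(urls)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Squid-format line; skip rather than guess
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if host in hosts:
            hits.append((m["client"], host, "known C2 host"))
        elif parts.path in paths or GATE_PATH.search(parts.path):
            hits.append((m["client"], host, "Lokibot gate path (heuristic)"))
    return hits


if __name__ == "__main__":
    for client, host, reason in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```

The exact-host match is what to alert on; the path heuristic is better suited to hunting, since unrelated PHP sites can legitimately serve a file named `fre.php`.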

Signatures

  • Lokibot

    Lokibot is a password and cryptocurrency-wallet stealer.

  • Lokibot family
  • Loads dropped DLL (1 IoC)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (10 IoCs)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0d80da52bd01843d38139b1ddf1ca3a.exe (PID 1568)
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0d80da52bd01843d38139b1ddf1ca3a.exe"
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0d80da52bd01843d38139b1ddf1ca3a.exe (PID 2116, child of 1568)
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0d80da52bd01843d38139b1ddf1ca3a.exe"
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
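The tree above shows the sample launching a second copy of itself, with SetThreadContext and WriteProcessMemory flagged on the parent (PID 1568) and the stealer behaviour on the child (PID 2116): the classic process-hollowing shape. The script below is an added example, not part of the report, that detects that shape in an API trace. The trace, its record layout (`pid`, `api`, `target_pid` fields) and the two benign look-alike processes are constructed for illustration; the written region 0x400000 to 0x4A2000 mirrors the 648 KB memory dumps listed under Downloads.

```python
"""Heuristic for process hollowing: a writer that both writes another process's
memory and replaces a thread context, strongest when it spawned that process
suspended from its own image.

Added example; the API trace and record layout are constructed.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit used by hollowing loaders

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0d80da52bd01843d38139b1ddf1ca3a.exe"

# Processes already running when the trace begins (constructed).
KNOWN_IMAGES = {
    1568: SAMPLE,
    900: r"C:\Windows\explorer.exe",
    1200: r"C:\Tools\debugger.exe",
}

# Constructed API trace: the hollowing sequence plus two benign look-alikes.
TRACE = [
    {"pid": 1568, "api": "CreateProcessW", "image": SAMPLE, "child_pid": 2116,
     "flags": CREATE_SUSPENDED},
    {"pid": 1568, "api": "WriteProcessMemory", "target_pid": 2116,
     "address": 0x400000, "size": 0xA2000},
    {"pid": 1568, "api": "SetThreadContext", "target_pid": 2116},
    {"pid": 1568, "api": "ResumeThread", "target_pid": 2116},
    # explorer launching notepad normally: no writes into the child
    {"pid": 900, "api": "CreateProcessW", "image": r"C:\Windows\notepad.exe",
     "child_pid": 950, "flags": 0},
    # a debugger patching notepad: writes memory but never swaps a thread context
    {"pid": 1200, "api": "WriteProcessMemory", "target_pid": 950,
     "address": 0x7FF600001000, "size": 0x10},
]


def find_hollowing(trace, known_images):
    """Return one finding per (writer, target) pair that shows both
    WriteProcessMemory and SetThreadContext; self_spawn marks the stronger
    case where the writer created the target from its own image."""
    images = dict(known_images)
    parent_of = {}
    seen = defaultdict(set)  # (writer_pid, target_pid) -> APIs observed
    for ev in trace:
        if ev["api"] == "CreateProcessW":
            images[ev["child_pid"]] = ev["image"]
            parent_of[ev["child_pid"]] = ev["pid"]
            if ev.get("flags", 0) & CREATE_SUSPENDED:
                seen[(ev["pid"], ev["child_pid"])].add("CREATE_SUSPENDED")
        elif "target_pid" in ev:
            seen[(ev["pid"], ev["target_pid"])].add(ev["api"])

    findings = []
    for (writer, target), apis in seen.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= apis:
            findings.append({
                "parent": writer,
                "child": target,
                "self_spawn": parent_of.get(target) == writer
                and images.get(writer) == images.get(target),
                "apis": sorted(apis),
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(TRACE, KNOWN_IMAGES):
        print(finding)
```

Requiring both APIs against the same target keeps debuggers and patchers (memory writes only) out of the results; the `self_spawn` flag is what distinguishes this report's pattern, where the hollowed child is a second instance of the dropper itself, from injection into an unrelated process.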

Network

  • 63.250.40.204:80 | JaffaCakes118_d0d80da52bd01843d38139b1ddf1ca3a.exe | 152 B | 3
  • 63.250.40.204:80 | JaffaCakes118_d0d80da52bd01843d38139b1ddf1ca3a.exe | 152 B | 3
  • 63.250.40.204:80 | JaffaCakes118_d0d80da52bd01843d38139b1ddf1ca3a.exe | 152 B | 3
  • 63.250.40.204:80 | JaffaCakes118_d0d80da52bd01843d38139b1ddf1ca3a.exe | 152 B | 3
  • 63.250.40.204:80 | JaffaCakes118_d0d80da52bd01843d38139b1ddf1ca3a.exe | 152 B | 3
  • 63.250.40.204:80 | JaffaCakes118_d0d80da52bd01843d38139b1ddf1ca3a.exe | 152 B | 3

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

    Filesize

    46 B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

    Filesize

    46 B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

  • \Users\Admin\AppData\Local\Temp\nstAFD0.tmp\udpjzymus.dll

    Filesize

    38 KB

    MD5

    35c7e2a63c059a4dbdb41078633ab8a2

    SHA1

    c718c7587166f41d2bd3ba94ee23bbb85ca16f96

    SHA256

    5d14d6480c4d20dd420d598d6e7f503b7e714ce9d21d56cc73a2f2dbcb1100af

    SHA512

    dc6c4b050269f8cda0e729a577121ea5468dc48e879d46bbf75b8830c6fc4be8e31d8ae296e888c93cb14a981f05c7e5253838c56a0d38120f7d76b9e8788ec2

  • memory/1568-7-0x0000000010009000-0x000000001000B000-memory.dmp

    Filesize

    8 KB

  • memory/2116-9-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648 KB

  • memory/2116-11-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648 KB

  • memory/2116-12-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648 KB

  • memory/2116-16-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648 KB

  • memory/2116-34-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648 KB

  • memory/2116-56-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648 KB
