Analysis
max time kernel: 143s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-06-2024 14:28
Static task: static1
Behavioral task: behavioral1
  Sample: 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
Size: 490KB
MD5: 06854e61899fff2b198c91a5a25cff6d
SHA1: 6b74e8be276b9f16b4732a3e4a2bd69a39e9bf9b
SHA256: e21a9d3df315dd8e55f1178611a622bb43c5be81eafed44c7c7ce1035f0f4691
SHA512: ec87153a038e858641d88d03a8b9142c7838cfcd02795c93299bd52c40a975cb34dfa7792d10615aea8fe6fa3763c395fe84812037d15426bc341c6149af070b
SSDEEP: 6144:ih6o1R1khh63aQbSFvU9+kRIluFRfwVnvUjWkY1hdQUdwzMTIv9QZgmT:C1R1kDVvUwGOnnvAEQsqbV
Malware Config
Extracted: lokibot
- https://lokipanelhostingpanel.gq/panel/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

Drops startup file (1 IoC)
Process: 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk

Executes dropped EXE (1 IoC)
Process: notepad.exe
- PID 4924 notepad.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Process: notepad.exe
- Key opened: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Key opened: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
- Key opened: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Drops desktop.ini file(s) (2 IoCs)
Process: 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
- File opened for modification: C:\Windows\assembly\Desktop.ini
- File created: C:\Windows\assembly\Desktop.ini

Suspicious use of SetThreadContext (1 IoC)
Process: 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
- PID 2020 (06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe) set thread context of PID 4924 (notepad.exe)

Drops file in Windows directory (3 IoCs)
Process: 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
- File opened for modification: C:\Windows\assembly
- File created: C:\Windows\assembly\Desktop.ini
- File opened for modification: C:\Windows\assembly\Desktop.ini

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
Process: timeout.exe
- PID 3592 timeout.exe

NTFS ADS (1 IoC)
Process: cmd.exe
- File created: C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier

Suspicious behavior: EnumeratesProcesses (17 IoCs)
Process: 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
- PID 2020 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe (17 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe, notepad.exe
- Token: SeDebugPrivilege, PID 2020 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
- Token: SeDebugPrivilege, PID 4924 notepad.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes: 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe, cmd.exe, cmd.exe
- PID 2020 (06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe) wrote to memory of PID 2484 (cmd.exe), 3 entries
- PID 2484 (cmd.exe) wrote to memory of PID 4956 (reg.exe), 3 entries
- PID 2020 (06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe) wrote to memory of PID 4924 (notepad.exe), 9 entries
- PID 2020 (06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe) wrote to memory of PID 2732 (cmd.exe), 3 entries
- PID 2732 (cmd.exe) wrote to memory of PID 3592 (timeout.exe), 3 entries

outlook_office_path (1 IoC)
Process: notepad.exe
- Key opened: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path (1 IoC)
Process: notepad.exe
- Key opened: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe"
  - Drops startup file
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
  - C:\Users\Admin\AppData\Local\Temp\notepad.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 300
      - Delays execution with timeout.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
  Filesize: 490KB
  MD5: 06854e61899fff2b198c91a5a25cff6d
  SHA1: 6b74e8be276b9f16b4732a3e4a2bd69a39e9bf9b
  SHA256: e21a9d3df315dd8e55f1178611a622bb43c5be81eafed44c7c7ce1035f0f4691
  SHA512: ec87153a038e858641d88d03a8b9142c7838cfcd02795c93299bd52c40a975cb34dfa7792d10615aea8fe6fa3763c395fe84812037d15426bc341c6149af070b
- C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
  Filesize: 206B
  MD5: 90c06b5a8de4b32e4e13579cbd8c694d
  SHA1: d0ba856351d70f7423c76b21688ea51a9fb65d69
  SHA256: 25aca836dfd3715de6f7617c6f50db118acc019361092e10f7730a7ddad64c98
  SHA512: 5b29bc17d7f1e6ce58313830b7fe15ff03be37c7304fe260dad2c2865588f1dd3811d1fd877f5e8b850cf365386b330d0d21a32b31567303ddcf0f51372f5b06
- C:\Users\Admin\AppData\Local\Temp\notepad.exe
  Filesize: 1.6MB
  MD5: 1c9ff7df71493896054a91bee0322ebf
  SHA1: 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4
  SHA256: e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
  SHA512: aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3665033694-1447845302-680750983-1000\0f5007522459c86e95ffcc62f32308f1_0c2dbd8b-df2c-459b-9e3f-15002e1e55b7
  Filesize: 46B
  MD5: d898504a722bff1524134c6ab6a5eaa5
  SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
- memory/2020-2-0x0000000074E60000-0x0000000075411000-memory.dmp
  Filesize: 5.7MB
- memory/2020-1-0x0000000074E60000-0x0000000075411000-memory.dmp
  Filesize: 5.7MB
- memory/2020-0-0x0000000074E62000-0x0000000074E63000-memory.dmp
  Filesize: 4KB
- memory/2020-64-0x0000000074E60000-0x0000000075411000-memory.dmp
  Filesize: 5.7MB
- memory/4924-13-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4924-18-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4924-17-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4924-65-0x0000000000C00000-0x0000000000DA5000-memory.dmp
  Filesize: 1.6MB
- memory/4924-67-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB