lokibot | 7aeaa9cbabc54c36844d5852172c449865bf4c524693ae7aa9909b87627052fa

General

Target

kayo.exe
Size

29KB
MD5

7b9af96c1828d52a8d6380b02ef72c18
SHA1

28a32a49f3d857ba4e869901e85328b2fa2cdc10
SHA256

7aeaa9cbabc54c36844d5852172c449865bf4c524693ae7aa9909b87627052fa
SHA512

c50ed68634623a85754c32b79ee3a264b327892867e21888b6d9d14b2ef57a2782fa588446b650c29ba0b795dc1291546c40aea27fb5ec8d85ff9226bc87e04f

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://amrp.tw/kayo/gate.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

kayo.exe

pid	process
428	kayo.exe
428	kayo.exe
428	kayo.exe
428	kayo.exe
428	kayo.exe
428	kayo.exe
428	kayo.exe
428	kayo.exe
428	kayo.exe
428	kayo.exe
428	kayo.exe
428	kayo.exe
428	kayo.exe
428	kayo.exe
428	kayo.exe
428	kayo.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

kayo.exe

description pid process target process

PID 428 set thread context of 2772 428 kayo.exe kayo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

420 428 WerFault.exe kayo.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3508 timeout.exe

description	pid	process	target process
PID 428 set thread context of 2772	428	kayo.exe	kayo.exe

pid	pid_target	process	target process
420	428	WerFault.exe	kayo.exe

pid	process
3508	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

kayo.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	kayo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	kayo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	kayo.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

kayo.exeWerFault.exe

pid	process
428	kayo.exe
428	kayo.exe
428	kayo.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

kayo.exe

pid process

2772 kayo.exe

pid	process
2772	kayo.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

kayo.exeWerFault.exekayo.exe

description	pid	process
Token: SeDebugPrivilege	428	kayo.exe
Token: SeRestorePrivilege	420	WerFault.exe
Token: SeBackupPrivilege	420	WerFault.exe
Token: SeDebugPrivilege	420	WerFault.exe
Token: SeDebugPrivilege	2772	kayo.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

kayo.execmd.exe

description	pid	process	target process
PID 428 wrote to memory of 2292	428	kayo.exe	cmd.exe
PID 428 wrote to memory of 2292	428	kayo.exe	cmd.exe
PID 428 wrote to memory of 2292	428	kayo.exe	cmd.exe
PID 2292 wrote to memory of 3508	2292	cmd.exe	timeout.exe
PID 2292 wrote to memory of 3508	2292	cmd.exe	timeout.exe
PID 2292 wrote to memory of 3508	2292	cmd.exe	timeout.exe
PID 428 wrote to memory of 2772	428	kayo.exe	kayo.exe
PID 428 wrote to memory of 2772	428	kayo.exe	kayo.exe
PID 428 wrote to memory of 2772	428	kayo.exe	kayo.exe
PID 428 wrote to memory of 2772	428	kayo.exe	kayo.exe
PID 428 wrote to memory of 2772	428	kayo.exe	kayo.exe
PID 428 wrote to memory of 2772	428	kayo.exe	kayo.exe
PID 428 wrote to memory of 2772	428	kayo.exe	kayo.exe
PID 428 wrote to memory of 2772	428	kayo.exe	kayo.exe
PID 428 wrote to memory of 2772	428	kayo.exe	kayo.exe
PID 428 wrote to memory of 2772	428	kayo.exe	kayo.exe

C:\Users\Admin\AppData\Local\Temp\kayo.exe
"C:\Users\Admin\AppData\Local\Temp\kayo.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3508

C:\Users\Admin\AppData\Local\Temp\kayo.exe
"C:\Users\Admin\AppData\Local\Temp\kayo.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 2660
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/420-14-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/428-2-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/428-3-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/428-5-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/428-6-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/428-7-0x0000000005780000-0x00000000057AB000-memory.dmp

Filesize
172KB

Download
memory/428-10-0x00000000062F0000-0x00000000062F1000-memory.dmp

Filesize
4KB

Download
memory/2292-8-0x0000000000000000-mapping.dmp

Download
memory/2772-11-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2772-12-0x00000000004139DE-mapping.dmp

Download
memory/2772-13-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3508-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads