General

  • Target

    0206ca0ddad918a6121ac709b3599cea_JaffaCakes118

  • Size

    427KB

  • Sample

    240328-k9j9mshc3v

  • MD5

    0206ca0ddad918a6121ac709b3599cea

  • SHA1

    b3368b58520018264475688f66ee1c3406eea411

  • SHA256

    3781d189279634e678c92e0d9146beae3c975f8c610e5464cc21a3ba645d00d7

  • SHA512

    e488d2f93837e4466a584b6afe869d537f2144fc34ee074c21a8b9a90b778a04c3fb7cf5e76ba3655fde6bbf05e51907eb6376041a7707849df68ab2788d730a

  • SSDEEP

    6144:gMlgrNCNMjbVs/cJeV5Gx0Sz21TWFs5Q6xrcyFozSm2S9JNXRO5Y:+YBcJsG3SQdvyuX9DRO5

Malware Config

Extracted

Family

lokibot

C2

http://63.250.40.204/~wpdemo/file.php?search=88934

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Detect ZGRat V1

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks