General

  • Target

    41c7a84edea3aed7716f275742a3b11e_JaffaCakes118

  • Size

    357KB

  • Sample

    240330-xbvzpscf75

  • MD5

    41c7a84edea3aed7716f275742a3b11e

  • SHA1

    df58f3c713c79a1b93494209c2dc7616aa5347df

  • SHA256

    89658fee4b1a9799ebf59268e6cacc696d326cd97afaa5cc0d1592846fc2f5f3

  • SHA512

    b8443b8d5f2d0dd6518c18a4d0c6273c059a4f2de68d06cc1f74cd0846ff557a8ab9bca72cb6742dfb538f6b84cc7177aea2c059b3a630d69472a1533b50475a

  • SSDEEP

    6144:o6JXjjY4Klrvyo07mZjG7X7YoC7WBwwxc33fpEA/u2c1d6yIU:okYXRv9ZjuX7xC7WBqHB9/u2c1

Malware Config

Extracted

Family

lokibot

C2

http://63.250.40.204/~wpdemo/file.php?search=475803

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
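The extracted C2 list is the most directly usable artifact on this page. The following added example (mine, not part of the sandbox report) turns those five URLs into indicators and runs them over a few constructed proxy-log lines in a simple `timestamp source method url status` layout that I made up for the example. It matches on the configured hosts as a high-confidence hit and, as a weaker signal, on the same panel path (`/alien/fre.php`) on an unlisted host, since the config itself shows the operator rotating TLDs under `alphastand.*`. Restricting the path-only rule to POST requests is my assumption (Lokibot check-ins are POSTs), not something this report states.

```python
import re
from urllib.parse import urlparse

# C2 URLs exactly as listed in the extracted config above.
C2_URLS = [
    "http://63.250.40.204/~wpdemo/file.php?search=475803",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def build_iocs(urls=C2_URLS):
    """Split the configured C2 URLs into a host set (strong indicator) and a
    path set (weaker indicator: operators rotate domains but often keep the
    panel path, as the alphastand.* entries show)."""
    hosts, paths = set(), set()
    for u in urls:
        p = urlparse(u)
        hosts.add(p.hostname.lower())
        paths.add(p.path)
    return hosts, paths


# Constructed proxy-log lines for the example (not from the report).
# Layout: timestamp source method url status
SAMPLE_LOG = """\
2024-03-30T10:01:02Z 10.0.0.15 GET http://www.example.com/ 200
2024-03-30T10:01:07Z 10.0.0.15 POST http://kbfvzoboss.bid/alien/fre.php 404
2024-03-30T10:01:09Z 10.0.0.15 POST http://alphastand.xyz/alien/fre.php 200
2024-03-30T10:01:11Z 10.0.0.15 POST http://63.250.40.204:80/~wpdemo/file.php?search=475803 200
2024-03-30T10:01:12Z 10.0.0.15 GET http://cdn.example.net/alien/fre.php 200
garbage line that should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def match_c2(log_text, urls=C2_URLS):
    """Return (timestamp, source, severity, reason, host) for each log line
    that touches a configured C2 host, or POSTs to a configured C2 path on
    some other host. Lines that do not parse are skipped."""
    hosts, paths = build_iocs(urls)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        p = urlparse(m["url"])
        host = (p.hostname or "").lower()  # hostname drops any :port suffix
        if host in hosts:
            hits.append((m["ts"], m["src"], "high", "known Lokibot C2 host", host))
        elif p.path in paths and m["method"] == "POST":
            # Assumption: check-ins are POSTs; same panel path on a rotated domain.
            hits.append((m["ts"], m["src"], "medium", "Lokibot C2 path on unlisted host", host))
    return hits


if __name__ == "__main__":
    for hit in match_c2(SAMPLE_LOG):
        print(hit)
```

The status code is deliberately not used as a filter: the `404` on `kbfvzoboss.bid` in the constructed log is still a beacon attempt and still worth an alert, since a dead panel today says nothing about the host that contacted it.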

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency-wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
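The three behavioural signatures above (browser profile reads, Outlook profile access, and SetThreadContext) are what a host-based detection would key on. SetThreadContext on another process's thread is the classic process-hollowing step: create a child suspended, write a payload into it, point its thread context at the payload, resume. The following added example (mine, not the sandbox's signature logic) runs both checks over a constructed API trace. The event layout, process IDs, file paths and registry paths are all made up for the example; the artifact names (`Login Data`, `logins.json`, `key4.db`, the Outlook `Profiles` keys) are real locations these stealers read, but which of them this sample touched is not stated in the report.

```python
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess

# Credential stores an infostealer typically reads (Chromium and Firefox).
BROWSER_ARTIFACTS = ("\\Login Data", "\\Cookies", "\\Web Data", "\\logins.json", "\\key4.db")
# Registry locations holding Outlook profile/account data (modern and legacy).
OUTLOOK_PROFILE_KEYS = ("\\Outlook\\Profiles", "\\Windows Messaging Subsystem\\Profiles")

# Cross-process steps of process hollowing, in the order they must occur after
# a suspended CreateProcess of the target.
HOLLOW_SEQUENCE = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")

# Constructed API trace for the example (not from the report). pid is the
# caller; target_pid is the process acted on for cross-process calls.
TRACE = [
    {"pid": 1200, "api": "CreateFile",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1200, "api": "RegOpenKey",
     "path": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"pid": 1200, "api": "CreateProcess", "target_pid": 1344, "flags": CREATE_SUSPENDED},
    {"pid": 1200, "api": "WriteProcessMemory", "target_pid": 1344},
    {"pid": 1200, "api": "SetThreadContext", "target_pid": 1344},
    {"pid": 1200, "api": "ResumeThread", "target_pid": 1344},
    # Benign: a normal (non-suspended) child, then a thread-context call on itself.
    {"pid": 2000, "api": "CreateProcess", "target_pid": 2100, "flags": 0},
    {"pid": 2000, "api": "SetThreadContext", "target_pid": 2000},
]


def _matches(path, needles):
    p = path.lower()
    return any(n.lower() in p for n in needles)


def analyze(events):
    """Return credential-access findings and (parent, child) pairs for which
    the full hollowing sequence was observed in order."""
    credential_access = []
    progress = {}   # (parent, child) -> index of the next expected API
    hollowed = []
    for e in events:
        api, pid, path = e["api"], e["pid"], e.get("path", "")

        # Signature 1 and 2: reads of browser credential stores / Outlook profiles.
        if api in ("CreateFile", "NtCreateFile") and _matches(path, BROWSER_ARTIFACTS):
            credential_access.append((pid, "browser", path))
        elif api in ("RegOpenKey", "RegOpenKeyEx", "NtOpenKey") and _matches(path, OUTLOOK_PROFILE_KEYS):
            credential_access.append((pid, "outlook", path))

        # Signature 3: SetThreadContext only counts inside the hollowing sequence.
        target = e.get("target_pid")
        if target is None or target == pid:
            continue  # same-process calls (debuggers, fibers) are not hollowing
        key = (pid, target)
        if api == "CreateProcess":
            if e.get("flags", 0) & CREATE_SUSPENDED:
                progress[key] = 1  # suspended child: start watching for step 1
            continue
        nxt = progress.get(key)
        if nxt is None or api != HOLLOW_SEQUENCE[nxt]:
            continue
        nxt += 1
        if nxt == len(HOLLOW_SEQUENCE):
            hollowed.append(key)
            del progress[key]
        else:
            progress[key] = nxt
    return {"hollowing": hollowed, "credential_access": credential_access}


if __name__ == "__main__":
    print(analyze(TRACE))
```

Requiring the whole ordered sequence rather than alerting on SetThreadContext alone is the practical caveat: debuggers and some runtimes set thread context legitimately, and an unordered match of the four APIs across unrelated processes is noise.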

MITRE ATT&CK Enterprise v15

Tasks