General

  • Target

    438c7099d2a7a5711c7f04e1fd1ae1c1_JaffaCakes118

  • Size

    324KB

  • Sample

    240330-y9pq1sdh5w

  • MD5

    438c7099d2a7a5711c7f04e1fd1ae1c1

  • SHA1

    5ca34ec712b5cc95a97701beb7e12d2035eab09c

  • SHA256

    daad8d72469b40a070a2392c8961a11501b1d1bc64075931c4a15ac04c44c07d

  • SHA512

    d15616adad2cb247b4f3e17f28b0f89c4d765842db3b1fac8b45963ab352a8fd0aad0e213fb2a7519c2f2dad95e6bfba0fac4e7efa6af8058be51a86f526c5c5

  • SSDEEP

    6144:W34Ca/GvYdGoIbyDo85ThHxlesuGp2DGHN+7TyoHyhMB941Lwx:WX+GwdGoI+s81tTuext+vyofB9WE

Malware Config

Extracted

Family

lokibot

C2

http://checkvim.com/fd7/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      438c7099d2a7a5711c7f04e1fd1ae1c1_JaffaCakes118

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar profile information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks