General

  • Target

    4f9a6937b1bb97f14cf0bac59fbde3a8_JaffaCakes118

  • Size

    244KB

  • Sample

    240331-g7rn6afb7y

  • MD5

    4f9a6937b1bb97f14cf0bac59fbde3a8

  • SHA1

    e9be17e15e74634171c44fa84c28d256747de3fd

  • SHA256

    1d55c9d6edbd2a75e3202646ddd3649e3249ba8b43ff051299859a5edd258cf6

  • SHA512

    9776b111c1982e82e38fa7743839e06736a6fe77296c4f0e6515a4526f046ff0b201f4b77a6765fccd0f4d721d9db1455a57d86d3f42895fd6a17184bca9e0b0

  • SSDEEP

    6144:wBlL/c6XIho4w4nHSKyJ+BlY5QM2bJ7kLYzKztkBB/k6z49:CeOD4w4HHY+BlcVWJ7kLvzAB/jC

Malware Config

Extracted

Family

lokibot

C2

http://63.250.40.204/~wpdemo/file.php?search=745675

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      4f9a6937b1bb97f14cf0bac59fbde3a8_JaffaCakes118

    • Size

      244KB

    • MD5

      4f9a6937b1bb97f14cf0bac59fbde3a8

    • SHA1

      e9be17e15e74634171c44fa84c28d256747de3fd

    • SHA256

      1d55c9d6edbd2a75e3202646ddd3649e3249ba8b43ff051299859a5edd258cf6

    • SHA512

      9776b111c1982e82e38fa7743839e06736a6fe77296c4f0e6515a4526f046ff0b201f4b77a6765fccd0f4d721d9db1455a57d86d3f42895fd6a17184bca9e0b0

    • SSDEEP

      6144:wBlL/c6XIho4w4nHSKyJ+BlY5QM2bJ7kLYzKztkBB/k6z49:CeOD4w4HHY+BlcVWJ7kLvzAB/jC

    • Lokibot

      Lokibot is a password and cryptocurrency-wallet stealer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/phzgia.dll

    • Size

      42KB

    • MD5

      fadd6e52f774915df3d8ad879bd957d9

    • SHA1

      89b91131d77380a6514d1aa609ff3f5187153133

    • SHA256

      88430ee3f7acaae7ce13b9d5df10a8851df927767f3f660f13fdc9ca4edf106f

    • SHA512

      25f05f83a789556dd42a4f609c357aa8c40663673ea2a5beee02f88564c3c142b747481e714daaf578361d8940d93bc08ae6bd6a1c1582b285e1a4cd94566054

    • SSDEEP

      768:IYjfeAOj7jaorohxhtyqFF66UaXS2yn1+AOjylWJ:IYjmAu7GDh6Z1+AOjyC

    • Lokibot

      Lokibot is a password and cryptocurrency-wallet stealer.

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks