General

  • Target

    578be57bf60176b1a6ba94beb599d847_JaffaCakes118

  • Size

    355KB

  • Sample

    240331-sa3wpsed55

  • MD5

    578be57bf60176b1a6ba94beb599d847

  • SHA1

    ee8fa7fbc702ecb3e75501db90f997b3baea7fd7

  • SHA256

    752a463f53217bf6d840acea3c578404ecf501952e634c72a96d746211799c64

  • SHA512

    c973b10a238bdb02499acd43067cb24292413c4c15b1454c3366bd47bf88df0637e59f942333eb09be7936497f64e46ec5919263e43ad38fc37b2f7e5cbfaa75

  • SSDEEP

    6144:X/7LfUdUTLyMuQ1cic7C1JMtJYouLkFSLS8BxpQQ1obDyoE3L6yI:X/7LfbTORQt1StJtMkFSuOlWCoE3

Malware Config (extracted)

  • Family

    lokibot

  • C2

    http://jinolla.cf/states/fre.php

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

Targets

    • Target

      578be57bf60176b1a6ba94beb599d847_JaffaCakes118

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
