General

  • Target

    e6264b60743e648233defe5dc124b9aa_JaffaCakes118

  • Size

    516KB

  • Sample

    240407-3vk7haac3s

  • MD5

    e6264b60743e648233defe5dc124b9aa

  • SHA1

    88dc1d4dce3de5e6797baf34e9000d188587071b

  • SHA256

    56962cd0611f65c29cb8dc9917483599c201ec067ca1b5db314a88fc56b88666

  • SHA512

    34ee1f5509cd9f5541ba697be30135d85464cc81f9f16258d1813a31188b7bdf597d9a9b1a6945d86e5518ab409282ed186cb392e62e1366e994157f205b7478

  • SSDEEP

    6144:SggZh8na5hseoU6qaX1IDqgZ2wN0xRGozt98eciU6+4OFqU5IuhGhQNDWk+SKeg7:SF8yoqaX1CqS81JaeRu4OsRuYekMKX

Malware Config

Extracted

  • Family

    lokibot

  • C2

    http://fossilcourt.com/temp/Panel/five/fre.php

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks