General
-
Target
00744fe561f64645c9039a7411b16ed0_JaffaCakes118
-
Size
879KB
-
Sample
240426-k8yqmsdd5t
-
MD5
00744fe561f64645c9039a7411b16ed0
-
SHA1
a77548ff2cb22a09a5bb7627b9e6db36ca7e0881
-
SHA256
640724862ac0094b9051a59dceba716e64c6ead2932065c3d17147b1d688ec5d
-
SHA512
15beb8f671646d7b865c7ebc10a3d990fe969e760584a5436081c7ce3fd6cb36c03770d8e701c448d85a6136736879d1eb22cecb36f8d1b7df6c2a4ad22daf04
-
SSDEEP
12288:IwvFPoLIp3hi7nzIeqtaMDLnw1iQd99hlm+esTCm4EcDw0ewxpVt3+Ofy:1tpxuMeqtaMD7e3Z32m4newnv3
Malware Config
Extracted
lokibot
http://csabulk.com/tens/sop/palm/ham/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
00744fe561f64645c9039a7411b16ed0_JaffaCakes118
-
Size
879KB
-
MD5
00744fe561f64645c9039a7411b16ed0
-
SHA1
a77548ff2cb22a09a5bb7627b9e6db36ca7e0881
-
SHA256
640724862ac0094b9051a59dceba716e64c6ead2932065c3d17147b1d688ec5d
-
SHA512
15beb8f671646d7b865c7ebc10a3d990fe969e760584a5436081c7ce3fd6cb36c03770d8e701c448d85a6136736879d1eb22cecb36f8d1b7df6c2a4ad22daf04
-
SSDEEP
12288:IwvFPoLIp3hi7nzIeqtaMDLnw1iQd99hlm+esTCm4EcDw0ewxpVt3+Ofy:1tpxuMeqtaMD7e3Z32m4newnv3
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-