General

  • Target

    0792989f119bbd40d5007b97dcd1686e_JaffaCakes118

  • Size

    464KB

  • Sample

    240429-nqagwahh7x

  • MD5

    0792989f119bbd40d5007b97dcd1686e

  • SHA1

    04b8ea7bd95bb0431f0ec449c8acde6e82dbc882

  • SHA256

    f41b9c371e86408b1247d6465b36ba7134ca8c081580ad5fb0e913d215263ad3

  • SHA512

    3a7ccac62d3b2fbbd84b77952e0d013da439bff39d4ffdd44bdcc9878e27bd4a20405c09b6a00edc4ffa986f3602bdee3350fbd5d14a3eaf2beba62bec9e067a

  • SSDEEP

    6144:eEpmSltsbiQnYW3rGhPLLlI13JvQIFSb22PKKRaHoNuQQQQQO8:eEpubiQN3ahPnlPO222rYIN88

Malware Config

Extracted

Family

lokibot

C2

http://angelbiss.space/html/1/8/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks