lokibot | e8f587c973bb2b5185385665dd4b34da8839e2a941e2bb72d4398d2fbba6fdc3

General

Target

0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe
Size

351KB
MD5

0ec671099338a885ecf699354bd327e1
SHA1

b970b226ae75b9c41c4680172ebb39192e079727
SHA256

e8f587c973bb2b5185385665dd4b34da8839e2a941e2bb72d4398d2fbba6fdc3
SHA512

e4f9caae68e33e0efdbbb7ae1079556b2a771c2cfe5a8a7ec6538bf649d0d37f6902104f0dbc96b03e1d3129b13091943398575a87d2c96502dc5d8c8ad15cbf
SSDEEP

6144:mOijv8/XTkGxI6tca+uO89W8P7d112msqDGYOU:mcfDxI4ca+udI8J1lDpx

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://primausaha.net/uv/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe

description pid process target process

PID 4784 set thread context of 4704 4784 0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe

pid process

4784 0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe
4784 0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0ec671099338a885ecf699354bd327e1_JaffaCakes118.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 4784 0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe
Token: SeDebugPrivilege 4704 RegAsm.exe

description	pid	process	target process
PID 4784 set thread context of 4704	4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe	RegAsm.exe

pid	process
4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe
4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe
Token: SeDebugPrivilege	4704	RegAsm.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0ec671099338a885ecf699354bd327e1_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 4784 wrote to memory of 808	4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe	csc.exe
PID 4784 wrote to memory of 808	4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe	csc.exe
PID 4784 wrote to memory of 808	4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe	csc.exe
PID 808 wrote to memory of 396	808	csc.exe	cvtres.exe
PID 808 wrote to memory of 396	808	csc.exe	cvtres.exe
PID 808 wrote to memory of 396	808	csc.exe	cvtres.exe
PID 4784 wrote to memory of 4704	4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe	RegAsm.exe
PID 4784 wrote to memory of 4704	4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe	RegAsm.exe
PID 4784 wrote to memory of 4704	4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe	RegAsm.exe
PID 4784 wrote to memory of 4704	4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe	RegAsm.exe
PID 4784 wrote to memory of 4704	4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe	RegAsm.exe
PID 4784 wrote to memory of 4704	4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe	RegAsm.exe
PID 4784 wrote to memory of 4704	4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe	RegAsm.exe
PID 4784 wrote to memory of 4704	4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe	RegAsm.exe
PID 4784 wrote to memory of 4704	4784	0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ec671099338a885ecf699354bd327e1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jomdlvvg\jomdlvvg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39BD.tmp" "c:\Users\Admin\AppData\Local\Temp\jomdlvvg\CSCACB33EED8C4C4C2CB5D787F144D7B2BC.TMP"
    3⤵
    PID:396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES39BD.tmp

Filesize
1KB

MD5
be7137421095780e4ab7126e8c4399e9

SHA1
073d7ccf0bbb037128e6a7211f6e3fb3f442e8d9

SHA256
ee3d320becaae0cf523db59d8123b1df38aa6897a709392fe8fe629d13d3a763

SHA512
4baf7818ad5b7d1c25857c2119ee7b31157828788c949afb140bb4477bb2fa4b8cff5c11014e14057e5f20c140ad09b394d4431af679a8ecfb2b1c95ed067acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jomdlvvg\jomdlvvg.dll

Filesize
6KB

MD5
16070c26124ea310928b56f589521dbb

SHA1
23379c91ad1e7091ea82007e0f98a89c88c9d3f4

SHA256
2ebb564dba7991a63689175ce2880bd2003d63e67de89fa22f6103854e217ec5

SHA512
34b0780d4b949f69b43ad9a4377c195d1fa00c205a4920759e94677df76b17b193a2512cae9572ea14cda3accbf42b52bc3327b42317abc1ff9eb5fa33a69093

Download Submit
C:\Users\Admin\AppData\Local\Temp\jomdlvvg\jomdlvvg.pdb

Filesize
17KB

MD5
2a6d23216da2015ddc3d35cc0413c963

SHA1
83c88ef53bca0867a232fb95c96bda2bd349eadc

SHA256
192dbd10a2787f101ccb8ed3ac2f718bd4241c8fbdb900805c604f318071bf05

SHA512
6e49aa3c3f049a276cae9a8ea6afabf931094ab8612de452ebe61d50d21cb51eecb260b3847bc18b0a5503afb75c5d809431fdb1491926afbf2dd20edfbd71ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-711569230-3659488422-571408806-1000\0f5007522459c86e95ffcc62f32308f1_5fd6b8d9-48b3-42c0-adc7-08f9fe7c965e

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-711569230-3659488422-571408806-1000\0f5007522459c86e95ffcc62f32308f1_5fd6b8d9-48b3-42c0-adc7-08f9fe7c965e

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jomdlvvg\CSCACB33EED8C4C4C2CB5D787F144D7B2BC.TMP

Filesize
1KB

MD5
012b9c96fdb21759d09f5906c3ac1d29

SHA1
03b9910bca697b80a3609576652309bcdcfb9a17

SHA256
5390b3a06829747cfb44dae293f64e363830973583ec9843426156eded3cece6

SHA512
c02fbab2d34fde68b1bf9b07bfb25783ba9cbaf69bfe1ff4db522991f07f046c2abece4d0f6678f12708b4c4f4efc9778d3a9bea951ce8cbaccfdd9748d15c48

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jomdlvvg\jomdlvvg.0.cs

Filesize
3KB

MD5
f12c78a72c80344348e4a53d82082b20

SHA1
5a0faca1772ce426a0f8518fe07032e2c5b9fe6c

SHA256
dad0a8f3eb677d3f13f7312f01de0a40b4553dbc172c9a31b482fb106ed8254f

SHA512
2f03239cd5315336edb0deaed8ee05fa00ca534471a566089c0aadb6746984ca25a1c69e76c55f2820a97950f41c48cd009c7fe9ab382a90ef42bddaa70b1353

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jomdlvvg\jomdlvvg.cmdline

Filesize
312B

MD5
0b1524e129885a7916468859f61dc18a

SHA1
b3a874b93a45ff148e4c8d526a6a63f052f3acae

SHA256
82f4d8d995783b1f692d9ae6692c8f5b30974ab258c63d25b124a917341b01a2

SHA512
b0a41cbb0e83c6c469345e3d73a85d0766add6de4cf107a1b0464e8eb2f821fafbe0a2256741ccc9fc80e17cc0aae3d45feeee0e76239c688fb83845adaf7184

Download Submit
memory/4704-24-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4704-27-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4704-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4704-29-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4784-0-0x00000000747EE000-0x00000000747EF000-memory.dmp

Filesize
4KB

Download
memory/4784-22-0x00000000054F0000-0x0000000005592000-memory.dmp

Filesize
648KB

Download
memory/4784-23-0x0000000005760000-0x00000000057FC000-memory.dmp

Filesize
624KB

Download
memory/4784-17-0x0000000001070000-0x0000000001078000-memory.dmp

Filesize
32KB

Download
memory/4784-21-0x00000000050A0000-0x00000000050AC000-memory.dmp

Filesize
48KB

Download
memory/4784-20-0x00000000054C0000-0x00000000054EA000-memory.dmp

Filesize
168KB

Download
memory/4784-28-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/4784-5-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/4784-1-0x0000000000680000-0x00000000006C6000-memory.dmp

Filesize
280KB

Download
memory/4784-19-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads