General

  • Target

    10f00b9571c2ca08223254712e04cb34_JaffaCakes118

  • Size

    224KB

  • Sample

    240503-txxhwaba5z

  • MD5

    10f00b9571c2ca08223254712e04cb34

  • SHA1

    78776ff2a1031f021b4764069177d105b40998f2

  • SHA256

    6dce87b276d0486a8d39d71e4c4f5834ff0f9b39c9af76e70f58c3b8d3397ce8

  • SHA512

    f6a957f921a8ddcc3597c14161c3764f69f9f02429c6fcd9558bb10138258be29871135efcce86c6a38c68ccb3697cde7baa8402b3371eebcf17ecb12d3ea256

  • SSDEEP

    6144:KkK5q1uHSmmVvwiFUl2UnwmsdpxsW4SYmOZnPWeQCSJ:B8tHSmmlwi5ysdp+hSYmOZnPWeQCS

Malware Config

Extracted

Family

lokibot

C2

http://144.172.73.237/ml/mxb-lok/panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

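The five C2 URLs above share the LokiBot panel gate convention: every one ends in /fre.php, which is the path the stealer POSTs harvested data to. The following is an added example, not part of the sandbox report, showing how a responder would turn that config into a proxy-log check: an exact host block-list built from the extracted URLs, plus a looser rule for POST requests to any /fre.php path so that a panel hosted on a domain not yet in the list is still surfaced. The log format and every log line are constructed for the example; only the C2 URLs come from the page.

```python
"""
Added example (not from the sandbox report): match the extracted LokiBot C2
indicators against forward-proxy log lines.

Assumption: the log layout is a constructed, simplified proxy format
    <timestamp> <client ip> <method> <url> <status>
Nothing below comes from the report except the C2 URLs themselves.
"""
import re
from urllib.parse import urlparse

# C2 URLs copied verbatim from the extracted malware config on this page.
C2_URLS = [
    "http://144.172.73.237/ml/mxb-lok/panel/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def extract_iocs(urls):
    """Split the C2 list into host indicators (for block-listing) and
    path indicators (for hunting). Hosts are lower-cased for matching."""
    hosts, paths = set(), set()
    for u in urls:
        p = urlparse(u)
        hosts.add(p.hostname.lower())
        paths.add(p.path)
    return hosts, paths


C2_HOSTS, C2_PATHS = extract_iocs(C2_URLS)

# Constructed sample proxy lines (not real traffic). Line 2 shows a panel
# that has already been taken down (404): the request itself is still
# evidence that the client is infected, so it must not be filtered out.
SAMPLE_LOG = """\
2024-05-03T11:02:14Z 10.1.2.3 GET http://example.com/index.html 200
2024-05-03T11:02:19Z 10.1.2.3 POST http://alphastand.top/alien/fre.php 404
2024-05-03T11:02:25Z 10.1.2.9 POST http://144.172.73.237/ml/mxb-lok/panel/fre.php 200
2024-05-03T11:03:01Z 10.1.2.9 GET http://cdn.example.org/lib.js 200
2024-05-03T11:03:40Z 10.1.2.7 POST http://unknown-host.example/some/panel/fre.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(url, method):
    """Return a verdict string for a request, or None if it is not of interest.

    'known_c2'            : host is one of the extracted C2 hosts (any method).
    'lokibot_gate_pattern': POST to a /fre.php path on a host not in the list;
                            weaker evidence, meant for hunting rather than blocking.
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in C2_HOSTS:
        return "known_c2"
    if method == "POST" and p.path.endswith("/fre.php"):
        return "lokibot_gate_pattern"
    return None


def scan_log(text):
    """Parse proxy lines and return one dict per hit, in log order."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, method, url, status = m.groups()
        verdict = classify(url, method)
        if verdict:
            hits.append({"ts": ts, "client": client, "url": url,
                         "status": int(status), "verdict": verdict})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} {h['verdict']:22} {h['url']} ({h['status']})")
```

On the constructed sample this flags three of the five lines: the two requests to hosts taken directly from the config, and the POST to an unlisted /fre.php gate, which a hunter would then pivot on. Matching on host rather than full URL is deliberate, since LokiBot operators move the panel directory more often than the domain, and the HTTP status is kept but never used to suppress a hit.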
Targets

    • Target

      10f00b9571c2ca08223254712e04cb34_JaffaCakes118

    • Lokibot

      LokiBot is an information stealer that harvests stored passwords and cryptocurrency wallet data and posts them to its panel.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution (refuse to run in particular locales).

    • Reads user/profile data of web browsers

      Infostealers commonly harvest browser profile data, which can include saved credentials and other stored account information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

      SetThreadContext on another process's thread is characteristic of process hollowing and similar injection techniques, where a suspended thread is redirected to injected code.

MITRE ATT&CK Enterprise v15

Tasks