General

  • Target

    183d893845a51e01418992483191c9a2_JaffaCakes118

  • Size

    476KB

  • Sample

    240505-sg4rksgf26

  • MD5

    183d893845a51e01418992483191c9a2

  • SHA1

    4ee5c62db9d70074b2d6a15953e21667706e1f33

  • SHA256

    e0901ef3e5ebff335dffe5f654159c85f35345ccd93f1a72cce1866a93af0fda

  • SHA512

    708e0b90c6e20f64387d2ea3377bd4f827b269cdc9a921e20e1334b975c5d2d5b3fab19eb1033767a6868ef10e5edd536d518f724ad538a3bc05f94017b092af

  • SSDEEP

    12288:qFAsaKa799jzLck72I7TxmMYQMHaOHUmqlcluG:eTa7jzck72IxTl6jHcG

Malware Config

Extracted

Family

lokibot

C2

http://mclhk-net.com/hiswounds/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      183d893845a51e01418992483191c9a2_JaffaCakes118

    • Size

      476KB

    • MD5

      183d893845a51e01418992483191c9a2

    • SHA1

      4ee5c62db9d70074b2d6a15953e21667706e1f33

    • SHA256

      e0901ef3e5ebff335dffe5f654159c85f35345ccd93f1a72cce1866a93af0fda

    • SHA512

      708e0b90c6e20f64387d2ea3377bd4f827b269cdc9a921e20e1334b975c5d2d5b3fab19eb1033767a6868ef10e5edd536d518f724ad538a3bc05f94017b092af

    • SSDEEP

      12288:qFAsaKa799jzLck72I7TxmMYQMHaOHUmqlcluG:eTa7jzck72IxTl6jHcG

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Deletes itself

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook profiles

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks