Overview

overview

10

Static

static

3

1eeb57c087...18.exe

windows7-x64

10

1eeb57c087...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118

  • Size

    1.0MB

  • Sample

    240507-begetsec37

  • MD5

    1eeb57c0877a06d18aa028e87d5158b4

  • SHA1

    d086921faba08c2600d862b680b70a53a3bfb88e

  • SHA256

    d8c8496ad93779966bb498f8749bae4b6cdf2e1bd46c75a341e81a19fefde4a3

  • SHA512

    16303c9bcedbfe4c5d6c953e39a98014d7f355e1c6413f960094840fb9e7f581832cc54a0557cc81e3e212f48c82d6897bcbaa4bc3fdecb72043757349f153b1

  • SSDEEP

    24576:zglru6TUwOFJqxotNMKoGAIp7WfJ8H7bDdwb6ju63uNF+:cSva65pE8XDVaNw

Score
10/10
lokibotcollectionpersistencespywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://djanic.duckdns.org/fashion/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118

    • Size

      1.0MB

    • MD5

      1eeb57c0877a06d18aa028e87d5158b4

    • SHA1

      d086921faba08c2600d862b680b70a53a3bfb88e

    • SHA256

      d8c8496ad93779966bb498f8749bae4b6cdf2e1bd46c75a341e81a19fefde4a3

    • SHA512

      16303c9bcedbfe4c5d6c953e39a98014d7f355e1c6413f960094840fb9e7f581832cc54a0557cc81e3e212f48c82d6897bcbaa4bc3fdecb72043757349f153b1

    • SSDEEP

      24576:zglru6TUwOFJqxotNMKoGAIp7WfJ8H7bDdwb6ju63uNF+:cSva65pE8XDVaNw

    Score
    10/10
    lokibotcollectionpersistencespywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks