lokibot | d8c8496ad93779966bb498f8749bae4b6cdf2e1bd46c75a341e81a19fefde4a3

General

Target

1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe
Size

1.0MB
MD5

1eeb57c0877a06d18aa028e87d5158b4
SHA1

d086921faba08c2600d862b680b70a53a3bfb88e
SHA256

d8c8496ad93779966bb498f8749bae4b6cdf2e1bd46c75a341e81a19fefde4a3
SHA512

16303c9bcedbfe4c5d6c953e39a98014d7f355e1c6413f960094840fb9e7f581832cc54a0557cc81e3e212f48c82d6897bcbaa4bc3fdecb72043757349f153b1
SSDEEP

24576:zglru6TUwOFJqxotNMKoGAIp7WfJ8H7bDdwb6ju63uNF+:cSva65pE8XDVaNw

Score

10^/10

lokibot collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://djanic.duckdns.org/fashion/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 1 IoCs

Processes:

Jpxquhr.exe

pid process

2712 Jpxquhr.exe

pid	process
2712	Jpxquhr.exe

Loads dropped DLL 3 IoCs

Processes:

1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe

pid	process
1736	1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe
1736	1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe
1736	1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

TapiUnattend.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	TapiUnattend.exe
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	TapiUnattend.exe
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	TapiUnattend.exe
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Jpxquhr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jpxq = "C:\\Users\\Admin\\AppData\\Local\\Jpxq\\Jpxq_setko.hta"	Jpxquhr.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Jpxquhr.exe

description	pid	process	target process
PID 2712 set thread context of 2196	2712	Jpxquhr.exe	TapiUnattend.exe
PID 2712 set thread context of 1640	2712	Jpxquhr.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Jpxquhr.exe

pid process

2712 Jpxquhr.exe
2712 Jpxquhr.exe
2712 Jpxquhr.exe
2712 Jpxquhr.exe
2712 Jpxquhr.exe
2712 Jpxquhr.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

TapiUnattend.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2196 TapiUnattend.exe
Token: SeDebugPrivilege 1640 svchost.exe

pid	process
2712	Jpxquhr.exe
2712	Jpxquhr.exe
2712	Jpxquhr.exe
2712	Jpxquhr.exe
2712	Jpxquhr.exe
2712	Jpxquhr.exe

description	pid	process
Token: SeDebugPrivilege	2196	TapiUnattend.exe
Token: SeDebugPrivilege	1640	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exeJpxquhr.exe

description	pid	process	target process
PID 1736 wrote to memory of 2712	1736	1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe	Jpxquhr.exe
PID 1736 wrote to memory of 2712	1736	1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe	Jpxquhr.exe
PID 1736 wrote to memory of 2712	1736	1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe	Jpxquhr.exe
PID 1736 wrote to memory of 2712	1736	1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe	Jpxquhr.exe
PID 2712 wrote to memory of 2196	2712	Jpxquhr.exe	TapiUnattend.exe
PID 2712 wrote to memory of 2196	2712	Jpxquhr.exe	TapiUnattend.exe
PID 2712 wrote to memory of 2196	2712	Jpxquhr.exe	TapiUnattend.exe
PID 2712 wrote to memory of 2196	2712	Jpxquhr.exe	TapiUnattend.exe
PID 2712 wrote to memory of 2196	2712	Jpxquhr.exe	TapiUnattend.exe
PID 2712 wrote to memory of 2196	2712	Jpxquhr.exe	TapiUnattend.exe
PID 2712 wrote to memory of 1640	2712	Jpxquhr.exe	svchost.exe
PID 2712 wrote to memory of 1640	2712	Jpxquhr.exe	svchost.exe
PID 2712 wrote to memory of 1640	2712	Jpxquhr.exe	svchost.exe
PID 2712 wrote to memory of 1640	2712	Jpxquhr.exe	svchost.exe
PID 2712 wrote to memory of 1640	2712	Jpxquhr.exe	svchost.exe
PID 2712 wrote to memory of 1640	2712	Jpxquhr.exe	svchost.exe

outlook_office_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	svchost.exe

outlook_win_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\Jpxquhr.exe
  "C:\Users\Admin\AppData\Local\Temp\Jpxquhr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\TapiUnattend.exe
    "C:\Windows\System32\TapiUnattend.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jpxq

Filesize
581KB

MD5
625f27cb29149f99eb93735d15e69d80

SHA1
6e1ceb59b5f2985753cf4b9331fd0b5ee7d606a6

SHA256
864d203102cd402deb72fbf66b27fb288d8cd3cb0b1cd879c13cc31aa904bdc6

SHA512
64e3ea68f6c27d57b9a10b8e0ccb1b439bda38621d04cae08d787506dd07f49517a94852597c72c4a0061d155369bf2881b01ed7c93f7a3dbc9ed339a153bd24

Download Submit
C:\Users\Admin\AppData\Roaming\3F3E7E\EDC854.exe

Filesize
11KB

MD5
fbd07354e3ecd632bbc9b49da0067fc5

SHA1
171a70f4b3414e87c917602fe7136f1af22fdd06

SHA256
b4e32ebc08ba8e7e2d952e7baeadddd971b5f6357066ba64d1a69c02daaa33ad

SHA512
9e83359c5ad6a3e1130d043ad2ad9bcab63f18a153572ba724e142d078e0b093a6285020d309ee1ac7f469f94737661473368a7fc6ced58e920a81bf070ece99

Download Submit
C:\Users\Admin\AppData\Roaming\3F3E7E\EDC854.hdb

Filesize
4B

MD5
6e5991ad90048a48f15753189db599f6

SHA1
40b28a210d8579ea0b49c1c79351ff45db5f1e01

SHA256
57151d64d3b54250d35016c2146be081d2692976edc824233d5556b973ff80d7

SHA512
4347af77f90c2ca1ea4a66acc7d4005322fbe41f719c8edbe3a4dfc4188912c0f550da155ed2637ad060960ea2f45dee15f1e341c05c702995f040a09ceada87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\0f5007522459c86e95ffcc62f32308f1_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\0f5007522459c86e95ffcc62f32308f1_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\Users\Admin\AppData\Local\Temp\Jpxquhr.exe

Filesize
852KB

MD5
6a8b19b1a958e846116ffe3ea5ca5cd6

SHA1
c6b75c86600d47b686e4f10b09810b6583b4843e

SHA256
feec0a596b7e08a8221650ae960b986ccc7e4634db6257c66325e8d2fdc7b04c

SHA512
037306796aa558cadaebfbe5ba6bfb8a0e4ad83976269a5ab693306842aa7e58470d2957400b75e94a683a0cfe9ed11b83311d754b72a4c3d22cd1cb08b00e3f

Download Submit
memory/1640-58-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1640-82-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2196-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2196-32-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2196-33-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2196-30-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2196-54-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2196-26-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2712-15-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2712-81-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads