Overview

overview

10

Static

static

3

1eeb57c087...18.exe

windows7-x64

10

1eeb57c087...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2024 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    1eeb57c0877a06d18aa028e87d5158b4

  • SHA1

    d086921faba08c2600d862b680b70a53a3bfb88e

  • SHA256

    d8c8496ad93779966bb498f8749bae4b6cdf2e1bd46c75a341e81a19fefde4a3

  • SHA512

    16303c9bcedbfe4c5d6c953e39a98014d7f355e1c6413f960094840fb9e7f581832cc54a0557cc81e3e212f48c82d6897bcbaa4bc3fdecb72043757349f153b1

  • SSDEEP

    24576:zglru6TUwOFJqxotNMKoGAIp7WfJ8H7bDdwb6ju63uNF+:cSva65pE8XDVaNw

Score
10/10
lokibotcollectionpersistencespywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://djanic.duckdns.org/fashion/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1eeb57c0877a06d18aa028e87d5158b4_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Users\Admin\AppData\Local\Temp\Jpxquhr.exe
      "C:\Users\Admin\AppData\Local\Temp\Jpxquhr.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\TapiUnattend.exe
        "C:\Windows\System32\TapiUnattend.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        PID:1312
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Jpxq
    Filesize

    581KB

    MD5

    625f27cb29149f99eb93735d15e69d80

    SHA1

    6e1ceb59b5f2985753cf4b9331fd0b5ee7d606a6

    SHA256

    864d203102cd402deb72fbf66b27fb288d8cd3cb0b1cd879c13cc31aa904bdc6

    SHA512

    64e3ea68f6c27d57b9a10b8e0ccb1b439bda38621d04cae08d787506dd07f49517a94852597c72c4a0061d155369bf2881b01ed7c93f7a3dbc9ed339a153bd24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Jpxquhr.exe
    Filesize

    852KB

    MD5

    6a8b19b1a958e846116ffe3ea5ca5cd6

    SHA1

    c6b75c86600d47b686e4f10b09810b6583b4843e

    SHA256

    feec0a596b7e08a8221650ae960b986ccc7e4634db6257c66325e8d2fdc7b04c

    SHA512

    037306796aa558cadaebfbe5ba6bfb8a0e4ad83976269a5ab693306842aa7e58470d2957400b75e94a683a0cfe9ed11b83311d754b72a4c3d22cd1cb08b00e3f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BAD3BF\F1BA70.exe
    Filesize

    12KB

    MD5

    d5bffd755f566aaacb57cf83fdaa5cd0

    SHA1

    16a24f8718fe0927517d6e75206beb3988c01177

    SHA256

    9ffa72ead7927f09d7106c62d5fde25e27f7bff27099101e15e5f7e903cd00f4

    SHA512

    a20361dc3e9a4dc973bee58e4e1d2047b82efed3a48fcb2d3ed4613207bd83fda7bae4e716796a37595f9decab87236df159c9de9a468dfbde9205677e1dc21d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BAD3BF\F1BA70.hdb
    Filesize

    4B

    MD5

    7b6821c03d45d0f441e8a4f8a5acdf1d

    SHA1

    e8bdbaa8bc2c0597ff9dc1031b9a01cc22371905

    SHA256

    a1083c91f85a7980b062fd204f2a435ea40575f4933c4950ade6f68c134c4388

    SHA512

    35fc3b3ace64ea80b93d4f37318bb73b7e7d6949d573a68e737def5f12b8dcc3a8f74afe12169f65b020f549d24727f64636aa966c2f059708133e87d3420811

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3411335054-1982420046-2118495756-1000\0f5007522459c86e95ffcc62f32308f1_e7a16734-7acf-4ca3-a39d-c3eddafc0513
    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3411335054-1982420046-2118495756-1000\0f5007522459c86e95ffcc62f32308f1_e7a16734-7acf-4ca3-a39d-c3eddafc0513
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit

  • memory/1312-21-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1312-24-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1312-45-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1312-23-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1636-51-0x0000000000400000-0x00000000004DB000-memory.dmp

    Filesize

    876KB

    Download

  • memory/1636-11-0x00000000006C0000-0x00000000006C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1736-50-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1736-72-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download