lokibot | 20a58ef0190c09058cef8c973a92a39a1aa125a350cd47e381d44937983274a9

General

Target

258c60b279a8debef184b5c01766604f_JaffaCakes118.exe
Size

280KB
MD5

258c60b279a8debef184b5c01766604f
SHA1

011f5dda5f08ac9f3ec5723ce3d54ad738f8a367
SHA256

20a58ef0190c09058cef8c973a92a39a1aa125a350cd47e381d44937983274a9
SHA512

50d90c2eedbf941d6e38ab8274b11654bcf8b613c8aa03ba10fcc9a4ef29551ed88f47d21bb12c11648e7524a8d1fe73c11e0c8864d01b8c9fe0773952e5c313
SSDEEP

6144:72j756oaGYq2ygcOCJPExIn52TO18L63E4xK:yj09ygcOQZ5iO1u38K

Score

10^/10

lokibot nanocore collection evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://arenamedia.co.ke/include/dbes/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

nanocore

Version

1.2.2.0

C2

dbesth1.ddns.net:3455

154.16.220.30:3455

Mutex

3cea4056-063b-4394-b13d-4dc863235987

Attributes

activate_away_mode
true
backup_connection_host
154.16.220.30
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-04-10T23:16:59.261349436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3455
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
3cea4056-063b-4394-b13d-4dc863235987
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dbesth1.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

personalLokiraw.exeNEWNANORAWFILE.exe

pid process

2632 personalLokiraw.exe
2708 NEWNANORAWFILE.exe
Loads dropped DLL 8 IoCs

Processes:

RegAsm.exe

pid process

1012 RegAsm.exe
1012 RegAsm.exe
1012 RegAsm.exe
1012 RegAsm.exe
1012 RegAsm.exe
1012 RegAsm.exe
1012 RegAsm.exe
1012 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2632	personalLokiraw.exe
2708	NEWNANORAWFILE.exe

pid	process
1012	RegAsm.exe
1012	RegAsm.exe
1012	RegAsm.exe
1012	RegAsm.exe
1012	RegAsm.exe
1012	RegAsm.exe
1012	RegAsm.exe
1012	RegAsm.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

personalLokiraw.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	personalLokiraw.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	personalLokiraw.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	personalLokiraw.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

NEWNANORAWFILE.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NEWNANORAWFILE.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

258c60b279a8debef184b5c01766604f_JaffaCakes118.exe

description pid process target process

PID 2168 set thread context of 1012 2168 258c60b279a8debef184b5c01766604f_JaffaCakes118.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

NEWNANORAWFILE.exe

pid process

2708 NEWNANORAWFILE.exe
2708 NEWNANORAWFILE.exe
2708 NEWNANORAWFILE.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NEWNANORAWFILE.exe

pid process

2708 NEWNANORAWFILE.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

NEWNANORAWFILE.exepersonalLokiraw.exe

description pid process

Token: SeDebugPrivilege 2708 NEWNANORAWFILE.exe
Token: SeDebugPrivilege 2632 personalLokiraw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEWNANORAWFILE.exe

description	pid	process	target process
PID 2168 set thread context of 1012	2168	258c60b279a8debef184b5c01766604f_JaffaCakes118.exe	RegAsm.exe

pid	process
2708	NEWNANORAWFILE.exe
2708	NEWNANORAWFILE.exe
2708	NEWNANORAWFILE.exe

pid	process
2708	NEWNANORAWFILE.exe

description	pid	process
Token: SeDebugPrivilege	2708	NEWNANORAWFILE.exe
Token: SeDebugPrivilege	2632	personalLokiraw.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

258c60b279a8debef184b5c01766604f_JaffaCakes118.exeRegAsm.exe

description	pid	process	target process
PID 2168 wrote to memory of 1012	2168	258c60b279a8debef184b5c01766604f_JaffaCakes118.exe	RegAsm.exe
PID 2168 wrote to memory of 1012	2168	258c60b279a8debef184b5c01766604f_JaffaCakes118.exe	RegAsm.exe
PID 2168 wrote to memory of 1012	2168	258c60b279a8debef184b5c01766604f_JaffaCakes118.exe	RegAsm.exe
PID 2168 wrote to memory of 1012	2168	258c60b279a8debef184b5c01766604f_JaffaCakes118.exe	RegAsm.exe
PID 2168 wrote to memory of 1012	2168	258c60b279a8debef184b5c01766604f_JaffaCakes118.exe	RegAsm.exe
PID 2168 wrote to memory of 1012	2168	258c60b279a8debef184b5c01766604f_JaffaCakes118.exe	RegAsm.exe
PID 2168 wrote to memory of 1012	2168	258c60b279a8debef184b5c01766604f_JaffaCakes118.exe	RegAsm.exe
PID 2168 wrote to memory of 1012	2168	258c60b279a8debef184b5c01766604f_JaffaCakes118.exe	RegAsm.exe
PID 2168 wrote to memory of 1012	2168	258c60b279a8debef184b5c01766604f_JaffaCakes118.exe	RegAsm.exe
PID 2168 wrote to memory of 1012	2168	258c60b279a8debef184b5c01766604f_JaffaCakes118.exe	RegAsm.exe
PID 2168 wrote to memory of 1012	2168	258c60b279a8debef184b5c01766604f_JaffaCakes118.exe	RegAsm.exe
PID 1012 wrote to memory of 2632	1012	RegAsm.exe	personalLokiraw.exe
PID 1012 wrote to memory of 2632	1012	RegAsm.exe	personalLokiraw.exe
PID 1012 wrote to memory of 2632	1012	RegAsm.exe	personalLokiraw.exe
PID 1012 wrote to memory of 2632	1012	RegAsm.exe	personalLokiraw.exe
PID 1012 wrote to memory of 2708	1012	RegAsm.exe	NEWNANORAWFILE.exe
PID 1012 wrote to memory of 2708	1012	RegAsm.exe	NEWNANORAWFILE.exe
PID 1012 wrote to memory of 2708	1012	RegAsm.exe	NEWNANORAWFILE.exe
PID 1012 wrote to memory of 2708	1012	RegAsm.exe	NEWNANORAWFILE.exe

outlook_office_path 1 IoCs

Processes:

personalLokiraw.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	personalLokiraw.exe

outlook_win_path 1 IoCs

Processes:

personalLokiraw.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	personalLokiraw.exe

C:\Users\Admin\AppData\Local\Temp\258c60b279a8debef184b5c01766604f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\258c60b279a8debef184b5c01766604f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Local\Temp\personalLokiraw.exe
"C:\Users\Admin\AppData\Local\Temp\personalLokiraw.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2632

C:\Users\Admin\AppData\Local\Temp\NEWNANORAWFILE.exe
"C:\Users\Admin\AppData\Local\Temp\NEWNANORAWFILE.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEWNANORAWFILE.exe
Filesize
202KB

MD5
9166f23c199bda8b6ece839f025935c4

SHA1
6afb426b23e941334c3b4c3600f9869614d9066b

SHA256
d90ed34f5755bfcc7c8b1d6d1094aeacfb90bd4a0e5fe0cbe6e8ec4fdf5b699e

SHA512
d1d3bb5a5db7b93a053b173942be4f0d1f950ec431b90c405556764f5811b2b8381bfdcd2d4fff2295a3d61c494b3a18611b78b0a5925ef7b978f62feb31b70b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e
Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\Users\Admin\AppData\Local\Temp\personalLokiraw.exe
Filesize
104KB

MD5
534fc86a04f5c637c6dd6925eee11ab4

SHA1
40992c472e6de00108dae6235b027a70113e190c

SHA256
db74dcbdae244181006c2e4d2243b209fd042641cc5d9f1fd994dd3a6a74b0f0

SHA512
81d3f58c84cc37307bea4bda49971753c746e78fb14138e5c46ca20c3a6673c060116b9db1a302e14307588849313e3b738df3d592b6f65de05c2e6f7c50a03c

Download Submit
memory/1012-46-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1012-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1012-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1012-13-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1012-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1012-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1012-3-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1012-5-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2168-15-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2168-0-0x0000000074531000-0x0000000074532000-memory.dmp

Filesize
4KB

Download
memory/2168-2-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2168-1-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-91-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads