lokibot | e32e5feb177767ae1460812431ca445d2878a94d7730b75954787ae56f279c90

General

Target

2e3794c246b2692357c84d67a63eee8a_JaffaCakes118.msi
Size

916KB
MD5

2e3794c246b2692357c84d67a63eee8a
SHA1

6e4831f1fff710b0b85db2284077d1babcfff07c
SHA256

e32e5feb177767ae1460812431ca445d2878a94d7730b75954787ae56f279c90
SHA512

1830636041c17abe43ebbeac806176177a3c3e509c9b7bc1b66166c14ccf42f82743f73edabd19be729b0b09a31736e149c16962f1c36fc273223a7c58a6f5f0
SSDEEP

12288:xEm8Elt9sHIoUJWgt46eeZZJEIdHH4hiXmVOJ8Ah3yUr2:xEytTQgtl7ZZGiHqi2omA

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://31.220.2.120/~jhjgr/wp/wp-admin/includes/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

MSI981A.tmp

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSI981A.tmp
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	MSI981A.tmp
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	MSI981A.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

MSI981A.tmp

description pid process target process

PID 4284 set thread context of 3012 4284 MSI981A.tmp MSI981A.tmp

description	pid	process	target process
PID 4284 set thread context of 3012	4284	MSI981A.tmp	MSI981A.tmp

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI97BC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI981A.tmp	msiexec.exe
File created	C:\Windows\Installer\e579700.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e579700.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 2 IoCs

Processes:

MSI981A.tmpMSI981A.tmp

pid process

4284 MSI981A.tmp
3012 MSI981A.tmp

pid	process
4284	MSI981A.tmp
3012	MSI981A.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003f3ccc8c3b3921e10000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003f3ccc8c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003f3ccc8c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3f3ccc8c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003f3ccc8c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1796 msiexec.exe
1796 msiexec.exe

pid	process
1796	msiexec.exe
1796	msiexec.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeMSI981A.tmpsrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	5012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5012	msiexec.exe
Token: SeSecurityPrivilege	1796	msiexec.exe
Token: SeCreateTokenPrivilege	5012	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5012	msiexec.exe
Token: SeLockMemoryPrivilege	5012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5012	msiexec.exe
Token: SeMachineAccountPrivilege	5012	msiexec.exe
Token: SeTcbPrivilege	5012	msiexec.exe
Token: SeSecurityPrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeLoadDriverPrivilege	5012	msiexec.exe
Token: SeSystemProfilePrivilege	5012	msiexec.exe
Token: SeSystemtimePrivilege	5012	msiexec.exe
Token: SeProfSingleProcessPrivilege	5012	msiexec.exe
Token: SeIncBasePriorityPrivilege	5012	msiexec.exe
Token: SeCreatePagefilePrivilege	5012	msiexec.exe
Token: SeCreatePermanentPrivilege	5012	msiexec.exe
Token: SeBackupPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeShutdownPrivilege	5012	msiexec.exe
Token: SeDebugPrivilege	5012	msiexec.exe
Token: SeAuditPrivilege	5012	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5012	msiexec.exe
Token: SeChangeNotifyPrivilege	5012	msiexec.exe
Token: SeRemoteShutdownPrivilege	5012	msiexec.exe
Token: SeUndockPrivilege	5012	msiexec.exe
Token: SeSyncAgentPrivilege	5012	msiexec.exe
Token: SeEnableDelegationPrivilege	5012	msiexec.exe
Token: SeManageVolumePrivilege	5012	msiexec.exe
Token: SeImpersonatePrivilege	5012	msiexec.exe
Token: SeCreateGlobalPrivilege	5012	msiexec.exe
Token: SeBackupPrivilege	1688	vssvc.exe
Token: SeRestorePrivilege	1688	vssvc.exe
Token: SeAuditPrivilege	1688	vssvc.exe
Token: SeBackupPrivilege	1796	msiexec.exe
Token: SeRestorePrivilege	1796	msiexec.exe
Token: SeRestorePrivilege	1796	msiexec.exe
Token: SeTakeOwnershipPrivilege	1796	msiexec.exe
Token: SeRestorePrivilege	1796	msiexec.exe
Token: SeTakeOwnershipPrivilege	1796	msiexec.exe
Token: SeRestorePrivilege	1796	msiexec.exe
Token: SeTakeOwnershipPrivilege	1796	msiexec.exe
Token: SeRestorePrivilege	1796	msiexec.exe
Token: SeTakeOwnershipPrivilege	1796	msiexec.exe
Token: SeRestorePrivilege	1796	msiexec.exe
Token: SeTakeOwnershipPrivilege	1796	msiexec.exe
Token: SeDebugPrivilege	3012	MSI981A.tmp
Token: SeBackupPrivilege	2808	srtasks.exe
Token: SeRestorePrivilege	2808	srtasks.exe
Token: SeSecurityPrivilege	2808	srtasks.exe
Token: SeTakeOwnershipPrivilege	2808	srtasks.exe
Token: SeBackupPrivilege	2808	srtasks.exe
Token: SeRestorePrivilege	2808	srtasks.exe
Token: SeSecurityPrivilege	2808	srtasks.exe
Token: SeTakeOwnershipPrivilege	2808	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

5012 msiexec.exe
5012 msiexec.exe

pid	process
5012	msiexec.exe
5012	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

msiexec.exeMSI981A.tmp

description	pid	process	target process
PID 1796 wrote to memory of 2808	1796	msiexec.exe	srtasks.exe
PID 1796 wrote to memory of 2808	1796	msiexec.exe	srtasks.exe
PID 1796 wrote to memory of 4284	1796	msiexec.exe	MSI981A.tmp
PID 1796 wrote to memory of 4284	1796	msiexec.exe	MSI981A.tmp
PID 1796 wrote to memory of 4284	1796	msiexec.exe	MSI981A.tmp
PID 4284 wrote to memory of 3012	4284	MSI981A.tmp	MSI981A.tmp
PID 4284 wrote to memory of 3012	4284	MSI981A.tmp	MSI981A.tmp
PID 4284 wrote to memory of 3012	4284	MSI981A.tmp	MSI981A.tmp
PID 4284 wrote to memory of 3012	4284	MSI981A.tmp	MSI981A.tmp
PID 4284 wrote to memory of 3012	4284	MSI981A.tmp	MSI981A.tmp
PID 4284 wrote to memory of 3012	4284	MSI981A.tmp	MSI981A.tmp
PID 4284 wrote to memory of 3012	4284	MSI981A.tmp	MSI981A.tmp
PID 4284 wrote to memory of 3012	4284	MSI981A.tmp	MSI981A.tmp
PID 4284 wrote to memory of 3012	4284	MSI981A.tmp	MSI981A.tmp

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

MSI981A.tmp

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	MSI981A.tmp

outlook_win_path 1 IoCs

Processes:

MSI981A.tmp

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSI981A.tmp

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2e3794c246b2692357c84d67a63eee8a_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5012

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\Installer\MSI981A.tmp
"C:\Windows\Installer\MSI981A.tmp"
2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\Installer\MSI981A.tmp
"C:\Windows\Installer\MSI981A.tmp"
3⤵
- Accesses Microsoft Outlook profiles
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579703.rbs
Filesize
663B

MD5
e93f5fd5adf65e4bf272069b1f9bee1c

SHA1
be47a30bb0d371e9f4fe2e5f43c959c917c86dc9

SHA256
542c21a26418c8f6b2c4c8d5c67c729120e4b82bf915aea688a6d12ce1b39eaf

SHA512
9f0fe0bd8cadf234936825260fc0a0ad29bd1aeea653d6970f7d71fac265446b6efa474d33b52b2539951b0c057e1834dfa81fbeb79c287a11f468e4b8b1bfe0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\0f5007522459c86e95ffcc62f32308f1_310807ab-751f-4d81-ae09-b202eaf21e19
Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\0f5007522459c86e95ffcc62f32308f1_310807ab-751f-4d81-ae09-b202eaf21e19
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Windows\Installer\MSI981A.tmp
Filesize
891KB

MD5
e3f06e6c77dcf456ed90180f5119e060

SHA1
c858224a8f75f824d37428a490d5862e8ba37d22

SHA256
ab5eefc8c8cdb7158efbaccfeb8862c7ff9471346614d8c55de29f908ebe9639

SHA512
b65cb035b8a1cf80771d76a385f71da8f3d5edb2c4055d0732fc2ad74680af2c363b3229bca799b44825d4aeddcfacefe1cf12148e035a2aee4c71e5a41a5d2d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
580d6059fcc86b4681fa4167de51ff5c

SHA1
9af842d0e12796cf86ae5f808f4aff23d4f29226

SHA256
56010fb47fbd84bc62a717b80ff115d227b5ab9e01ffd8b71ef44de8367e8891

SHA512
548e99ab2e9a426cb413efa147e591dd22b7aa07e9b00b2da0100713e9574cc0fdbffa1650a6a1206ebdb919aa543ba5d18f0dea69af2fb17650937beea438b7

Download Submit
\??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{281a3dd6-aa20-48f7-abc5-e964bd963d92}_OnDiskSnapshotProp
Filesize
6KB

MD5
5510fc7702921f64fac7d924b9c1600c

SHA1
d4a769b78d02ccf093047a9edd7a97d74939a1fe

SHA256
7e63cab466beaadadf5fcf969a8d4e999a6aa09f37302dbb87a0da06447f4ff1

SHA512
945856e0a75bfe2ed9dfba2d902379cddd83b3f48f02ee1cedb36b9bb56c0661f968185b826efa5f299745f39fb264516a0d0dd6feb30f1d08628e4814921946

Download Submit
memory/3012-18-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3012-13-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3012-14-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3012-48-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3012-16-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3012-12-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3012-61-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads