lokibot | 0eb1aa5fbc307739f1ec0683b1cd2f445df7504ba12cda54db822616c9c883c1

General

Target

2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exe
Size

748KB
MD5

2ef82df57eeeadb36413914c8a96f8e4
SHA1

69e9927291967dc0d705b5dd397bfd56d9e1dea9
SHA256

0eb1aa5fbc307739f1ec0683b1cd2f445df7504ba12cda54db822616c9c883c1
SHA512

d507e9f0387b3a6d2d135499faba5910c9c39d32f810fa9a6acf929ee42b68c56576a7bb21955e90e64703c40287d54d484fa9e7a6890cc3c6c23fb6a4c6aebd
SSDEEP

12288:ByuCH24yFa+UQfvAMQxfQL/hE0cki2EFf9hd+8hSlZuv1n8l2/Pz02a+aBe1Ra:UPqlX7QxIzW0vS1+qBv2lmbja

Score

10^/10

lokibot collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://89.34.237.212/annonymous/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exe

Drops startup file 2 IoCs

Processes:

2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe	2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe	2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

app.exeapp.exe

pid process

1260 app.exe
3464 app.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1260	app.exe
3464	app.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

app.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	app.exe
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	app.exe
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	app.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

app.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\78y6t4ref6g7h867gfede = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\app.exe -boot"	app.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

app.exe

description pid process target process

PID 1260 set thread context of 3464 1260 app.exe app.exe

description	pid	process	target process
PID 1260 set thread context of 3464	1260	app.exe	app.exe

Drops file in Windows directory 4 IoCs

Processes:

app.exe2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	app.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	app.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exeapp.exeapp.exe

description	pid	process
Token: SeDebugPrivilege	5092	2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exe
Token: SeDebugPrivilege	1260	app.exe
Token: SeDebugPrivilege	3464	app.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exeexplorer.exeapp.exe

description	pid	process	target process
PID 5092 wrote to memory of 3468	5092	2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exe	explorer.exe
PID 5092 wrote to memory of 3468	5092	2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exe	explorer.exe
PID 5092 wrote to memory of 3468	5092	2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exe	explorer.exe
PID 4848 wrote to memory of 1260	4848	explorer.exe	app.exe
PID 4848 wrote to memory of 1260	4848	explorer.exe	app.exe
PID 4848 wrote to memory of 1260	4848	explorer.exe	app.exe
PID 1260 wrote to memory of 3464	1260	app.exe	app.exe
PID 1260 wrote to memory of 3464	1260	app.exe	app.exe
PID 1260 wrote to memory of 3464	1260	app.exe	app.exe
PID 1260 wrote to memory of 3464	1260	app.exe	app.exe
PID 1260 wrote to memory of 3464	1260	app.exe	app.exe
PID 1260 wrote to memory of 3464	1260	app.exe	app.exe
PID 1260 wrote to memory of 3464	1260	app.exe	app.exe
PID 1260 wrote to memory of 3464	1260	app.exe	app.exe
PID 1260 wrote to memory of 3464	1260	app.exe	app.exe

outlook_office_path 1 IoCs

Processes:

app.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	app.exe

outlook_win_path 1 IoCs

Processes:

app.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	app.exe

C:\Users\Admin\AppData\Local\Temp\2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ef82df57eeeadb36413914c8a96f8e4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
  2⤵
  PID:3468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1337824034-2731376981-3755436523-1000\0f5007522459c86e95ffcc62f32308f1_6833eb7b-8d4b-4cdd-9502-9bbf7fc1cf9f

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe

Filesize
748KB

MD5
2ef82df57eeeadb36413914c8a96f8e4

SHA1
69e9927291967dc0d705b5dd397bfd56d9e1dea9

SHA256
0eb1aa5fbc307739f1ec0683b1cd2f445df7504ba12cda54db822616c9c883c1

SHA512
d507e9f0387b3a6d2d135499faba5910c9c39d32f810fa9a6acf929ee42b68c56576a7bb21955e90e64703c40287d54d484fa9e7a6890cc3c6c23fb6a4c6aebd

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

Filesize
478B

MD5
4d5f4a9f0620b7a353524ce2522ccdad

SHA1
5d4b64b2b84cb45851f7751bd1c1162ec2a3e91f

SHA256
fa57fb35373311fc29ddd4b53e9a92c9a30bf5c016fdad7d5449607cee6adcb3

SHA512
8ddebfc5e544a1a3329e11b52996d24636253565c5f874452df9fee55f8cc4c020ff8f4059b676b3cddaf58d2493fc8610518dc1e3c0870a15041200075d1fb8

Download Submit
memory/3464-11-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3464-13-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3464-39-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5092-0-0x00007FFE95150000-0x00007FFE95345000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads