General

  • Target

    2f2eb5112ada90c348de197913849cbb_JaffaCakes118

  • Size

    486KB

  • Sample

    240510-pz63wafc2z

  • MD5

    2f2eb5112ada90c348de197913849cbb

  • SHA1

    5df81b865362edaf60e711f4e4cef7012c57f9e2

  • SHA256

    17fdababc93ffe1f43cd5dd49d113ba0ee788e98542617bf0c13b328329215af

  • SHA512

    c77dd372416ce8f1fccc725d3d5cc45db69e0c1dce2b2f4cf78ef54f01020468d055eb26050d0bb5bc6f1a49ff20a8df3131ed6d23a87de864bc32417b91d1fd

  • SSDEEP

    12288:177BTZw1itFpG1XGK8kbviuUQw92ZOWi6lLeNxqP6qVZ:FtZ5t8W7kbviusEEKp/P6qVZ

Malware Config

Extracted

Family

lokibot

C2

http://alum-mit-edu.com/alum/mit/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      2f2eb5112ada90c348de197913849cbb_JaffaCakes118

    • Size

      486KB

    • MD5

      2f2eb5112ada90c348de197913849cbb

    • SHA1

      5df81b865362edaf60e711f4e4cef7012c57f9e2

    • SHA256

      17fdababc93ffe1f43cd5dd49d113ba0ee788e98542617bf0c13b328329215af

    • SHA512

      c77dd372416ce8f1fccc725d3d5cc45db69e0c1dce2b2f4cf78ef54f01020468d055eb26050d0bb5bc6f1a49ff20a8df3131ed6d23a87de864bc32417b91d1fd

    • SSDEEP

      12288:177BTZw1itFpG1XGK8kbviuUQw92ZOWi6lLeNxqP6qVZ:FtZ5t8W7kbviusEEKp/P6qVZ

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks