Overview

overview

10

Static

static

3

342335fb77...18.exe

windows7-x64

10

342335fb77...18.exe

windows10-2004-x64

10

$APPDATA/y...ub.exe

windows7-x64

1

$APPDATA/y...ub.exe

windows10-2004-x64

1

$APPDATA/y...ui.dll

windows7-x64

1

$APPDATA/y...ui.dll

windows10-2004-x64

1

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$TEMP/Moustache.dll

windows7-x64

10

$TEMP/Moustache.dll

windows10-2004-x64

10

$TEMP/go/2...60.dll

windows7-x64

1

$TEMP/go/2...60.dll

windows10-2004-x64

1

$TEMP/go/3...60.dll

windows7-x64

1

$TEMP/go/3...60.dll

windows10-2004-x64

1

$TEMP/go/pidgen.dll

windows7-x64

1

$TEMP/go/pidgen.dll

windows10-2004-x64

3

$TEMP/uninst.exe

windows7-x64

7

$TEMP/uninst.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    342335fb7740901c4a3942210b062673_JaffaCakes118

  • Size

    306KB

  • Sample

    240511-mlys8sfe53

  • MD5

    342335fb7740901c4a3942210b062673

  • SHA1

    205f344242dfc290679084bd506da694ece4621e

  • SHA256

    aa870e1218a74e244dbe047277a2037c22c4460cb5ebfc5d12267950121bad6f

  • SHA512

    dab313c3156eb1d8e4ee9a8294dea688db057e245bb900a9b3229150853cee456975caf0dc1eb979140bbb7c2b7c8f0d10c3b26bc229faed051cfa8d000ee563

  • SSDEEP

    6144:JPCganNGXkF3IrR5psdnQKCvlrzSNfZyUL+oxNR0eZ7wuRzv7H:HanoUFYFgQKUx+fsUL+oxNR0eVdRTL

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://remzclot.ga/etc/main/l09/harl/mode.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      342335fb7740901c4a3942210b062673_JaffaCakes118

    • Size

      306KB

    • MD5

      342335fb7740901c4a3942210b062673

    • SHA1

      205f344242dfc290679084bd506da694ece4621e

    • SHA256

      aa870e1218a74e244dbe047277a2037c22c4460cb5ebfc5d12267950121bad6f

    • SHA512

      dab313c3156eb1d8e4ee9a8294dea688db057e245bb900a9b3229150853cee456975caf0dc1eb979140bbb7c2b7c8f0d10c3b26bc229faed051cfa8d000ee563

    • SSDEEP

      6144:JPCganNGXkF3IrR5psdnQKCvlrzSNfZyUL+oxNR0eZ7wuRzv7H:HanoUFYFgQKUx+fsUL+oxNR0eVdRTL

    Score
    10/10
    lokibotcollectionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection
    behavioral1behavioral2

    • Target

      $APPDATA/yonetici/agent/ht/ZipExeStub.exe

    • Size

      26KB

    • MD5

      69aa866258d8c730bf1feffeabe57fa5

    • SHA1

      b4a895c279b6900e60cb5e90cdd5a6e9b79828af

    • SHA256

      0e1d1b6545d1162c755e0b22c97dfd337dfc64fb8791704a93c84d448b44511f

    • SHA512

      faf62cd96aacf1a94d4e893e4ecad9f494ecc61f548f0b955f3f47405696c6b1ccaac4a3b57dd9a56cbf0db81b64a36c55fce31a983a26be5a66d41c9b1ed5a1

    • SSDEEP

      384:BsJQbkxQ7ECMcxIHe7g6ihJSxUCR1rgCPKabK2t0X5P7DZ+uelWLwWfLCcMe/oTC:BsJQb9Mcxqe7FRJBOtL3d/o+

    Score
    1/10
    behavioral3behavioral4

    • Target

      $APPDATA/yonetici/agent/ht/vcdeployui.dll

    • Size

      10KB

    • MD5

      86e8573da0da08bc5801eeb05722b900

    • SHA1

      9df15367a068e8f16bea5b098c1bc5ab0fe8f816

    • SHA256

      116d2a7b1c04779dc774f9012dff83f01cc4905bfce0e745c1e6f1b469b445a2

    • SHA512

      bcb449de7aac0e68802868948344f57d7113eb16209ac8d2b5fd68f387c21998748763e34bc15cfb2ea3d9b09df4379eeac9b7651064a633d09d2ae6befaa724

    • SSDEEP

      96:yOKkWxHSIWPpJG4yQMsn+WT74+olgDS8zlzcWmzIBTCT5o4nzkInvzUiPjP7TPmP:hWxyIWRIx+4+Yu7RS/I1vIQG

    Score
    1/10
    behavioral5behavioral6

    • Target

      $PLUGINSDIR/BgImage.dll

    • Size

      7KB

    • MD5

      1f56d9c34643cc8033ec8e628df11cfb

    • SHA1

      1231b571a298c16a1f618799fc7d20b72ccb2747

    • SHA256

      c1593d641b89c8cf294ce4efeaea5d0a69b095f04947ecdabbef73d3225d3480

    • SHA512

      a0c80e6f5c4aa6f34b601951033b709944d3522a6faefad11d9d8f1b4398d379d4e5618029c8134204f344e8a71bfff4e19c2d6693f2119ffd05e67dd9148d24

    • SSDEEP

      96:8eU0AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqkfnLiEQjJ3KxkP:tGBfjbUA/85q3wEh8uLm2LpmP

    Score
    1/10
    behavioral7behavioral8

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      0063d48afe5a0cdc02833145667b6641

    • SHA1

      e7eb614805d183ecb1127c62decb1a6be1b4f7a8

    • SHA256

      ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

    • SHA512

      71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

    • SSDEEP

      192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4

    Score
    3/10
    behavioral10behavioral9

    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      6e64e5d5f9498058a300b26b8741d9d5

    • SHA1

      837ce28e5e02788da63a7f1d8f20207d2b0bf523

    • SHA256

      8d4b1c275fd1cd0782a265080b56d1aec8d1c93edca5ef3b050d1d20d7b61f33

    • SHA512

      f53514d36021d79f85df2494d403f03589b3ad848889b9224f962cc932ef740f127131a914c7171ad8136ca1ef631285ea1c80576db18ccf8ea56940eb00ea1e

    • SSDEEP

      96:oWW4JlD3c151V1gQoE8cxM2DjDf3GEst+Nt+jvcx4P8qndYv0PLE:oWp3ggQF8REskpx8dO0PLE

    Score
    3/10
    behavioral11behavioral12

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      293165db1e46070410b4209519e67494

    • SHA1

      777b96a4f74b6c34d43a4e7c7e656757d1c97f01

    • SHA256

      49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

    • SHA512

      97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

    • SSDEEP

      96:4BNbUVOFvfcxEAxxxJzxLp+eELeoMEskzYzeHd0+uoyVeNSsX4:EUVOFvf9ABJFHE+FkEad0PLVeN

    Score
    3/10
    behavioral13behavioral14

    • Target

      $TEMP/Moustache.dll

    • Size

      41KB

    • MD5

      5e68491fc9296f4067d397093f25e8f4

    • SHA1

      0447a8247227fc3a12c7b9cd24cf5717f6ea8ec0

    • SHA256

      47b284c8cea5f056b17bed41e272d0d61d70a169d3366a53104435bb393c1e89

    • SHA512

      4a4d6f5c81f0f161e4d70fe221192f665084e1625ba35aa052a81c6c06c706d29c920066289b948998fecd8863d799f3d33be5f850e416d47bf6be0683215b7e

    • SSDEEP

      768:3wmqf3FVwBf7uQpwukQRhsOaGnTEDE3vyS12wfpVDt4t:3wFTwBju3LQvNSS1rfpTw

    Score
    10/10
    lokibotspywarestealertrojancollection

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection
    behavioral15behavioral16

    • Target

      $TEMP/go/25.opends60.dll

    • Size

      44B

    • MD5

      09537416318f379396bddbc18046de39

    • SHA1

      dc6111549ff49afa587425603cc0c545b034b988

    • SHA256

      b407fe7ddcc7303ef167873a6498e8ebd771e9b4b432ad0a458a029574ca6afd

    • SHA512

      20b9ab08d3e940d687404436e2d6c8b4c1a9121987382c6253d7d93fc2b556fb8780742af08d8b73e4d50ea9b23d2e62298669650df60ed38e6f23c5c0155619

    Score
    1/10
    behavioral17behavioral18

    • Target

      $TEMP/go/35.opends60.dll

    • Size

      57B

    • MD5

      b330e04d27f2b76246c9401bb9df8405

    • SHA1

      fea5928cf1704d14ee717bb703c65aedfb194751

    • SHA256

      99e399e564c46308a2ec22a427f5338433a820c09ff559c8f6488be9199ed1ad

    • SHA512

      b07555fa3fb5e11e91583c28922f5a59f09e0cc8244b3bc5e62cfc231cd4a4da080f0653d404ca9a8ab332f61e393ed17235858e84dca0578f8ae51e9b5f30a9

    Score
    1/10
    behavioral19behavioral20

    • Target

      $TEMP/go/pidgen.dll

    • Size

      39KB

    • MD5

      d6daa21229600584d00093df481c921f

    • SHA1

      a0848216ed5ddf3945938de79c746ce7424c30aa

    • SHA256

      888f6c10d62ba7470fb457f054769e24a35edb86a3144214113b5a6472b0332f

    • SHA512

      d0cd6370ee5bb8daad4f07a63bb16554a723ee0959bff447b0b67c41bb3f32404d1ba2eb219679498a55ea63204584f5c2fb2ae466c3d0654fa0e118069b06fa

    • SSDEEP

      768:WGDpZQyMVVIDR4fUB+9RtYknN5EQmlCHhrBPsx1H9xllMGCacV:WGDn4KDOMET97ax1rcV

    Score
    3/10
    behavioral21behavioral22

    • Target

      $TEMP/uninst.exe

    • Size

      50KB

    • MD5

      e98ac0b9c5264d56d7a69dbf4fb82f28

    • SHA1

      3ffadf822494ba1b63bd10872dc4ee5dc80e18b4

    • SHA256

      6b85e8131032b744d7ff79cf934309a5bb79f527db50d58fd70ccdd4379c683f

    • SHA512

      94edb6485ece8890124f612b71db83a0287e306e2796a537a25cb4df5c3fdcd3b56f1a5afb11c877a5825793572ebb1728323e7c20c629dff6c73784287f17d9

    • SSDEEP

      1536:AsHllqRxeiMfvHSlzchN0MF0DBwwcZgdLeAyN/SDR:JPqRxga51PDBfcZceARN

    Score
    7/10

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral23behavioral24

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

System Information Discovery

4
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks