lokibot | 9e931ddc070e0c5be9b565479a298449f8c38a686472774386d5a3a402b4eee6

General

Target

3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe
Size

386KB
MD5

3e68d38b9687d6d947711d1105076a1a
SHA1

f7b7e51adbd2ad3830b23ba1047b2ff06662ef3c
SHA256

9e931ddc070e0c5be9b565479a298449f8c38a686472774386d5a3a402b4eee6
SHA512

76cc87ccf6d6d8e2c56c4a778f17b1d3a3904714d4ac861f9b99e75eaf3c1191073a0ae3c2352e8b86cd2966ecb591082d87b7e64f577204f668c34a7360dd13
SSDEEP

3072:Wq9dGWohBHIQ9se3BhHI7+vFP28A7eq1PAJ74Icry78/w/PM4mMyJvPaZESu:YqQOkBlIwFP87TARcikH1v+Er

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://ipqbook.com/shalom/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2696 set thread context of 2652	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe
2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe
Token: SeDebugPrivilege	2652	vbc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2344	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe	28
PID 2696 wrote to memory of 2344	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe	28
PID 2696 wrote to memory of 2344	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe	28
PID 2696 wrote to memory of 2344	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe	28
PID 2344 wrote to memory of 2904	2344	csc.exe	30
PID 2344 wrote to memory of 2904	2344	csc.exe	30
PID 2344 wrote to memory of 2904	2344	csc.exe	30
PID 2344 wrote to memory of 2904	2344	csc.exe	30
PID 2696 wrote to memory of 2652	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2652	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2652	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2652	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2652	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2652	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2652	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2652	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2652	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2652	2696	3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e68d38b9687d6d947711d1105076a1a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5xvln2de\5xvln2de.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A73.tmp" "c:\Users\Admin\AppData\Local\Temp\5xvln2de\CSCF17EA32815104501A93D7E79FED190ED.TMP"
    3⤵
    PID:2904
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5xvln2de\5xvln2de.dll

Filesize
6KB

MD5
bedab553a7b79c4b5394bb0af74c8a1e

SHA1
fe583dd7947582dc6228255614dfc39eefdcb3da

SHA256
7e938ecbe2a01256538aa1b7a87f0c8b8cea5c4d1dacb724a70abcf62cd0c9e8

SHA512
30615d53243fb361029eb0fbd5cb0dae779f930da00d4c0ea1559b2fd984b4d15c8e51855d0b2c6eb9aed39724f1abf24320fc1cab4311f86dc4681b60f0ddf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5xvln2de\5xvln2de.pdb

Filesize
15KB

MD5
f157d551e37c96910b7d1abf81747c01

SHA1
a1ef7b242c220c0f458e4efe989abe180dea3b34

SHA256
78d9c1e1d9425c74826277c7e0328c56f7a73643712a6dbda6cffc2030b7d1f5

SHA512
320a14b18cbafa5163de97743bffa602a5e7c89fbd8a623ef798985fbf68d82d1efddbc9d55c73ded3d9ecaa7f982f37f6936646999e1eeecc1a205763dd100a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1A73.tmp

Filesize
1KB

MD5
9e1ec7df25c2570f2e8bbceb4b9e46d8

SHA1
78ec628352918fbb9b39c06a700704d26764a2b1

SHA256
71bb8fa83d7531cacb2db4c13d8852bdb5fbd460214a3f859c085a7b79199d97

SHA512
dd4b8f8ae68d0b32227e88830ba015962d52461aa615ccfd95c53b3270420faff3dbec5ccb7ee7e73f88c1a39de7a71067c7d75c41e0e27aba3be369d24323f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5xvln2de\5xvln2de.0.cs

Filesize
3KB

MD5
acd90e63e3c3dd828a38c35d4d04c217

SHA1
d2ad739301ed7a4e383a9088e30c90807aab1fdc

SHA256
566ac420eec1621de73618368b08d9063984723302bd455b86b60c82a5f359e8

SHA512
2b310b2c4f1059a936b679d3597de50eb87df2706a5575dfb92c6bf3a72cee246bb9d5de60fb9d4b90fb52378097f5703f9abed6fa5d407950472648b8977539

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5xvln2de\5xvln2de.cmdline

Filesize
312B

MD5
32a16ef9bbd6d708476833a6878c71f2

SHA1
a89c59f9d874813fecc31b7775afaf529a12c7d8

SHA256
b7e619712d1cb584122e8ef0886808404adb541624fa508effdaee55251f4396

SHA512
0dfcff22d314ddf7452f6c327a98ecdd5979727966c0f8d92164fdbb7ba05be212281bd83a06dde81663353e4a6f71a001cf9879f8406f378cb972008db32807

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5xvln2de\CSCF17EA32815104501A93D7E79FED190ED.TMP

Filesize
1KB

MD5
61064b5c7ea848a3f5a2a5d5421ea74a

SHA1
31446c389443891c9e66119c7c52afd59b63cf25

SHA256
aa48d27f215e66c7911a30f7666d3dabf2ee3404c9323e0462679452bd10f994

SHA512
a3d83a564b3ff5842b7a3787c4830ea1b3db0d6cfc6405d13bcd326644116241dad130583d9997f799fc1cd2c0cb0ee447d283e56a6f616b3c5fe982676463fc

Download Submit
memory/2652-25-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2652-28-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2652-74-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2652-34-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2652-27-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2652-35-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2652-23-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2652-32-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2652-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2652-29-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2696-22-0x0000000000AC0000-0x0000000000B62000-memory.dmp

Filesize
648KB

Download
memory/2696-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/2696-3-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2696-36-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2696-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2696-20-0x0000000000A90000-0x0000000000ABA000-memory.dmp

Filesize
168KB

Download
memory/2696-2-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/2696-1-0x0000000000FB0000-0x0000000000FE4000-memory.dmp

Filesize
208KB

Download
memory/2696-18-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing