lokibot | 107a9cdd607a1299c8bc7bd48b038fe65b8db63d6ab907cb0bbadabfb56380ba

General

Target

3d45f52b9e27a0362ebb677fd499a64b_JaffaCakes118.msi
Size

1020KB
MD5

3d45f52b9e27a0362ebb677fd499a64b
SHA1

79463be51ed767c9eee5be75ffba5d5dd8009249
SHA256

107a9cdd607a1299c8bc7bd48b038fe65b8db63d6ab907cb0bbadabfb56380ba
SHA512

8ec5275059a772744333ab1584581265c6b32890e1bc8431679643a0c91660a54bbd6095b537fb29aca4ed89dc0f30e9d882e6eb16da5c096fd12aff4973358a
SSDEEP

24576:6EVQ7nZFzpDEHSgMIk4mFUEZ4GOIft/1Qp9G:6EViRooF1bRl/y

Score

10^/10

lokibot collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://paadasala.com.au/reg/home/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

MSI853E.tmp

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSI853E.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	MSI853E.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	MSI853E.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSI853E.tmp

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	MSI853E.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

MSI853E.tmp

description pid process target process

PID 4944 set thread context of 4828 4944 MSI853E.tmp MSI853E.tmp

description	pid	process	target process
PID 4944 set thread context of 4828	4944	MSI853E.tmp	MSI853E.tmp

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI853E.tmp	msiexec.exe
File created	C:\Windows\Installer\e578405.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e578405.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

Processes:

MSI853E.tmpMSI853E.tmp

pid process

4944 MSI853E.tmp
4828 MSI853E.tmp

pid	process
4944	MSI853E.tmp
4828	MSI853E.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000072b368a908c284c40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000072b368a90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090072b368a9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d72b368a9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000072b368a900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

3128 msiexec.exe
3128 msiexec.exe

pid	process
3128	msiexec.exe
3128	msiexec.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exeMSI853E.tmp

description	pid	process
Token: SeShutdownPrivilege	3896	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3896	msiexec.exe
Token: SeSecurityPrivilege	3128	msiexec.exe
Token: SeCreateTokenPrivilege	3896	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3896	msiexec.exe
Token: SeLockMemoryPrivilege	3896	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3896	msiexec.exe
Token: SeMachineAccountPrivilege	3896	msiexec.exe
Token: SeTcbPrivilege	3896	msiexec.exe
Token: SeSecurityPrivilege	3896	msiexec.exe
Token: SeTakeOwnershipPrivilege	3896	msiexec.exe
Token: SeLoadDriverPrivilege	3896	msiexec.exe
Token: SeSystemProfilePrivilege	3896	msiexec.exe
Token: SeSystemtimePrivilege	3896	msiexec.exe
Token: SeProfSingleProcessPrivilege	3896	msiexec.exe
Token: SeIncBasePriorityPrivilege	3896	msiexec.exe
Token: SeCreatePagefilePrivilege	3896	msiexec.exe
Token: SeCreatePermanentPrivilege	3896	msiexec.exe
Token: SeBackupPrivilege	3896	msiexec.exe
Token: SeRestorePrivilege	3896	msiexec.exe
Token: SeShutdownPrivilege	3896	msiexec.exe
Token: SeDebugPrivilege	3896	msiexec.exe
Token: SeAuditPrivilege	3896	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3896	msiexec.exe
Token: SeChangeNotifyPrivilege	3896	msiexec.exe
Token: SeRemoteShutdownPrivilege	3896	msiexec.exe
Token: SeUndockPrivilege	3896	msiexec.exe
Token: SeSyncAgentPrivilege	3896	msiexec.exe
Token: SeEnableDelegationPrivilege	3896	msiexec.exe
Token: SeManageVolumePrivilege	3896	msiexec.exe
Token: SeImpersonatePrivilege	3896	msiexec.exe
Token: SeCreateGlobalPrivilege	3896	msiexec.exe
Token: SeBackupPrivilege	3656	vssvc.exe
Token: SeRestorePrivilege	3656	vssvc.exe
Token: SeAuditPrivilege	3656	vssvc.exe
Token: SeBackupPrivilege	3128	msiexec.exe
Token: SeRestorePrivilege	3128	msiexec.exe
Token: SeRestorePrivilege	3128	msiexec.exe
Token: SeTakeOwnershipPrivilege	3128	msiexec.exe
Token: SeRestorePrivilege	3128	msiexec.exe
Token: SeTakeOwnershipPrivilege	3128	msiexec.exe
Token: SeRestorePrivilege	3128	msiexec.exe
Token: SeTakeOwnershipPrivilege	3128	msiexec.exe
Token: SeBackupPrivilege	1624	srtasks.exe
Token: SeRestorePrivilege	1624	srtasks.exe
Token: SeSecurityPrivilege	1624	srtasks.exe
Token: SeTakeOwnershipPrivilege	1624	srtasks.exe
Token: SeBackupPrivilege	1624	srtasks.exe
Token: SeRestorePrivilege	1624	srtasks.exe
Token: SeSecurityPrivilege	1624	srtasks.exe
Token: SeTakeOwnershipPrivilege	1624	srtasks.exe
Token: SeRestorePrivilege	3128	msiexec.exe
Token: SeTakeOwnershipPrivilege	3128	msiexec.exe
Token: SeRestorePrivilege	3128	msiexec.exe
Token: SeTakeOwnershipPrivilege	3128	msiexec.exe
Token: SeDebugPrivilege	4828	MSI853E.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3896 msiexec.exe
3896 msiexec.exe

pid	process
3896	msiexec.exe
3896	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

msiexec.exeMSI853E.tmp

description	pid	process	target process
PID 3128 wrote to memory of 1624	3128	msiexec.exe	srtasks.exe
PID 3128 wrote to memory of 1624	3128	msiexec.exe	srtasks.exe
PID 3128 wrote to memory of 4944	3128	msiexec.exe	MSI853E.tmp
PID 3128 wrote to memory of 4944	3128	msiexec.exe	MSI853E.tmp
PID 3128 wrote to memory of 4944	3128	msiexec.exe	MSI853E.tmp
PID 4944 wrote to memory of 4828	4944	MSI853E.tmp	MSI853E.tmp
PID 4944 wrote to memory of 4828	4944	MSI853E.tmp	MSI853E.tmp
PID 4944 wrote to memory of 4828	4944	MSI853E.tmp	MSI853E.tmp
PID 4944 wrote to memory of 4828	4944	MSI853E.tmp	MSI853E.tmp
PID 4944 wrote to memory of 4828	4944	MSI853E.tmp	MSI853E.tmp
PID 4944 wrote to memory of 4828	4944	MSI853E.tmp	MSI853E.tmp
PID 4944 wrote to memory of 4828	4944	MSI853E.tmp	MSI853E.tmp
PID 4944 wrote to memory of 4828	4944	MSI853E.tmp	MSI853E.tmp

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

MSI853E.tmp

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	MSI853E.tmp

outlook_win_path 1 IoCs

Processes:

MSI853E.tmp

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSI853E.tmp

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3d45f52b9e27a0362ebb677fd499a64b_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3896

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\Installer\MSI853E.tmp
"C:\Windows\Installer\MSI853E.tmp"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\Installer\MSI853E.tmp
"C:\Windows\Installer\MSI853E.tmp"
3⤵
- Accesses Microsoft Outlook profiles
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e578408.rbs
Filesize
663B

MD5
9f7ed9f25569119b6b9c85792aab61a4

SHA1
40ff3f0799e7bb7c181a119de923cec38fc92e10

SHA256
9afea0f03672ad8729c76b0addb9f9e1d64cc8ee5b0dfa9b138d3408e920d5c1

SHA512
a96e3a6722499778c02166d88e2812158ed1ef31907c4edf85f26d30937b0a09a8a0d28f4c4e7184a543d7c0cf81b36693e21dd86a08f68434f0d68795da482d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2804150937-2146708401-419095071-1000\0f5007522459c86e95ffcc62f32308f1_5a32ead2-14a8-4b34-b6a3-85cfb28e2fbd
Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2804150937-2146708401-419095071-1000\0f5007522459c86e95ffcc62f32308f1_5a32ead2-14a8-4b34-b6a3-85cfb28e2fbd
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Windows\Installer\MSI853E.tmp
Filesize
994KB

MD5
8a1840737ac22e0d30ac8cefa8520885

SHA1
f79cb4602fa06c08a5631eda8a3164667565e28e

SHA256
b24d48dc6a7c84b3350e86214059294f188bb9835d99bc8c9821e8a9018872d0

SHA512
535321ab0c37c40a0d3192ec1e479064bfe9b74edccc8c8f304f8a9d663a13614ecf2eac3fe359c33c8294a4166ada6243603543b78ee53b0461eea2c6a2f913

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
7652e40fdf88a85dcc875934309bdec1

SHA1
c608c23173ca31d71d2990f324fc44cd4a2f2e16

SHA256
afab1ed4b0563e16b6b4666ceac102de4a361d9943455ffe510ea98669ce2d6e

SHA512
ca3e7c3baa2dae75ec1d05656098281c0d4989a088e584914b1e3de4ecc41b82aecaad3770e4a80d4717768a5c3236c56b65a7af431e7ea2e5a16c5f8b604ce7

Download Submit
\??\Volume{a968b372-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{93a5a9a3-0bd3-4a78-8bc7-9190a7d1038a}_OnDiskSnapshotProp
Filesize
6KB

MD5
f10e941fb38ce26f5e263ff3d1bb777d

SHA1
beec9e77cd4d2ef04498c17d529019cf78323afa

SHA256
3c862c5dd802c7ce20292a3663fc8a2deb34dcfbca37fbd43a53d8c8881edd55

SHA512
3e1ad2edd69155dc9cca9d457ec046498ced9d324921e4a30e49085b1ea3a29be26e5330b911b321f6bdb2e3ded8819aab30a664f41bb0d103deaf9c633a0dc6

Download Submit
memory/4828-19-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4828-79-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4828-22-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4944-13-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4944-24-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4944-18-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4944-12-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4944-14-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4944-15-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads