Overview

overview

10

Static

static

10

Loki 1.8/B...me.exe

windows7-x64

10

Loki 1.8/B...me.exe

windows10-2004-x64

10

Loki 1.8/C...V2.dll

windows7-x64

1

Loki 1.8/C...V2.dll

windows10-2004-x64

1

Loki 1.8/L...al.exe

windows7-x64

1

Loki 1.8/L...al.exe

windows10-2004-x64

1

Loki 1.8/M...UI.dll

windows7-x64

1

Loki 1.8/M...UI.dll

windows10-2004-x64

1

Loki 1.8/N...ty.dll

windows7-x64

1

Loki 1.8/N...ty.dll

windows10-2004-x64

1

Panel/five...ss.ps1

windows7-x64

3

Panel/five...ss.ps1

windows10-2004-x64

3

Panel/five...ss.ps1

windows7-x64

3

Panel/five...ss.ps1

windows10-2004-x64

3

Panel/five...ass.js

windows7-x64

3

Panel/five...ass.js

windows10-2004-x64

3

Panel/five...ass.js

windows7-x64

3

Panel/five...ass.js

windows10-2004-x64

3

Panel/five...ass.js

windows7-x64

3

Panel/five...ass.js

windows10-2004-x64

3

Panel/five...ass.js

windows7-x64

3

Panel/five...ass.js

windows10-2004-x64

3

Panel/five...ss.ps1

windows7-x64

3

Panel/five...ss.ps1

windows10-2004-x64

3

Panel/five...ss.ps1

windows7-x64

3

Panel/five...ss.ps1

windows10-2004-x64

3

Panel/five...ass.js

windows7-x64

3

Panel/five...ass.js

windows10-2004-x64

3

Panel/five...ass.js

windows7-x64

3

Panel/five...ass.js

windows10-2004-x64

3

Panel/five...ss.ps1

windows7-x64

3

Panel/five...ss.ps1

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    41b1711730c7ae3e9601df4422ab2594_JaffaCakes118

  • Size

    6.0MB

  • Sample

    240514-qxyt6ahf56

  • MD5

    41b1711730c7ae3e9601df4422ab2594

  • SHA1

    818d149bee398f7f3b6681529cfb91ebee7bd314

  • SHA256

    6c11b5f1e85a276e82e0fcf65049fbd52406173aaec631cd8996f1fac18a0c36

  • SHA512

    7f1d4a919bac1c53d3f17ad1f0835ad15c07b03541d392b44582647cad5f4127d1d127e871ecdb3a2e7c27e7fb3843f924ba21078eff878c1d312e22b395c367

  • SSDEEP

    98304:KC21uSadgtPtKQlMCLTlQiKXtjBr2mHCJajyp8SnoXsC3U/iW7:KFT51L8tXCC98Em/iW7

Score
10/10
lokibotnjratevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

lokibot

C2

http://fakeme.us/Panel/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Loki 1.8/Builder_Lifetime.exe

    • Size

      367KB

    • MD5

      5e85824cf5ae53b0e46afaacb011732b

    • SHA1

      baa3b6b8bdd489cc4121688bbbafdffdce0da4f1

    • SHA256

      f0e0aaaee50fa1bceb57e92777fbb8696514ea99a755214d2b49255d3f7538ed

    • SHA512

      f55bbc8a4ecbedb8ebce746ad3d49de7703ce707f627e2ceba349d5f4414cc160be59be75d3a345109e9bf93c0ce1859eb5d21c010c5b7236d163500dd58ea9e

    • SSDEEP

      6144:OeQybLGW2q0GZekNrSrSD9RBDbPkeVX6TuWkob3vHBRZ8wa7:mybLGDy3JBzDJXHWkoD/Zh2

    Score
    10/10
    njratevasionpersistencetrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

    • Target

      Loki 1.8/CookComputing.XmlRpcV2.dll

    • Size

      120KB

    • MD5

      537de6ee0a72601be1e1e452a3010954

    • SHA1

      91f87bc5cc88249811dfcd130ccc2ca907eee2d3

    • SHA256

      5826818bb43d41f6bc08722f036f3f9402dd53b6e6d6356caa5192fadf278451

    • SHA512

      55eba8ba9d51bf5be2f8b40b68b0d162b6f1dfcc692d11e886a17d325fdb07c47965bd9fe590caafcf2a885f4b667b1e1a99a7467c5fc7ed45d214813fe91129

    • SSDEEP

      3072:nYroBKFuiSfBStfhXjCjjETsm1cGvyN0rtmfeJyLG3CE2F+46tD1C2Eo:nwSfBStWnGvsPfeJyLGGKD1C2E

    Score
    1/10
    behavioral3behavioral4

    • Target

      Loki 1.8/Loki_original.exe

    • Size

      294KB

    • MD5

      5455364b437d431400267a9092d65442

    • SHA1

      e34ddbf5ba33ffff8beca910cb17237553f4bfd1

    • SHA256

      3ed5d687a46e865424395d3dd455f69c82ac0b22fa24f361db6e87e7aa5019bd

    • SHA512

      a00fcf59f67062b112139b0ecdb9a65b9e80b63f90a0dcccc088100e65086e91d1cf704e1e48ef6093e5dcbcb996c00d242792fef7aafe220bacf453251f9f0a

    • SSDEEP

      3072:wRb49OzAYn3a5O1mgxbnRQW1FkvHjhUfTEsS1yxrxzAycsFQ2D:wb49lQ1mgxbnRQW1FkvAeQxrxzDBp

    Score
    1/10
    behavioral5behavioral6

    • Target

      Loki 1.8/MRG.Controls.UI.dll

    • Size

      11KB

    • MD5

      f3ef809f9235900c0b086e1d22891321

    • SHA1

      0251416274a1934d9461906e878858dec6be1a76

    • SHA256

      7e27f1b12fe021a61fcbc5b349c75d49f0a41d6ea2556799d15948ce255c57fc

    • SHA512

      5bcb9815c4a11583994168d704638b92f67313f36028bbd199c167fce2ecff16a98f3f0649d977b0784a45653ab0e4d22022ea24bfdbb46ac93693e3e7590311

    • SSDEEP

      192:jKav8vl059O9z6b16UDauuuuuuUnGh4A7uf65I5BLZBGnn15sXQJ2NpQX:WapPcz6QruuuuuuUW4DC5I5BL7amQJ26

    Score
    1/10
    behavioral7behavioral8

    • Target

      Loki 1.8/NReadability.dll

    • Size

      41KB

    • MD5

      008fe03cbe1da5d1c39706d34fc8a85f

    • SHA1

      87a8a21802c2cabcfe0bfad3f28eca6ac7a3f09c

    • SHA256

      c057c61e1871252c98d4482fcd4a55713db2427d92dabf2d0e006bf948d0569f

    • SHA512

      deb3494f34f9a0b3725ecf188ba19b28cb4d91185fe729b17d2140a19a9886f7e3ebeb1c74f8361adf65183c9cd7e1d770bc1a96d29bf81a3ea4c096ec695995

    • SSDEEP

      768:aNTjuakP4LpHPvt3j+ahgZs/5wLEyCQ7G8Axuzdp2wT2+IyP6jsl6r2r5n:ad7kP4LpHXPSZ7LEFQ7G8Axuzj2wT2+V

    Score
    1/10
    behavioral10behavioral9

    • Target

      Panel/five/inc/class/misc.class.php

    • Size

      66KB

    • MD5

      619cd2ce2df8764750e66b4989c55ba8

    • SHA1

      26ebf1af647c6a28f70b73e0263fd10da861b6f2

    • SHA256

      b7d5548cbe65f4a3533708ad64309a4466022a9ce592bcf4cb42bd7d6dfe4c8e

    • SHA512

      2e323b7a930065da53e19eb32911533733a3085700f5c3ec47448abc6e53f19f988d258c5ed8cf70d71eb7d3f795ceb4e8629cd635a2a3e07a9abaf5f3b93aac

    • SSDEEP

      1536:Cwv+CpQQSfEv/CLCQecYeReGT6uNU51FXNtiLanesKY1K5Ue/iasa:CK+1T6qLcesKY1K5Psa

    Score
    3/10
    execution
    behavioral11behavioral12

    • Target

      Panel/five/inc/class/mysqli.class.php

    • Size

      76KB

    • MD5

      ee9dbe92dd08c8f3a082ab46103ef4f8

    • SHA1

      cd9beb16a8ceb9403101d77c5c596c657074ff83

    • SHA256

      5eb284f8432c5f442de9bdd5e41ed303aa53f47d5e0da5b8d67e957bbbcacac6

    • SHA512

      93e80b1da8b7f98a431c947bd435fc7f60b5e50a0af2ae9df1ecbd60f1d8ea0a709138cd40bca2ed6157f3a5d6e0ac3a29e358051ba37373315aa6ffc3e52638

    • SSDEEP

      1536:kHgMcfeNcsDDkdnn5ssfTSxs51LsDZVrWD:pfeNct

    Score
    3/10
    execution
    behavioral13behavioral14

    • Target

      Panel/five/inc/class/pCharts/class/pBarcode128.class.php

    • Size

      6KB

    • MD5

      a9fc8013bd8f51789fb657199b502637

    • SHA1

      7e862deba68e60a997f42e2e1c757ba2e90d1b9b

    • SHA256

      070c18ed48a10fa0a26482426ccc20f494dbbb79b0ca6d8b70ffb2685947ba8f

    • SHA512

      078652a07045e226541e411ce67a478f570f29b4a9fc3b234f58c16cf29e31c35ac9b12c9859530c4fab89aa8a9fe1d36cb4c7b48a55cbb79b92718903c27a61

    • SSDEEP

      96:MoB3gDYR4btt/uGPyDWIesaS7f3HddPsoEXAkM:MoB3eYRyEGPyDWHsaS7tOoEXAkM

    Score
    3/10
    execution
    behavioral15behavioral16

    • Target

      Panel/five/inc/class/pCharts/class/pBarcode39.class.php

    • Size

      7KB

    • MD5

      ff78588d44eece5ad0436581257b9e9f

    • SHA1

      810e27278870cb260bef6d9b7794f56cbfde54b3

    • SHA256

      7d82743e15cf0d6de4412fc116c4fe1ce932c0116ca2a10f46962b1ed33735a2

    • SHA512

      f7f0cf43116cc7f28159f2c8315967dcf003f9fa5f88a01b4d44c080ccdd77336c9f5bb7d4e54333abe9e981000e5655b9eed4d6588415db1c2caef75505740c

    • SSDEEP

      96:eoB3gDYaWiATbK1/7IQri2vZO9zwfcS7+HddPsoEzzXAkM:eoB3eYZiACtI+i2RO9zWcSIOoEHXAkM

    Score
    3/10
    execution
    behavioral17behavioral18

    • Target

      Panel/five/inc/class/pCharts/class/pBubble.class.php

    • Size

      14KB

    • MD5

      e297812e01d2338df95c40a74bf3699e

    • SHA1

      09c88abe3d5b789d7668b3dd05d62b701273a9d6

    • SHA256

      bde928ec2a3d04012a2a5aa652b9f9b0f9dc70c8d0789f70fca2917f519b88f4

    • SHA512

      3d8acc03675f933f068b6554a87d56c326f6bd1b60a9167e38ad424982b7d971b8bb639d71a0da5f405002844582b04196d0fe370b7a17be46c7f7a5465a7f60

    • SSDEEP

      96:toB3gDTXYQO49Wy65dra3Xte7WxvjauVZsmfes0IUWlnb5y8bkzxy8br8p77pvK0:toB3eTXYQO49Wx5dW3XiWJsS08pyhE

    Score
    3/10
    execution
    behavioral19behavioral20

    • Target

      Panel/five/inc/class/pCharts/class/pCache.class.php

    • Size

      8KB

    • MD5

      718b4ca4d55c403332a3477a10161789

    • SHA1

      97d6cef62fe9e14f9a871648953ee2bc2538e45c

    • SHA256

      d7d4f3dbaf3a39ee73056cd1c9690ebeb3370528f720e0de145db78c211856ec

    • SHA512

      fb0aee797f7c1b6b02390a35ea673abd0406bed44454e4ab8bd38dc7ad176db5155cdb2b058df3894edc7468f5dfb93494e042546e236fa06a2ce7ab52052f5c

    • SSDEEP

      192:VoB3eY60PKKfm2q5HNZVo/vQG0lJeMjDK5Fvjy7:6O8CFTiEGjy7

    Score
    3/10
    execution
    behavioral21behavioral22

    • Target

      Panel/five/inc/class/pCharts/class/pData.class.php

    • Size

      30KB

    • MD5

      5f125e49f5fb06094f12aa27dbfa31ed

    • SHA1

      aff84d0e69f85c91705208029bf88dd8b4d5cacd

    • SHA256

      f705add7a7e20a5603b432d97a80170a9d31dc4de449a6a0ce014b4169582b1b

    • SHA512

      0b4c073ffbcf8e4c7932c121bde44698656b0ab19dac98692f2e83470510a1829d09eee6418e47237cac115bed25f8d319525f13ad7a2e4fc7876016a3d3c6b8

    • SSDEEP

      384:PO7Ex4JPAMRdTXm9KbSX5hyxUgMsS6sz8n8pwvQJxISbcV5s3NA:SExmnzm9KbK58Ojsoz8n8psIISbh2

    Score
    3/10
    execution
    behavioral23behavioral24

    • Target

      Panel/five/inc/class/pCharts/class/pDraw.class.php

    • Size

      319KB

    • MD5

      0b9bbffe4c457652343862347e1357ef

    • SHA1

      23d4591b018f5d133ecdff92e387877b0845b432

    • SHA256

      97201d530c4745751246ed4639cf24e3342ce0a4a3de885b2e969e1cdc1bf3db

    • SHA512

      20cd48f0119681a925950eb5771cb884eb5a8e980d8e931df130320febd99724cb66e0c4f5cbd6a2f7e1ee190a7f505a5a5426e0831daae6d817b1bbdfa9a149

    • SSDEEP

      1536:PkqjoqKdH5Isz01Dx0MBDK5BgJctv5VqFhuQAqoXkbETmuDodIE0XX3nz:EmF4QAqhbETmuDoOE0XX3nz

    Score
    3/10
    execution
    behavioral25behavioral26

    • Target

      Panel/five/inc/class/pCharts/class/pImage.class.php

    • Size

      19KB

    • MD5

      de8a9c64df37a59ca0d4932414c817de

    • SHA1

      429b0b9dcc9e3843976dcb14c16e45a874208309

    • SHA256

      40a1105c0b71544cc8352fefacf982252d0cbf68c7b2ce57ac010cf152537028

    • SHA512

      952dd9538fdbf743a726b57772bc64c51c5ef158328f2f638d12fc6a79cd87c748f858637c7950618437aabc3164e535bf32b5604fcd1e0f225b19c84754f1c1

    • SSDEEP

      192:goB3enohsCfN2o7auOmPhTRzTePSmjfqmfLCEm1ty297z2yr36zhaa4aY665ppLP:lOoFAmPhTRzZmTCFZJfFAu

    Score
    3/10
    execution
    behavioral27behavioral28

    • Target

      Panel/five/inc/class/pCharts/class/pIndicator.class.php

    • Size

      11KB

    • MD5

      4ac9195a473ab04729bb513852bc1bc7

    • SHA1

      af605e8882ce5ec6b41b3902b75414fdf4e54257

    • SHA256

      03db301cb33d99a591f32ac3050b24b360434759c4cf6ea835612e4516bef920

    • SHA512

      d7c3e887f0e467fe72c155be1dab637fb9d368ef08cd6d36857bb0185a1f1d2792643df791b8209b2325d8c27dd6e1a78ed8531f3a6e0996156b95101747832e

    • SSDEEP

      192:tjoB3eGZNS+1uFIgn1QKAlOpFCpK7TWOe:6OQ4ntpopBj

    Score
    3/10
    execution
    behavioral29behavioral30

    • Target

      Panel/five/inc/class/pCharts/class/pPie.class.php

    • Size

      65KB

    • MD5

      4a8df9c68451a7846fbbfb5213c450d8

    • SHA1

      768de54634a27f2899887630427aea84bdd87bfc

    • SHA256

      a84369ce6edeaef275e6973227e6212df23234e9c4649e73354b9b247559a13d

    • SHA512

      ecf9a4d38dd3c18db9b48e872a5289fea5d648bd53a335322cac2015a57083d3e2fdd4213c197904cbf0af61a160a58d0317c7f72a03e93dc7d5257870fab9b3

    • SSDEEP

      1536:QQaY0UNjLGv8S6STShvmv1jSXSNBOBVSTSBvmvGO+vUSsk6V:owO7

    Score
    3/10
    execution
    behavioral31behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

11
T1059

PowerShell

5
T1059.001

JavaScript

6
T1059.007

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

lokibot
Score
10/10

behavioral1

njratevasionpersistencetrojan
Score
10/10

behavioral2

njratevasionpersistencetrojan
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

execution
Score
3/10

behavioral12

execution
Score
3/10

behavioral13

execution
Score
3/10

behavioral14

execution
Score
3/10

behavioral15

execution
Score
3/10

behavioral16

execution
Score
3/10

behavioral17

execution
Score
3/10

behavioral18

execution
Score
3/10

behavioral19

execution
Score
3/10

behavioral20

execution
Score
3/10

behavioral21

execution
Score
3/10

behavioral22

execution
Score
3/10

behavioral23

execution
Score
3/10

behavioral24

execution
Score
3/10

behavioral25

execution
Score
3/10

behavioral26

execution
Score
3/10

behavioral27

execution
Score
3/10

behavioral28

execution
Score
3/10

behavioral29

execution
Score
3/10

behavioral30

execution
Score
3/10

behavioral31

execution
Score
3/10

behavioral32

execution
Score
3/10