lokibot | d6bd09cadd7a09d19d66293a896e2ed1d3d9a05968082061e3a9923fa08bb03f

General

Target

48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe
Size

390KB
MD5

48321b3ae7cef1a9ac6332d20307fbca
SHA1

3c1f8e0ea31b8612b1a63fd7441062c0f7d54651
SHA256

d6bd09cadd7a09d19d66293a896e2ed1d3d9a05968082061e3a9923fa08bb03f
SHA512

dc4bb367be32c3e641019607ad2318978440286af46aa6c35329d81328c6fb1794ede0ee324f91cce93ee74b653b71af557654238a3adb9f506e33d72ad30298
SSDEEP

6144:7Plxh9hrTKx6/QlIU5fNQlYegHrSnSPrbjRbDboVf17fzzH+M:pobhUPnf

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://kersterus.gq/wp-content/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5060 set thread context of 868	5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe
5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe
Token: SeDebugPrivilege	868	vbc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 3876	5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe	83
PID 5060 wrote to memory of 3876	5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe	83
PID 5060 wrote to memory of 3876	5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe	83
PID 3876 wrote to memory of 232	3876	csc.exe	85
PID 3876 wrote to memory of 232	3876	csc.exe	85
PID 3876 wrote to memory of 232	3876	csc.exe	85
PID 5060 wrote to memory of 868	5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe	87
PID 5060 wrote to memory of 868	5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe	87
PID 5060 wrote to memory of 868	5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe	87
PID 5060 wrote to memory of 868	5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe	87
PID 5060 wrote to memory of 868	5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe	87
PID 5060 wrote to memory of 868	5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe	87
PID 5060 wrote to memory of 868	5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe	87
PID 5060 wrote to memory of 868	5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe	87
PID 5060 wrote to memory of 868	5060	48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe	87

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48321b3ae7cef1a9ac6332d20307fbca_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2qyx1pp1\2qyx1pp1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AC7.tmp" "c:\Users\Admin\AppData\Local\Temp\2qyx1pp1\CSC3F931B3217824571A4B2B825A2304CD.TMP"
    3⤵
    PID:232
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2qyx1pp1\2qyx1pp1.dll

Filesize
6KB

MD5
3305b894346750efbf8e59509ad9ad50

SHA1
38ab47b2e391c27466b00a7c299210257b9589b1

SHA256
0f31e723e8cf45231abf42e401f3e9cefe127c4cae765a61e78084640d774c30

SHA512
f41b20c60e2b68bdf8b597254341ee92f37710a2124683e65d39ee4a612389a2894a46c00b954567a4efe80cffb933d6a06e5fbc22beae80d864f4b11127576c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2qyx1pp1\2qyx1pp1.pdb

Filesize
19KB

MD5
f755a61fb2750832e7e9ba67842f58ac

SHA1
250e073544356bd9a043392a4d4033f4bb8fbf22

SHA256
4890267f4be9466bcf5bba5e57d2ca641af3bb1ce4a46ebaf51f640604649880

SHA512
7e9211e5a3d6a01f2d885cd567b3126c10aa73b98f43e01b44224a23bc44c94300117cd270370de6063fbf13691809a3d19855b92906d894c434b8dbca8dfd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3AC7.tmp

Filesize
1KB

MD5
2640f1a2fd208755a893bb00bf573a38

SHA1
3dd101b45b2d4a0e460ae17e6d4595e696083c34

SHA256
cafe388c289e75d2b51eaf6f09df68cfc799be1e191839061205ae56ea40bf57

SHA512
19b6d6fdeeb1e3c8535fb0efe498818f94f3d51012270cbd9d029724cee2d1d5df21025df85691c23f54e403ca23437b946c61ea3209f76fa83b61fef9062f28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3558294865-3673844354-2255444939-1000\0f5007522459c86e95ffcc62f32308f1_39fbc0df-d496-4ae0-b1d7-bde60e245d90

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3558294865-3673844354-2255444939-1000\0f5007522459c86e95ffcc62f32308f1_39fbc0df-d496-4ae0-b1d7-bde60e245d90

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2qyx1pp1\2qyx1pp1.0.cs

Filesize
3KB

MD5
06227c0bb929f7a77c068fc3755b041c

SHA1
f142b32ffa1f828a9dce64141ea8af44f67a1356

SHA256
3a5840a67ce41aecc62d06ed3e85422aca6e0258df6de0d1696a646dcd059d02

SHA512
52fef4583ecd7516a1807531e0c6ab8747343e2ecf38c89b890a72e0523e6f7c9ac6b7b7f340c879c678e31e0c4fd62d6dd188b6d8d613ced36f5aa5ea66d7ca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2qyx1pp1\2qyx1pp1.cmdline

Filesize
312B

MD5
d8e035d45305dffdaa1463e68ecabe16

SHA1
bdb8210e4d8fdaaf3aff3e102a31891fb0ea6da9

SHA256
6e79ab63a956579ede49d7a52eca5e8af8d2d230b2cf08d943ef2b994035402f

SHA512
cdd3e48a52c95ea9db9ff0d169068b1575d08692de4d77b10a4d4007eed288492d2b404b7ef7915d1cb9b5264773d9eabbf3425713e018120ceef1991b814064

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2qyx1pp1\CSC3F931B3217824571A4B2B825A2304CD.TMP

Filesize
1KB

MD5
67ba30de6b9be3e79de619bb619be847

SHA1
69a6247252379cbcaa9741d59ce546e7d2782e09

SHA256
c7fcd7e7bd9d6cb89fc6ca22e6f18f97449a5bd61a76cc792334ec8f6e05c5fd

SHA512
a908fe8fe50fdca5fd68f1d240fe21c755c0c08e976e943c08e211e61ed8c10feb717f06bc7bade65bf03589309eb2ea7d6e4498f9a33f8487b294b5608760ab

Download Submit
memory/868-25-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/868-26-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/868-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/868-28-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5060-0-0x000000007538E000-0x000000007538F000-memory.dmp

Filesize
4KB

Download
memory/5060-22-0x00000000050D0000-0x0000000005172000-memory.dmp

Filesize
648KB

Download
memory/5060-23-0x0000000005680000-0x000000000571C000-memory.dmp

Filesize
624KB

Download
memory/5060-17-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/5060-21-0x0000000004F00000-0x0000000004F0C000-memory.dmp

Filesize
48KB

Download
memory/5060-20-0x00000000050A0000-0x00000000050CA000-memory.dmp

Filesize
168KB

Download
memory/5060-29-0x0000000075380000-0x0000000075B30000-memory.dmp

Filesize
7.7MB

Download
memory/5060-5-0x0000000075380000-0x0000000075B30000-memory.dmp

Filesize
7.7MB

Download
memory/5060-1-0x0000000000540000-0x00000000005A8000-memory.dmp

Filesize
416KB

Download
memory/5060-19-0x0000000004F20000-0x0000000004FB2000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing