lokibot | 5e924002b4bf7fd9e352343108e3f540_JaffaCakes118 | Triage

Sharing

General

Target

5e924002b4bf7fd9e352343108e3f540_JaffaCakes118
Size

50KB
MD5

5e924002b4bf7fd9e352343108e3f540
SHA1

0e189c6d66c63d3a001778d74743209cf93f6342
SHA256

fc8556b22182db7fb639bb208764ec4f49e625a95d6a07562c3614316a4d1f40
SHA512

b1c6b8e297f58c4e231e804b1cfa35795b0136e9281ed482fa0afe6e64422e991b686f22a98ca49564c4a45ff370722f1e38e52c8343c25298635b3be7a50e21
SSDEEP

768:NKCqydsX95Cwip2159aJ8llhqDTVT6KzCuGks8c/Prv1WzB6LtfbnUiPYC236U4P:Ne7tHipEp1uhzdtckBat06UKXF31KG

Score

10^/10

lokibot

Malware Config

Extracted

Family

lokibot

C2

http://omann.ir/swagger/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot family
lokibot

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/1f87ec0c553dfc88312305cd316b469eb645384e

Files

5e924002b4bf7fd9e352343108e3f540_JaffaCakes118
.gz
1f87ec0c553dfc88312305cd316b469eb645384e
.exe windows:5 windows x86 arch:x86

0239fd611af3d0e9b0c46c5837c80e09

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

getaddrinfo
freeaddrinfo
closesocket
WSAStartup
socket
send
recv
connect

kernel32

GetProcessHeap
HeapFree
HeapAlloc
SetLastError
GetLastError

ole32

CoCreateInstance
CoInitialize
CoUninitialize

oleaut32

VariantInit
SysFreeString
SysAllocString

Sections

.text
Size: 78KB - Virtual size: 77KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 535KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.x
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE