General

  • Target

    66ba1cf701941ec97285cf498ab67b9b_JaffaCakes118

  • Size

    564KB

  • Sample

    240522-kys3eaab9y

  • MD5

    66ba1cf701941ec97285cf498ab67b9b

  • SHA1

    4be68c2581e02e36b0511792d8f564d8401ef5e7

  • SHA256

    faa03d8c2d40970ea9355723cd5bc393b8223ca964b2cb79a9e8c104e4c2d8c6

  • SHA512

    81f578c9b83db8cddd378fe26f20821e57d4f7a08d8eb9d7d1ee0356293c6a1c65ed76b1fd36598b61233ffe19791a9ae32b3d7021d4b73840111df7301de300

  • SSDEEP

    6144:Xrcg1wmtpg5gyjAzY+1HXsK7wCCZPj2zDIY63Q62:bcZKz3FeVt3Q6

Malware Config

Extracted

Family

lokibot

C2

http://infres.in/okoye/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution: Scripting (1 technique, T1064)

  • Defense Evasion: Scripting (1 technique, T1064)

  • Collection: Email Collection (1 technique, T1114)