General

  • Target

    75235aba5043e178ecab25e73f783678_JaffaCakes118

  • Size

    1.6MB

  • Sample

    240526-l68y9sef7t

  • MD5

    75235aba5043e178ecab25e73f783678

  • SHA1

    6ac406887d63583e4f8bf0b5174d001948cebf75

  • SHA256

    0ef10dbdd0a9809fd4079bcb2419406b53a9e60e1ecb38d48fa8a6b9eb461019

  • SHA512

    b5c49536c00824268950e12c17ce2d0976ac593bddf2f994e9513d565b2725a1f0d672f9cac41e33649d1cba0e89b65c0ac5449bbcdc3f659c3d643afe0d7724

  • SSDEEP

    24576:tlWn8RZz/gMbER1dGT3OcQc+foeHi7YmJXFsoPvWZ:t/RZDgqER1dGT3OcQc+foeHE5Fso3W

Malware Config

Extracted

Family

lokibot

C2

http://51.89.163.167/200/zc-b/cat.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      75235aba5043e178ecab25e73f783678_JaffaCakes118

    • Size

      1.6MB

    • MD5

      75235aba5043e178ecab25e73f783678

    • SHA1

      6ac406887d63583e4f8bf0b5174d001948cebf75

    • SHA256

      0ef10dbdd0a9809fd4079bcb2419406b53a9e60e1ecb38d48fa8a6b9eb461019

    • SHA512

      b5c49536c00824268950e12c17ce2d0976ac593bddf2f994e9513d565b2725a1f0d672f9cac41e33649d1cba0e89b65c0ac5449bbcdc3f659c3d643afe0d7724

    • SSDEEP

      24576:tlWn8RZz/gMbER1dGT3OcQc+foeHi7YmJXFsoPvWZ:t/RZDgqER1dGT3OcQc+foeHE5Fso3W

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks