lokibot | d3a1e1811321d144c179bc3b00236b7a991bfd8358a93b807c513b3943a7c342

General

Target

77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe
Size

416KB
MD5

77e1ecfacc8c3444831d0866058c2ed1
SHA1

84ae5e8906cf1c3877d5e838e3b82ad92fbd72be
SHA256

d3a1e1811321d144c179bc3b00236b7a991bfd8358a93b807c513b3943a7c342
SHA512

60c5ca25ca170d5bd77fda2dfa8248a2048c1a5b5d635b319257ebe94e9541f16d536a39cfd8b00e659f86c356a397c10c947cba20a63257faeae8b71dababe2
SSDEEP

3072:Y9yn+7IZ/8XWjLIFmL4oHBFXBgQzdGLbGvFcF2o4z/sLaK:e6+sZ/1V4oHfXJzg2c8obb

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://ipqbook.com/emmagroup/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Drops startup file 1 IoCs

Processes:

77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\null.url	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe

description pid process target process

PID 2292 set thread context of 2928 2292 77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe

pid process

2292 77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe
2292 77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exevbc.exe

description pid process

Token: SeDebugPrivilege 2292 77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe
Token: SeDebugPrivilege 2928 vbc.exe

description	pid	process	target process
PID 2292 set thread context of 2928	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	vbc.exe

pid	process
2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe
2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe
Token: SeDebugPrivilege	2928	vbc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 2292 wrote to memory of 2204	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	csc.exe
PID 2292 wrote to memory of 2204	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	csc.exe
PID 2292 wrote to memory of 2204	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	csc.exe
PID 2292 wrote to memory of 2204	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	csc.exe
PID 2204 wrote to memory of 2884	2204	csc.exe	cvtres.exe
PID 2204 wrote to memory of 2884	2204	csc.exe	cvtres.exe
PID 2204 wrote to memory of 2884	2204	csc.exe	cvtres.exe
PID 2204 wrote to memory of 2884	2204	csc.exe	cvtres.exe
PID 2292 wrote to memory of 2928	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	vbc.exe
PID 2292 wrote to memory of 2928	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	vbc.exe
PID 2292 wrote to memory of 2928	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	vbc.exe
PID 2292 wrote to memory of 2928	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	vbc.exe
PID 2292 wrote to memory of 2928	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	vbc.exe
PID 2292 wrote to memory of 2928	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	vbc.exe
PID 2292 wrote to memory of 2928	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	vbc.exe
PID 2292 wrote to memory of 2928	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	vbc.exe
PID 2292 wrote to memory of 2928	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	vbc.exe
PID 2292 wrote to memory of 2928	2292	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v1crzcwq\v1crzcwq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFBF.tmp" "c:\Users\Admin\AppData\Local\Temp\v1crzcwq\CSC9E35870D638040D78E4EEFD2EC6B7193.TMP"
    3⤵
    PID:2884
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAFBF.tmp

Filesize
1KB

MD5
1e5af656d1726fbd9e55b4190b7151fe

SHA1
bac4c505fae5927bfe73c2851f9349bd7ddf6e79

SHA256
35f0bf5928a16134f4fdba15d7ca9afc394dcd2b883a3f706a81328af0a403d4

SHA512
5e666e4a611e3be3f77553571893c0817dbb5180e0b96d956a3f34c2d564bdf939ea9714646247e74dba21290151ccafef6a84486e7f24df883a1bac5d7e0756

Download Submit
C:\Users\Admin\AppData\Local\Temp\v1crzcwq\v1crzcwq.dll

Filesize
8KB

MD5
a9c381ab71f6cfa7eb40e90907c02dd6

SHA1
8538ae6901f339e041d144c7b9f4ed7a34338a10

SHA256
8838cdefccfc63e38ed442455e5b6797901984b6957f60f04eb645dbea502dda

SHA512
bb35a9222fd865a11d7abe2127993d53a0a704574e68a654a439c9431b63ba6e4d4a18cd923dacdc8be9dcee8689c1b0466a9bb2b0f6e6c5b759a107371a0c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\v1crzcwq\v1crzcwq.pdb

Filesize
27KB

MD5
7686be7dcb820fe874a6648466dd8765

SHA1
78fc3132b9992dddea3a755aead73eb885d3cdf0

SHA256
13189f5b762a3136e7a807ddd28644f7826d3d2636ee21c7a2c199c92eb33006

SHA512
32ca6ee05503dba25dac27121c77cef1a9396cd618f6c0abe29a56d435efdf001d22b476c736af529e4cefe46923bd794978adf84edd3b61df28c9849941eb60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v1crzcwq\CSC9E35870D638040D78E4EEFD2EC6B7193.TMP

Filesize
1KB

MD5
9b28473f5fa0eaee80322b43b59fdd51

SHA1
e33a272947a1d6da110dc419658b802c6cafa5bc

SHA256
0b64de30a021f6cf337a44ee817e747e5937f5ca522adb049e8c3de6ecb89375

SHA512
61b1eb414b02be5f0e6c7934fece0d4c3f3918ff79a52f8610d5849657cd6e5ff5dc74ecb1a5954d3986e3b48571e556a9b50100d0dbd5b01f4b947f0f393ae1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v1crzcwq\v1crzcwq.0.cs

Filesize
17KB

MD5
4445deffd905352c96151d14a9f16bcf

SHA1
299fc32f6415043a446ce5226fce076f15ef658e

SHA256
b759404b932f3ba76d927d86d687a7308b0400a203288286a8dfba261310f3c7

SHA512
bdc955d422dc836680ea2bbf966c80a1b154cf35fc2e1f9f1594eb124dddd82a93aadec1fe633edb8cc3339c149cb41b9c6478e945833ba40aaaebb15c20665a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v1crzcwq\v1crzcwq.cmdline

Filesize
312B

MD5
8e409d9376a5968c65ca28e9ec3c8416

SHA1
292834ae8781b473aed29eba71a4e264028b69af

SHA256
b8095a9814da61a92722ad2ec27812a2afe44246e2083ecb10cb8b9faa1e799e

SHA512
92188ef62ebd4a873672b283bf23f58863ccef1a6765d867e5e878f1a64d0c1803ae2ddf2692accae007a0ae29c3e821aee359367af084c729f9acbccdd9510e

Download Submit
memory/2292-21-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/2292-3-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2292-18-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/2292-20-0x0000000000AC0000-0x0000000000AEA000-memory.dmp

Filesize
168KB

Download
memory/2292-0-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

Filesize
4KB

Download
memory/2292-24-0x0000000000A30000-0x0000000000AD2000-memory.dmp

Filesize
648KB

Download
memory/2292-1-0x00000000012A0000-0x00000000012DC000-memory.dmp

Filesize
240KB

Download
memory/2292-2-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/2292-36-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2928-32-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2928-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2928-28-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2928-34-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2928-25-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2928-35-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2928-29-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2928-27-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2928-26-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2928-74-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads