lokibot | d3a1e1811321d144c179bc3b00236b7a991bfd8358a93b807c513b3943a7c342

General

Target

77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe
Size

416KB
MD5

77e1ecfacc8c3444831d0866058c2ed1
SHA1

84ae5e8906cf1c3877d5e838e3b82ad92fbd72be
SHA256

d3a1e1811321d144c179bc3b00236b7a991bfd8358a93b807c513b3943a7c342
SHA512

60c5ca25ca170d5bd77fda2dfa8248a2048c1a5b5d635b319257ebe94e9541f16d536a39cfd8b00e659f86c356a397c10c947cba20a63257faeae8b71dababe2
SSDEEP

3072:Y9yn+7IZ/8XWjLIFmL4oHBFXBgQzdGLbGvFcF2o4z/sLaK:e6+sZ/1V4oHfXJzg2c8obb

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://ipqbook.com/emmagroup/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\null.url	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3588 set thread context of 2276	3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe
3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe
Token: SeDebugPrivilege	2276	vbc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 3436	3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	82
PID 3588 wrote to memory of 3436	3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	82
PID 3588 wrote to memory of 3436	3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	82
PID 3436 wrote to memory of 4620	3436	csc.exe	86
PID 3436 wrote to memory of 4620	3436	csc.exe	86
PID 3436 wrote to memory of 4620	3436	csc.exe	86
PID 3588 wrote to memory of 2276	3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	87
PID 3588 wrote to memory of 2276	3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	87
PID 3588 wrote to memory of 2276	3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	87
PID 3588 wrote to memory of 2276	3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	87
PID 3588 wrote to memory of 2276	3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	87
PID 3588 wrote to memory of 2276	3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	87
PID 3588 wrote to memory of 2276	3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	87
PID 3588 wrote to memory of 2276	3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	87
PID 3588 wrote to memory of 2276	3588	77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe	87

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\77e1ecfacc8c3444831d0866058c2ed1_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mf2cxnot\mf2cxnot.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F4B.tmp" "c:\Users\Admin\AppData\Local\Temp\mf2cxnot\CSC2D9031DD85E44B119C83A04EC83A7213.TMP"
    3⤵
    PID:4620
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3F4B.tmp

Filesize
1KB

MD5
d314823fb711b5eb67220cf0841c45a5

SHA1
87a3800902c4cfb704dfe3d1dae0251077429e7d

SHA256
991c17a851d2c999914ae08cd3d6113ea49f0d7c4ddef08dea55fda48447082b

SHA512
e95a9ffb3615ee60bb2e067280862b3933fc972128ca9d365f94b1b9de29cb586ebc372704a15a40adafc8a77d695209edb55ea02f3cfe41d31e49a1215138f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mf2cxnot\mf2cxnot.dll

Filesize
8KB

MD5
6eda2ea967d8c575e04ba0b35190a887

SHA1
a9fe820cb79ccc227ebf3f63367f81fd1d21a8f9

SHA256
e347b1300185b6914559fe26ad7ea2643af388feca2046e269723dbe01860c87

SHA512
d20d1bae31141ec31b78f3929e93345f767e92eca3d6cccf3d3931aee12a1d5d975365cbf1594b65eb882dd5eaccf0d570d8ac9f09e71876e34df37e0b51f224

Download Submit
C:\Users\Admin\AppData\Local\Temp\mf2cxnot\mf2cxnot.pdb

Filesize
27KB

MD5
639ec6a0b4eba1293196c75c5342d6dd

SHA1
d8d4a0b5f2e77ca391c2fc4dfba73c0cfe8acf71

SHA256
3a100f5bf082d185dab89ff3d2b8f6d516392fa4718e2b6a24d7a4868b58c1ec

SHA512
93545bfc61f167c57cdf4ade66d14696cbdb0750f13b4c34b35a4ec5139b08360c670cc594be8ff56671ff68978bb9065390afc90659fc142602e8aba4f2de3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2804150937-2146708401-419095071-1000\0f5007522459c86e95ffcc62f32308f1_5a32ead2-14a8-4b34-b6a3-85cfb28e2fbd

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2804150937-2146708401-419095071-1000\0f5007522459c86e95ffcc62f32308f1_5a32ead2-14a8-4b34-b6a3-85cfb28e2fbd

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mf2cxnot\CSC2D9031DD85E44B119C83A04EC83A7213.TMP

Filesize
1KB

MD5
983ae49f75682d6b86500d88334b9d70

SHA1
2edf71dac79829a77f553a95ffa766b62410ce40

SHA256
4d5040bb072c0618d88bde25d8af230474a276b53ed0e59d57230af9e51542cd

SHA512
863e3a90beaa3dabc3f884a47ddbbf3067ae52777fcd57429616fe03c8de20f4dc41aa7af115be8669c00a4731dfe2ef68ffe544001221c0082b6aa64070ac51

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mf2cxnot\mf2cxnot.0.cs

Filesize
17KB

MD5
4445deffd905352c96151d14a9f16bcf

SHA1
299fc32f6415043a446ce5226fce076f15ef658e

SHA256
b759404b932f3ba76d927d86d687a7308b0400a203288286a8dfba261310f3c7

SHA512
bdc955d422dc836680ea2bbf966c80a1b154cf35fc2e1f9f1594eb124dddd82a93aadec1fe633edb8cc3339c149cb41b9c6478e945833ba40aaaebb15c20665a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mf2cxnot\mf2cxnot.cmdline

Filesize
312B

MD5
50b586293cc25869f97ada49de133eff

SHA1
8c8e30151a48e7cb78830dbd86d81071359ef627

SHA256
521d1e25e5ce176186470a129331aafff982b6561ee90feaad62d1a206bae3db

SHA512
a5ac1bcc83419772055ceaf6e547397eca7ebf0b1d6a77628c40cd20e48e36fa3de0ccbd5a3e42e379416da6a931004d6574637900b54afaeeedef6f34e15500

Download Submit
memory/2276-28-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2276-76-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2276-30-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2276-32-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3588-25-0x0000000004B90000-0x0000000004C32000-memory.dmp

Filesize
648KB

Download
memory/3588-22-0x0000000004B70000-0x0000000004B7C000-memory.dmp

Filesize
48KB

Download
memory/3588-0-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/3588-26-0x0000000005180000-0x000000000521C000-memory.dmp

Filesize
624KB

Download
memory/3588-21-0x0000000004B40000-0x0000000004B6A000-memory.dmp

Filesize
168KB

Download
memory/3588-31-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/3588-19-0x0000000004AA0000-0x0000000004AA8000-memory.dmp

Filesize
32KB

Download
memory/3588-3-0x0000000002550000-0x0000000002558000-memory.dmp

Filesize
32KB

Download
memory/3588-2-0x00000000049B0000-0x0000000004A42000-memory.dmp

Filesize
584KB

Download
memory/3588-1-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/3588-4-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing