lokibot | 0fe1101fbf2ad4cb5e1a24aaaf9ccf3b42495cc1af0dbeed41d946e12090ea32

General

Target

7c5469a4c1c1c75d2b25abc58d084a3f_JaffaCakes118.exe
Size

856KB
MD5

7c5469a4c1c1c75d2b25abc58d084a3f
SHA1

f84a814858846b0041fe7746799390eb1758f41e
SHA256

0fe1101fbf2ad4cb5e1a24aaaf9ccf3b42495cc1af0dbeed41d946e12090ea32
SHA512

86a19da8735b1332bb45c49fef3949138840eefccff49822fa1fa2176588381930d121f8de14b660aa11e01dcf762d723d5b7f1bf4e3a4caee9432ee8efc0766
SSDEEP

24576:0k6+c2dm2AzwLFv24cHJHbefui0Cy6fOIcRCl:0bHsQ3HJHyfui0CbfOk

Score

10^/10

lokibot collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://erxst.info/bjoe/herold/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
2640	dfpmwtafx.exe
2484	dfpmwtafx.exe

Loads dropped DLL 6 IoCs

pid	Process
1936	7c5469a4c1c1c75d2b25abc58d084a3f_JaffaCakes118.exe
1936	7c5469a4c1c1c75d2b25abc58d084a3f_JaffaCakes118.exe
1936	7c5469a4c1c1c75d2b25abc58d084a3f_JaffaCakes118.exe
1936	7c5469a4c1c1c75d2b25abc58d084a3f_JaffaCakes118.exe
1936	7c5469a4c1c1c75d2b25abc58d084a3f_JaffaCakes118.exe
2640	dfpmwtafx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dfpmwtafx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dfpmwtafx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dfpmwtafx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfpmwt = "C:\\Users\\Admin\\AppData\\Local\\dfpmwt\\dfpmwtnak.vbs"	dfpmwtafx.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2640 set thread context of 2484	2640	dfpmwtafx.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	dfpmwtafx.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2640	1936	7c5469a4c1c1c75d2b25abc58d084a3f_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2640	1936	7c5469a4c1c1c75d2b25abc58d084a3f_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2640	1936	7c5469a4c1c1c75d2b25abc58d084a3f_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2640	1936	7c5469a4c1c1c75d2b25abc58d084a3f_JaffaCakes118.exe	28
PID 2640 wrote to memory of 2484	2640	dfpmwtafx.exe	29
PID 2640 wrote to memory of 2484	2640	dfpmwtafx.exe	29
PID 2640 wrote to memory of 2484	2640	dfpmwtafx.exe	29
PID 2640 wrote to memory of 2484	2640	dfpmwtafx.exe	29
PID 2640 wrote to memory of 2484	2640	dfpmwtafx.exe	29
PID 2640 wrote to memory of 2484	2640	dfpmwtafx.exe	29
PID 2640 wrote to memory of 2484	2640	dfpmwtafx.exe	29
PID 2640 wrote to memory of 2484	2640	dfpmwtafx.exe	29
PID 2640 wrote to memory of 2484	2640	dfpmwtafx.exe	29
PID 2640 wrote to memory of 2484	2640	dfpmwtafx.exe	29
PID 2640 wrote to memory of 1576	2640	dfpmwtafx.exe	30
PID 2640 wrote to memory of 1576	2640	dfpmwtafx.exe	30
PID 2640 wrote to memory of 1576	2640	dfpmwtafx.exe	30
PID 2640 wrote to memory of 1576	2640	dfpmwtafx.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dfpmwtafx.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dfpmwtafx.exe

C:\Users\Admin\AppData\Local\Temp\7c5469a4c1c1c75d2b25abc58d084a3f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7c5469a4c1c1c75d2b25abc58d084a3f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\dfpmwtafx.exe
  "C:\Users\Admin\AppData\Local\Temp\dfpmwtafx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\dfpmwtafx.exe
    "C:\Users\Admin\AppData\Local\Temp\dfpmwtafx.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2484
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\dfpmwt\dfpmwtMw.vbs"
    3⤵
    PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dfpmwt.bmp

Filesize
551KB

MD5
76971752a16af393810934c9c227a3cc

SHA1
b2484686e98e07514e271c3157f066eef98a4f61

SHA256
e765e2f26284b82767886e703d67e39ffcad85ae74cdc2905340773263d1838c

SHA512
a7aa7501c968f5caf3040124be6b5cd89356cf60b73a2041bb9132baa7ee8a5e65daf51354adffbf7d0ee6665aec610cdf0d3d62e82580eb7422a2c542bcd597

Download Submit
C:\Users\Admin\AppData\Local\dfpmwt\dfpmwtMw.vbs

Filesize
304B

MD5
bc676f349b719de4d38639b0ed71a9db

SHA1
216f17c785dd0cf92d0f41cd75740dc9f77943eb

SHA256
de8749857f8eacdcda4bb78ae915c55cfbbd65620e04cd1132f61a115a9ca41f

SHA512
6e11baf33c0a760b296b23bd9441f8c281121f22ad7fdc258b5b2936a0c332e8718b34d3a9ab8c990540b03b0b423690c30bdc1507133f150eb2fdd8e6a39909

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3691908287-3775019229-3534252667-1000\0f5007522459c86e95ffcc62f32308f1_a42634aa-f501-41cf-bed1-b8158857da02

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3691908287-3775019229-3534252667-1000\0f5007522459c86e95ffcc62f32308f1_a42634aa-f501-41cf-bed1-b8158857da02

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\Users\Admin\AppData\Local\Temp\dfpmwtafx.exe

Filesize
454KB

MD5
63f99a85eb006bf37643b25e326606b8

SHA1
9d17305cc333f014719ff69c6bf8e3ae152ff198

SHA256
762f79ff49ac45bdaea97ff72c84c355c2f236385a5594b6d53f215f89d9a760

SHA512
b851e700422ee65a2f4e1686518ef6d9f0e210c7633dfa3c10b908c0de5755995ec8816f97e9585eeeaf3b302b0204e5acd8c2ae88e5ea1b7e7377894527f24a

Download Submit
memory/2484-48-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2484-36-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2484-38-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2484-42-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2484-49-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2484-30-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2484-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2484-32-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2484-34-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2484-91-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2484-77-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2484-60-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2640-21-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2640-20-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2640-56-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2640-23-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads