lokibot | cc1b599b0b07ac5d514a67d18193db0e8644375026fd2f73d5c173586a7be724

General

Target

82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe
Size

369KB
MD5

82aa9e8a427a68b553c11638d5913936
SHA1

72f06ec1d34a390572c1103f59221a2705b5dd81
SHA256

cc1b599b0b07ac5d514a67d18193db0e8644375026fd2f73d5c173586a7be724
SHA512

2481e1a07af7fff4f3660b5e4b74255a272347c976852c5d2bc0e3321d941a65d312a5431265632714136c32ce62368765c295d5c6cadad129d5574038098de9
SSDEEP

6144:fl4X2seg8dDGkALc04T6o4/qN6FoINK6UZeTP5/0NVIMhgei2Ct:fSXSDucd42OtygP50VIMhgei2C

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://89.34.237.212/annonymous/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.l9ZwnHQMyfPBOfEt.lnk	76e5wde677gij7dr8i.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe	745y6et5ge44u.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe	745y6et5ge44u.exe

Executes dropped EXE 2 IoCs

pid	Process
1900	76e5wde677gij7dr8i.exe
2044	76e5wde677gij7dr8i.exe

Loads dropped DLL 1 IoCs

pid	Process
1900	76e5wde677gij7dr8i.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 2044	1900	76e5wde677gij7dr8i.exe	32

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	745y6et5ge44u.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	745y6et5ge44u.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	76e5wde677gij7dr8i.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	76e5wde677gij7dr8i.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2820	745y6et5ge44u.exe
1900	76e5wde677gij7dr8i.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2924	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe
Token: SeDebugPrivilege	2820	745y6et5ge44u.exe
Token: SeDebugPrivilege	1900	76e5wde677gij7dr8i.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2820	2924	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe	28
PID 2924 wrote to memory of 2820	2924	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe	28
PID 2924 wrote to memory of 2820	2924	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe	28
PID 2924 wrote to memory of 2820	2924	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe	28
PID 2820 wrote to memory of 2416	2820	745y6et5ge44u.exe	29
PID 2820 wrote to memory of 2416	2820	745y6et5ge44u.exe	29
PID 2820 wrote to memory of 2416	2820	745y6et5ge44u.exe	29
PID 2820 wrote to memory of 2416	2820	745y6et5ge44u.exe	29
PID 2376 wrote to memory of 1900	2376	explorer.exe	31
PID 2376 wrote to memory of 1900	2376	explorer.exe	31
PID 2376 wrote to memory of 1900	2376	explorer.exe	31
PID 2376 wrote to memory of 1900	2376	explorer.exe	31
PID 1900 wrote to memory of 2044	1900	76e5wde677gij7dr8i.exe	32
PID 1900 wrote to memory of 2044	1900	76e5wde677gij7dr8i.exe	32
PID 1900 wrote to memory of 2044	1900	76e5wde677gij7dr8i.exe	32
PID 1900 wrote to memory of 2044	1900	76e5wde677gij7dr8i.exe	32
PID 1900 wrote to memory of 2044	1900	76e5wde677gij7dr8i.exe	32
PID 1900 wrote to memory of 2044	1900	76e5wde677gij7dr8i.exe	32
PID 1900 wrote to memory of 2044	1900	76e5wde677gij7dr8i.exe	32
PID 1900 wrote to memory of 2044	1900	76e5wde677gij7dr8i.exe	32
PID 1900 wrote to memory of 2044	1900	76e5wde677gij7dr8i.exe	32
PID 1900 wrote to memory of 2044	1900	76e5wde677gij7dr8i.exe	32

C:\Users\Admin\AppData\Local\Temp\82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\745y6et5ge44u.exe
  "C:\Users\Admin\AppData\Local\Temp\745y6et5ge44u.exe"
  2⤵
  - Drops startup file
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe
    3⤵
    PID:2416

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe"
    3⤵
    - Executes dropped EXE
    PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe

Filesize
369KB

MD5
82aa9e8a427a68b553c11638d5913936

SHA1
72f06ec1d34a390572c1103f59221a2705b5dd81

SHA256
cc1b599b0b07ac5d514a67d18193db0e8644375026fd2f73d5c173586a7be724

SHA512
2481e1a07af7fff4f3660b5e4b74255a272347c976852c5d2bc0e3321d941a65d312a5431265632714136c32ce62368765c295d5c6cadad129d5574038098de9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new

Filesize
872B

MD5
8abec608f7a5322b69bec3c0f55c6756

SHA1
8304aa6938c876026414377b878e69d00016e0fe

SHA256
fb5677ec5190c40603e6b373d10b5d0779d8c88b6583f13167b19b00f72ad0db

SHA512
9bbab384c7d5e2341a3a115575c8ada6a4992e197e0d8fc25794c090cd79f33ef024c8adef73568f5978408493618eaa565ea34dfd2880600a18492d052f3390

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new

Filesize
412B

MD5
02245097e104c1150c51103016a8f790

SHA1
1308e418c0c608c2dc9aa97b247f7f78655ed080

SHA256
c391d8ad8e873938bbd4e58f471b7f75dbbead8f521ccabc1f9c884bf2d777e3

SHA512
13efb14a9b8b952131a7c5a9e40be7eecc350aca018b4bc50ec0e5dffd075a968cc6d9d5740280b1bb027efe80212a6ebd5b376c3026be8132cce30dbba7095a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
478B

MD5
abec014e9a3d73a0cb0e75b2be23b46d

SHA1
c66def81c618918c3526f602cfd98ebd89a2eb31

SHA256
5b9f5e55017176a5066e6472b8161c61bbb6ae06f0db8c3b5736e66b02c637d4

SHA512
f1b9d8a1b5bea929b7e43e4fd2a781d2e6b00ae6e19de32e5700b3fa5db35ca3e21861a7b6e2f95c50258783ec7fee49a040242a4f70a559f577144565070752

Download Submit
memory/2044-33-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2820-7-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-11-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-12-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-6-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-22-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-0-0x0000000074171000-0x0000000074172000-memory.dmp

Filesize
4KB

Download
memory/2924-10-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-3-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-2-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-1-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing