lokibot | cc1b599b0b07ac5d514a67d18193db0e8644375026fd2f73d5c173586a7be724

General

Target

82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe
Size

369KB
MD5

82aa9e8a427a68b553c11638d5913936
SHA1

72f06ec1d34a390572c1103f59221a2705b5dd81
SHA256

cc1b599b0b07ac5d514a67d18193db0e8644375026fd2f73d5c173586a7be724
SHA512

2481e1a07af7fff4f3660b5e4b74255a272347c976852c5d2bc0e3321d941a65d312a5431265632714136c32ce62368765c295d5c6cadad129d5574038098de9
SSDEEP

6144:fl4X2seg8dDGkALc04T6o4/qN6FoINK6UZeTP5/0NVIMhgei2Ct:fSXSDucd42OtygP50VIMhgei2C

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://89.34.237.212/annonymous/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe745y6et5ge44u.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	745y6et5ge44u.exe

Drops startup file 3 IoCs

Processes:

745y6et5ge44u.exe76e5wde677gij7dr8i.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe	745y6et5ge44u.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.IVorNG9g8kJELmX3.lnk	76e5wde677gij7dr8i.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe	745y6et5ge44u.exe

Executes dropped EXE 2 IoCs

Processes:

76e5wde677gij7dr8i.exe76e5wde677gij7dr8i.exe

pid process

728 76e5wde677gij7dr8i.exe
1988 76e5wde677gij7dr8i.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
728	76e5wde677gij7dr8i.exe
1988	76e5wde677gij7dr8i.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

76e5wde677gij7dr8i.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	76e5wde677gij7dr8i.exe
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	76e5wde677gij7dr8i.exe
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	76e5wde677gij7dr8i.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

76e5wde677gij7dr8i.exe

description pid process target process

PID 728 set thread context of 1988 728 76e5wde677gij7dr8i.exe 76e5wde677gij7dr8i.exe

description	pid	process	target process
PID 728 set thread context of 1988	728	76e5wde677gij7dr8i.exe	76e5wde677gij7dr8i.exe

Drops file in Windows directory 6 IoCs

Processes:

745y6et5ge44u.exe76e5wde677gij7dr8i.exe82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	745y6et5ge44u.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	745y6et5ge44u.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	76e5wde677gij7dr8i.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	76e5wde677gij7dr8i.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

745y6et5ge44u.exe76e5wde677gij7dr8i.exe

pid process

5036 745y6et5ge44u.exe
728 76e5wde677gij7dr8i.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe

pid process

1184 82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe

pid	process
5036	745y6et5ge44u.exe
728	76e5wde677gij7dr8i.exe

pid	process
1184	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe745y6et5ge44u.exe76e5wde677gij7dr8i.exe76e5wde677gij7dr8i.exe

description	pid	process
Token: SeDebugPrivilege	1184	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe
Token: SeDebugPrivilege	5036	745y6et5ge44u.exe
Token: SeDebugPrivilege	728	76e5wde677gij7dr8i.exe
Token: SeDebugPrivilege	1988	76e5wde677gij7dr8i.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe745y6et5ge44u.exeexplorer.exe76e5wde677gij7dr8i.exe

description	pid	process	target process
PID 1184 wrote to memory of 5036	1184	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe	745y6et5ge44u.exe
PID 1184 wrote to memory of 5036	1184	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe	745y6et5ge44u.exe
PID 1184 wrote to memory of 5036	1184	82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe	745y6et5ge44u.exe
PID 5036 wrote to memory of 980	5036	745y6et5ge44u.exe	explorer.exe
PID 5036 wrote to memory of 980	5036	745y6et5ge44u.exe	explorer.exe
PID 5036 wrote to memory of 980	5036	745y6et5ge44u.exe	explorer.exe
PID 2392 wrote to memory of 728	2392	explorer.exe	76e5wde677gij7dr8i.exe
PID 2392 wrote to memory of 728	2392	explorer.exe	76e5wde677gij7dr8i.exe
PID 2392 wrote to memory of 728	2392	explorer.exe	76e5wde677gij7dr8i.exe
PID 728 wrote to memory of 1988	728	76e5wde677gij7dr8i.exe	76e5wde677gij7dr8i.exe
PID 728 wrote to memory of 1988	728	76e5wde677gij7dr8i.exe	76e5wde677gij7dr8i.exe
PID 728 wrote to memory of 1988	728	76e5wde677gij7dr8i.exe	76e5wde677gij7dr8i.exe
PID 728 wrote to memory of 1988	728	76e5wde677gij7dr8i.exe	76e5wde677gij7dr8i.exe
PID 728 wrote to memory of 1988	728	76e5wde677gij7dr8i.exe	76e5wde677gij7dr8i.exe
PID 728 wrote to memory of 1988	728	76e5wde677gij7dr8i.exe	76e5wde677gij7dr8i.exe
PID 728 wrote to memory of 1988	728	76e5wde677gij7dr8i.exe	76e5wde677gij7dr8i.exe
PID 728 wrote to memory of 1988	728	76e5wde677gij7dr8i.exe	76e5wde677gij7dr8i.exe
PID 728 wrote to memory of 1988	728	76e5wde677gij7dr8i.exe	76e5wde677gij7dr8i.exe

outlook_office_path 1 IoCs

Processes:

76e5wde677gij7dr8i.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	76e5wde677gij7dr8i.exe

outlook_win_path 1 IoCs

Processes:

76e5wde677gij7dr8i.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	76e5wde677gij7dr8i.exe

C:\Users\Admin\AppData\Local\Temp\82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\745y6et5ge44u.exe
"C:\Users\Admin\AppData\Local\Temp\745y6et5ge44u.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe
3⤵
PID:980

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3571316656-3665257725-2415531812-1000\0f5007522459c86e95ffcc62f32308f1_a47c70d8-7adc-4ad7-994f-644a8c84c176

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3571316656-3665257725-2415531812-1000\0f5007522459c86e95ffcc62f32308f1_a47c70d8-7adc-4ad7-994f-644a8c84c176

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe

Filesize
369KB

MD5
82aa9e8a427a68b553c11638d5913936

SHA1
72f06ec1d34a390572c1103f59221a2705b5dd81

SHA256
cc1b599b0b07ac5d514a67d18193db0e8644375026fd2f73d5c173586a7be724

SHA512
2481e1a07af7fff4f3660b5e4b74255a272347c976852c5d2bc0e3321d941a65d312a5431265632714136c32ce62368765c295d5c6cadad129d5574038098de9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

Filesize
412B

MD5
d4c76fea00f592dccb2151c47d84737e

SHA1
a060712e8af050137fb590a1c719bf0e2172e2b5

SHA256
72fe054aa9311aa3c3f11378976020e9a0d820b37325e497392319fbdd6a9891

SHA512
7636853c8de940a37bb03842478344c9e3937d14809da4270784581ec74371d5e728ef4d094e91f5482897933a59899dfa89c04ce387dbff8dd586ce1c22ad62

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
842B

MD5
3a943f963896afc590980b5d20c345d4

SHA1
34615e0a7ba24820cd35e097fbc37aea61b3317f

SHA256
1884b7fb244afd1ada33bc01332264d33ad6cf133bf4e7bc4f44cd42cbf66fcd

SHA512
3ea8313ff897b60e880b3c719bae7c8d0ea3932b3459380190a90ebb80303423428c02cc7039b81ffc332fe0a340f6607c82eaec616a8815428aba40b51e6850

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
478B

MD5
be95540bf1c781a3e618b762129b3ed0

SHA1
8d3a832b558d050b5f320c1a7f2432481c486686

SHA256
fde2f75e0f1cb4dfbaee68dee5e87d15988221bd41623f3cfced7f4c07b5de74

SHA512
532667247a75b43c4260e43d2dd23e83ec8df336ea4774207aa614f92340d47ded39c61ff1c1ea8117ebe2a4479070dac095ec6e6431936dcc19b34f4fb9aed0

Download Submit
memory/1184-0-0x0000000075582000-0x0000000075583000-memory.dmp

Filesize
4KB

Download
memory/1184-1-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/1184-13-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/1184-2-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/1184-3-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/1988-33-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1988-31-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1988-59-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5036-8-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/5036-24-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/5036-11-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/5036-14-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/5036-12-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads