Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 18:58
Static task: static1
Behavioral task: behavioral1
  Sample: 8b70f3d86655835f7049ab38c44d7c51_JaffaCakes118.msi
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 8b70f3d86655835f7049ab38c44d7c51_JaffaCakes118.msi
  Resource: win10v2004-20240426-en
General
Target: 8b70f3d86655835f7049ab38c44d7c51_JaffaCakes118.msi
Size: 964KB
MD5: 8b70f3d86655835f7049ab38c44d7c51
SHA1: 936eb774499e15ff5fdc8dbb5ed0be0daf32e8a2
SHA256: ad817bd5a7508402452d84a552cfb44361889fe0e57bcbe41015f88c639bb78f
SHA512: 8810071bb87c7c3e5945011331a8707e1b3d4abde42f6fbf881323ed796de52a324dc29a1af500497dfa8868195aba912fa910c4ada2e06c57abb7b0fa237d3a
SSDEEP: 12288:fE/McR5BLmwCKODs/KcrE693vojvq46MjAfituvhE6+9e3jG+PkPgFPdWTxDwFnI:fE0c3BCTK059693vorbnAiuqr2
Malware Config
Extracted family: lokibot
C2 URLs:
- http://parkerhdd.com/wp-admin/network/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
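The extracted configuration above is only useful if it is turned into something a SOC can match against. The following is an added example, not part of the report or of any sandbox tooling: it splits the five C2 URLs into host and path indicators and runs them over a few constructed proxy log lines. The "timestamp client dst_host path" log layout is an assumption made for the demo; the tiered verdicts (exact URL, host only, panel path on an unknown host) are my own design. Note that all five extracted URLs end in /fre.php, which is why a bare path match is kept as a weaker, review-only signal.

```python
"""Turn the extracted LokiBot C2 list into indicators and scan a proxy log.

Added example, not part of the original report. The C2 URLs are the ones
extracted on the page; the log lines are constructed for the demo.
"""
from urllib.parse import urlsplit

C2_URLS = [
    "http://parkerhdd.com/wp-admin/network/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def build_indicators(urls):
    """Split each C2 URL into a host indicator and a path indicator.

    Hosts are matched exactly. Paths are kept separately so that a request to
    a host we have never seen, but using the same panel path, can still be
    surfaced for review.
    """
    hosts, paths = set(), set()
    for url in urls:
        parts = urlsplit(url)
        hosts.add(parts.hostname.lower())
        paths.add(parts.path)
    return hosts, paths


def classify_request(host, path, hosts, paths):
    """Return a verdict string for one request, or None if it is clean."""
    host = host.lower()
    if host in hosts and path in paths:
        return "c2-exact"          # known host and known panel path
    if host in hosts:
        return "c2-host"           # known host, any path (e.g. a check-in to /)
    # Every URL in the extracted config ends in /fre.php; a hit on an unknown
    # host is a weak signal only and must be reviewed, not auto-blocked.
    if path in paths or path.endswith("/fre.php"):
        return "suspect-path"
    return None


# Constructed proxy log, assumed layout: "<timestamp> <client_ip> <dst_host> <path>"
SAMPLE_LOG = """\
2024-06-01T18:59:01Z 10.0.0.15 parkerhdd.com /wp-admin/network/five/fre.php
2024-06-01T18:59:02Z 10.0.0.15 alphastand.top /alien/fre.php
2024-06-01T18:59:05Z 10.0.0.22 example.com /index.html
2024-06-01T18:59:09Z 10.0.0.15 alphastand.win /
2024-06-01T18:59:11Z 10.0.0.31 newhost.example /panel/fre.php
"""


def scan_log(text, urls=C2_URLS):
    """Return (client_ip, dst_host, verdict) for every line that matches."""
    hosts, paths = build_indicators(urls)
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                       # skip malformed lines rather than crash
        _ts, client, host, path = fields
        verdict = classify_request(host, path, hosts, paths)
        if verdict:
            hits.append((client, host, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The client 10.0.0.15 shows up three times, twice against exact C2 URLs and once against a known host with a different path, which is the pattern to pivot on; the /panel/fre.php hit on an unknown host is reported separately so it does not get the same response as a confirmed C2 contact.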
Signatures

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2796 set thread context of 2916 | 2796 | MSI2696.tmp | 33
Drops file in Windows directory (10 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\f7624c0.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\f7624c0.msi | msiexec.exe
File created | C:\Windows\Installer\f7624c3.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2607.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2696.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f7624c3.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
Executes dropped EXE (2 IoCs)
pid | Process
2796 | MSI2696.tmp
2916 | MSI2696.tmp

Loads dropped DLL (1 IoC)
pid | Process
2796 | MSI2696.tmp
Modifies data under HKEY_USERS (43 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2580 | msiexec.exe
2580 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (62 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3032 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3032 | msiexec.exe
Token: SeRestorePrivilege | 2580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2580 | msiexec.exe
Token: SeSecurityPrivilege | 2580 | msiexec.exe
Token: SeCreateTokenPrivilege | 3032 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3032 | msiexec.exe
Token: SeLockMemoryPrivilege | 3032 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3032 | msiexec.exe
Token: SeMachineAccountPrivilege | 3032 | msiexec.exe
Token: SeTcbPrivilege | 3032 | msiexec.exe
Token: SeSecurityPrivilege | 3032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3032 | msiexec.exe
Token: SeLoadDriverPrivilege | 3032 | msiexec.exe
Token: SeSystemProfilePrivilege | 3032 | msiexec.exe
Token: SeSystemtimePrivilege | 3032 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3032 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3032 | msiexec.exe
Token: SeCreatePagefilePrivilege | 3032 | msiexec.exe
Token: SeCreatePermanentPrivilege | 3032 | msiexec.exe
Token: SeBackupPrivilege | 3032 | msiexec.exe
Token: SeRestorePrivilege | 3032 | msiexec.exe
Token: SeShutdownPrivilege | 3032 | msiexec.exe
Token: SeDebugPrivilege | 3032 | msiexec.exe
Token: SeAuditPrivilege | 3032 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 3032 | msiexec.exe
Token: SeChangeNotifyPrivilege | 3032 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 3032 | msiexec.exe
Token: SeUndockPrivilege | 3032 | msiexec.exe
Token: SeSyncAgentPrivilege | 3032 | msiexec.exe
Token: SeEnableDelegationPrivilege | 3032 | msiexec.exe
Token: SeManageVolumePrivilege | 3032 | msiexec.exe
Token: SeImpersonatePrivilege | 3032 | msiexec.exe
Token: SeCreateGlobalPrivilege | 3032 | msiexec.exe
Token: SeBackupPrivilege | 2724 | vssvc.exe
Token: SeRestorePrivilege | 2724 | vssvc.exe
Token: SeAuditPrivilege | 2724 | vssvc.exe
Token: SeBackupPrivilege | 2580 | msiexec.exe
Token: SeRestorePrivilege | 2580 | msiexec.exe
Token: SeRestorePrivilege | 2508 | DrvInst.exe
Token: SeRestorePrivilege | 2508 | DrvInst.exe
Token: SeRestorePrivilege | 2508 | DrvInst.exe
Token: SeRestorePrivilege | 2508 | DrvInst.exe
Token: SeRestorePrivilege | 2508 | DrvInst.exe
Token: SeRestorePrivilege | 2508 | DrvInst.exe
Token: SeRestorePrivilege | 2508 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2508 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2508 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2508 | DrvInst.exe
Token: SeRestorePrivilege | 2580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2580 | msiexec.exe
Token: SeRestorePrivilege | 2580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2580 | msiexec.exe
Token: SeRestorePrivilege | 2580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2580 | msiexec.exe
Token: SeRestorePrivilege | 2580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2580 | msiexec.exe
Token: SeDebugPrivilege | 2796 | MSI2696.tmp
Token: SeRestorePrivilege | 2580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2580 | msiexec.exe
Token: SeRestorePrivilege | 2580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2580 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
3032 | msiexec.exe
3032 | msiexec.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 2580 wrote to memory of 2796 | 2580 | msiexec.exe | 32
PID 2580 wrote to memory of 2796 | 2580 | msiexec.exe | 32
PID 2580 wrote to memory of 2796 | 2580 | msiexec.exe | 32
PID 2580 wrote to memory of 2796 | 2580 | msiexec.exe | 32
PID 2796 wrote to memory of 2916 | 2796 | MSI2696.tmp | 33
PID 2796 wrote to memory of 2916 | 2796 | MSI2696.tmp | 33
PID 2796 wrote to memory of 2916 | 2796 | MSI2696.tmp | 33
PID 2796 wrote to memory of 2916 | 2796 | MSI2696.tmp | 33
PID 2796 wrote to memory of 2916 | 2796 | MSI2696.tmp | 33
PID 2796 wrote to memory of 2916 | 2796 | MSI2696.tmp | 33
PID 2796 wrote to memory of 2916 | 2796 | MSI2696.tmp | 33
PID 2796 wrote to memory of 2916 | 2796 | MSI2696.tmp | 33
PID 2796 wrote to memory of 2916 | 2796 | MSI2696.tmp | 33
PID 2796 wrote to memory of 2916 | 2796 | MSI2696.tmp | 33
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
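The WriteProcessMemory and SetThreadContext signatures above are the interesting part of this run: the dropped MSI2696.tmp (PID 2796) spawns a second copy of itself (PID 2916), writes into it, and then resets its thread context, which is the write-then-SetThreadContext sequence of process hollowing. The parent msiexec.exe (2580) also writes into 2796, but only writes, which is what process creation itself produces. The script below is an added example, not part of the report or of the sandbox's own code: it parses the signature rows in the text form shown on this page, reconstructs which source/target pairs show both behaviours, and marks whether the pair is a self-spawn. The row regex and the PID-to-image map are mine; the rows and PIDs are copied from the report.

```python
"""Reconstruct the injection chain from sandbox signature rows.

Added example, not part of the original report. The rows below are copied
from the WriteProcessMemory and SetThreadContext signatures on the page; the
parser and the hollowing heuristic are my own.
"""
import re
from collections import defaultdict

# Rows copied from the report in the form "PID <src> <action> <dst> <src> <image> <procid_target>".
IOC_ROWS = [
    "PID 2580 wrote to memory of 2796 2580 msiexec.exe 32",
    "PID 2580 wrote to memory of 2796 2580 msiexec.exe 32",
    "PID 2796 wrote to memory of 2916 2796 MSI2696.tmp 33",
    "PID 2796 wrote to memory of 2916 2796 MSI2696.tmp 33",
    "PID 2796 set thread context of 2916 2796 MSI2696.tmp 33",
]

# Image paths by PID, taken from the Processes section of the report.
PROCESS_IMAGES = {
    3032: r"C:\Windows\system32\msiexec.exe",
    2580: r"C:\Windows\system32\msiexec.exe",
    2796: r"C:\Windows\Installer\MSI2696.tmp",
    2916: r"C:\Windows\Installer\MSI2696.tmp",
}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_id>\d+)$"
)


def parse_rows(rows):
    """Return (src_pid, action, dst_pid) tuples; malformed rows are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            events.append((int(m["src"]), m["action"], int(m["dst"])))
    return events


def find_hollowing_candidates(events, images):
    """Flag (src, dst) pairs where src both wrote into dst and set dst's thread context.

    A parent that only writes into a new child is normal process creation;
    the combination with SetThreadContext is the hollowing tell. The result
    also records whether src and dst share an image path, i.e. whether the
    payload was injected into a fresh copy of the same binary.
    """
    actions = defaultdict(set)
    for src, action, dst in events:
        actions[(src, dst)].add(action)

    findings = []
    for (src, dst), acts in sorted(actions.items()):
        if {"wrote to memory of", "set thread context of"} <= acts:
            findings.append({
                "src": src,
                "dst": dst,
                "image": images.get(dst, "<unknown>"),
                "self_injection": images.get(src) == images.get(dst),
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing_candidates(parse_rows(IOC_ROWS), PROCESS_IMAGES):
        print(finding)
```

Run against the rows from this report, the 2580 to 2796 pair is not flagged (writes only), and the 2796 to 2916 pair is flagged as a self-injection into a second MSI2696.tmp. On a live host the same logic applies to Sysmon event 8 (CreateRemoteThread) and 10 (ProcessAccess) pairs, but the sandbox rows are enough to show the shape of the check.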
Processes

C:\Windows\system32\msiexec.exe (PID 3032)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8b70f3d86655835f7049ab38c44d7c51_JaffaCakes118.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 2580)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Installer\MSI2696.tmp (PID 2796, child of 2580)
    Command line: "C:\Windows\Installer\MSI2696.tmp"
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Installer\MSI2696.tmp (PID 2916, child of 2796)
      Command line: "C:\Windows\Installer\MSI2696.tmp"
      - Executes dropped EXE

C:\Windows\system32\vssvc.exe (PID 2724)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe (PID 2508)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A0" "000000000000057C"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 663B
  MD5: 2024b5b07395d9f341af0637b5346e2e
  SHA1: a3cee268eb81e2b682b94887efb83058abf43f7a
  SHA256: 133810c7d9c665f03a4cc30a3d61e17583daf015f17ebbe270e88f1a70bd7867
  SHA512: ae6d4cba937d8d05e8a4843309810392946f36755bf7621c8235a15efc8401739b22d4c7ec7bd750910e2a208ec94526ff11d503bcfbfa7b0bcd53ec9fd768d9

File 2
  Filesize: 937KB
  MD5: 19b36f0c94238b00c6646276e8ff2f1e
  SHA1: 59a7bb1e0d7f027b03ec9564c3ccca707fad936a
  SHA256: fb4e984a7c215e035209fcd485be7051f13ad0ccc8eb3cc08d6e5c95012444ba
  SHA512: d44de256bab852afad797e7a8f1de7566670aeae8f5b17ae43e037e2fc7ca5321af404a8661e57bfceff3b0145f355abc08cc65c42e3a54a1e8b5f1eeee7f975