lokibot | 7882347c14ed4d3a27ac3aebde40400b1c662ae548abd1d9af165cfaf5205f34

General

Target

8fb8dec6e12d4cb320e9a10f72f3dc1e_JaffaCakes118.exe
Size

1.2MB
MD5

8fb8dec6e12d4cb320e9a10f72f3dc1e
SHA1

181ca1109b42aa4ed4211acc3e802353d58063ba
SHA256

7882347c14ed4d3a27ac3aebde40400b1c662ae548abd1d9af165cfaf5205f34
SHA512

ba9a860e370dfeb8379dc62059ffed654b686fb2f303c89e83b7416818d20259c28dd74d0da7d953555dd0af3381c840c007c43f59e1f1cca5a0cd5ada5bef9b
SSDEEP

24576:PpogCDjzcHuCVB2S/rGmrNQUgQDWzbnmAAFudCrHwQ:P25j0jGqiUPDT62

Score

10^/10

lokibot modiloader collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://xojine.tech/bulo2/cat.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2492-1413-0x0000000010410000-0x0000000010449000-memory.dmp	modiloader_stage2
behavioral1/memory/2492-1436-0x0000000010410000-0x0000000010449000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

Processes:

jkcgjj.exejkcgjj.exejkcgjj.exe

pid process

2284 jkcgjj.exe
2492 jkcgjj.exe
2252 jkcgjj.exe
Loads dropped DLL 4 IoCs

Processes:

8fb8dec6e12d4cb320e9a10f72f3dc1e_JaffaCakes118.exejkcgjj.exejkcgjj.exe

pid process

2868 8fb8dec6e12d4cb320e9a10f72f3dc1e_JaffaCakes118.exe
2868 8fb8dec6e12d4cb320e9a10f72f3dc1e_JaffaCakes118.exe
2284 jkcgjj.exe
2492 jkcgjj.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2284	jkcgjj.exe
2492	jkcgjj.exe
2252	jkcgjj.exe

pid	process
2868	8fb8dec6e12d4cb320e9a10f72f3dc1e_JaffaCakes118.exe
2868	8fb8dec6e12d4cb320e9a10f72f3dc1e_JaffaCakes118.exe
2284	jkcgjj.exe
2492	jkcgjj.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

jkcgjj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	jkcgjj.exe
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	jkcgjj.exe
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	jkcgjj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

jkcgjj.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkcgjj = "C:\\Users\\Admin\\AppData\\Local\\jkcgjj\\jkcgjj.vbs"	jkcgjj.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

jkcgjj.exe

description pid process target process

PID 2492 set thread context of 2252 2492 jkcgjj.exe jkcgjj.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

jkcgjj.exe

description pid process

Token: SeDebugPrivilege 2252 jkcgjj.exe

description	pid	process	target process
PID 2492 set thread context of 2252	2492	jkcgjj.exe	jkcgjj.exe

description	pid	process
Token: SeDebugPrivilege	2252	jkcgjj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8fb8dec6e12d4cb320e9a10f72f3dc1e_JaffaCakes118.exejkcgjj.exe

description	pid	process	target process
PID 2868 wrote to memory of 2284	2868	8fb8dec6e12d4cb320e9a10f72f3dc1e_JaffaCakes118.exe	jkcgjj.exe
PID 2868 wrote to memory of 2284	2868	8fb8dec6e12d4cb320e9a10f72f3dc1e_JaffaCakes118.exe	jkcgjj.exe
PID 2868 wrote to memory of 2284	2868	8fb8dec6e12d4cb320e9a10f72f3dc1e_JaffaCakes118.exe	jkcgjj.exe
PID 2868 wrote to memory of 2284	2868	8fb8dec6e12d4cb320e9a10f72f3dc1e_JaffaCakes118.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe
PID 2284 wrote to memory of 2492	2284	jkcgjj.exe	jkcgjj.exe

outlook_office_path 1 IoCs

Processes:

jkcgjj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	jkcgjj.exe

outlook_win_path 1 IoCs

Processes:

jkcgjj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	jkcgjj.exe

C:\Users\Admin\AppData\Local\Temp\8fb8dec6e12d4cb320e9a10f72f3dc1e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8fb8dec6e12d4cb320e9a10f72f3dc1e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\jkcgjj.exe
C:\Users\Admin\AppData\Local\Temp\jkcgjj.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Local\Temp\jkcgjj.exe
C:\Users\Admin\AppData\Local\Temp\jkcgjj.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2492

C:\Users\Admin\AppData\Local\Temp\jkcgjj.exe
"C:\Users\Admin\AppData\Local\Temp\jkcgjj.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2252

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jkcgjj.jpg
Filesize
210KB

MD5
ae1f66f35e91307c390d79df14dd8d61

SHA1
5cf0816343af8eeccf2cb03ef8a370d4f08d73cf

SHA256
21d36ac537a0a0cfaa0ae56edd0d40c8f7be1c5d2b58c6cefcdbfd6cb19741c0

SHA512
c6da5920bd2ac42a35bb967b24bcd892ed2da77d83168c410c56e2c32f66726bf750e90e45ae0435827870a1fc85eb443a7a59fb438e6d8537da9ffebc70b904

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1298544033-3225604241-2703760938-1000\0f5007522459c86e95ffcc62f32308f1_e3fd1d67-4513-4809-a7f1-bf54bd53bdbc
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1298544033-3225604241-2703760938-1000\0f5007522459c86e95ffcc62f32308f1_e3fd1d67-4513-4809-a7f1-bf54bd53bdbc
Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\Users\Admin\AppData\Local\Temp\jkcgjj.exe
Filesize
394KB

MD5
8b49d2c49c43b1f71e73ccc34f9b3da2

SHA1
bd8c83684f42197eb4bf2f025dc1d52147a60f4d

SHA256
9c1b99aadbfb33fdd546f147a84e6ef956d3e301de914b18ce56b7705b5a9412

SHA512
61b6ab038f898384a71aa4a6d136eca390cdaa2bbca11cbf8743972ad1dc5167fb4c979591dd67000f0c50838be260a6d8f5c2c0f1d59dc146ad608fcbf1fe61

Download Submit
memory/2252-1433-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2252-1480-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2284-29-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2284-12-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2284-11-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2492-26-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2492-34-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2492-1413-0x0000000010410000-0x0000000010449000-memory.dmp

Filesize
228KB

Download
memory/2492-21-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2492-1436-0x0000000010410000-0x0000000010449000-memory.dmp

Filesize
228KB

Download
memory/2868-0-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2868-9-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads