lokibot | 699af86e7899b90b59a24daae57f0fa860bda79c0256e539847ffaf33589b7d7

General

Target

9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe
Size

332KB
MD5

9e860f66b980168829ab013924b0df6e
SHA1

c4bb460d490634155ae089641dd048d4bbfde15f
SHA256

699af86e7899b90b59a24daae57f0fa860bda79c0256e539847ffaf33589b7d7
SHA512

034c78512912aa6ab0ad6cae9d1df22ad5de55f7353bbb8d809cf3afe4a2083d0f6d38c237e5a4d5d0b4d241f6ee08ead2d2a555d7309685a54cad8b9c39dbe6
SSDEEP

6144:sfpuJGCZ9nVJb3EsWDlgfej/zEGOHb6+a:/JB9VJbFsIE

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://ipqbook.com/glory/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2428 set thread context of 2084	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe
2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe
Token: SeDebugPrivilege	2084	vbc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2916	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	28
PID 2428 wrote to memory of 2916	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	28
PID 2428 wrote to memory of 2916	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	28
PID 2428 wrote to memory of 2916	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	28
PID 2916 wrote to memory of 1088	2916	csc.exe	30
PID 2916 wrote to memory of 1088	2916	csc.exe	30
PID 2916 wrote to memory of 1088	2916	csc.exe	30
PID 2916 wrote to memory of 1088	2916	csc.exe	30
PID 2428 wrote to memory of 2084	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	31
PID 2428 wrote to memory of 2084	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	31
PID 2428 wrote to memory of 2084	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	31
PID 2428 wrote to memory of 2084	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	31
PID 2428 wrote to memory of 2084	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	31
PID 2428 wrote to memory of 2084	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	31
PID 2428 wrote to memory of 2084	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	31
PID 2428 wrote to memory of 2084	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	31
PID 2428 wrote to memory of 2084	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	31
PID 2428 wrote to memory of 2084	2428	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ftrqlsk5\ftrqlsk5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E88.tmp" "c:\Users\Admin\AppData\Local\Temp\ftrqlsk5\CSC4E87EC64A9684903BDDB7321E9A3EB7C.TMP"
    3⤵
    PID:1088
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1E88.tmp

Filesize
1KB

MD5
08d4df351221550b50f8c914b03d2d90

SHA1
8a9cdbf7c441c55db3dac0227a758a81e6f0b105

SHA256
58da3adc99849a218c5156eeb61ad44ec05a37a88ef7d54848fb906cb903d9fa

SHA512
84ee97675961928d444325b77ffd9bac3089933728bea718d49c8ba77bf0333024549b10811e7fabde3f37f15eb3da3d78967dfe0aabadad201d68392f9a70b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftrqlsk5\ftrqlsk5.dll

Filesize
9KB

MD5
39bee592ae954d93c5b79afd142ae1d1

SHA1
beca7d352bb69a7a8140c397883182ca489d3a75

SHA256
f02aff6eaa106b0af433ec0ee78701dbd483ce9a4b23796fc84e247c8429c158

SHA512
df7f6c02986f9ca579fe22839c4192cc2a185b0ee7812d7e39fed16a053c7c1342ffaab1390b324a333922fdd732aeb06d4f74b5ce7dafe82a62bf5149675430

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftrqlsk5\ftrqlsk5.pdb

Filesize
25KB

MD5
62273553df4362b19c587c972b8e71fe

SHA1
823a8ae0a1dfa90f9bac47e36bb8c963d1ee2bff

SHA256
652bfee10302b568bfcd237d46e43f2a21e57ca4464970c89b8fd6879152c50b

SHA512
d19fa555a686ffbde3ab77282d99880af9fec4b72e20dea83979231538336dd83ceacb21902ffefd61e29e38a02c1473a0aa4786014b41e7163ab3dd131664dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2737914667-933161113-3798636211-1000\0f5007522459c86e95ffcc62f32308f1_07cfaa2b-05f3-43ad-9a8b-0541b0b16272

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2737914667-933161113-3798636211-1000\0f5007522459c86e95ffcc62f32308f1_07cfaa2b-05f3-43ad-9a8b-0541b0b16272

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ftrqlsk5\CSC4E87EC64A9684903BDDB7321E9A3EB7C.TMP

Filesize
1KB

MD5
1b8e806b702af1cac044bedea2382114

SHA1
343d925ad391d14c2417a3dae9552e98c4b916c1

SHA256
f4968c461e3d6cb53d55344a54fc2f1d8f99bf73e10dd4f330664f6a1fa17fec

SHA512
1df4b824e9213e7adb3b607ff3d22580ddec3758aaa93d3af79a8ee9f94128a925288cef5d5ae6828720dd9a7e0c7871aa9c1dfc7f1a7ccf2823f87850a52488

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ftrqlsk5\ftrqlsk5.0.cs

Filesize
12KB

MD5
69cf38cc60d4ffc53611a3120ffae24c

SHA1
7cd7f7e803b0ef88f52a6a99463399e433f1326b

SHA256
5bfc0757fc314c19fbeb4dad788455df3d39c1a795c9c3783c5598f9462ce81d

SHA512
a06092e67ead4524411520c8cffe026bb18fe4981c6794616617458e24ed337c6a240ea9ee5b12ae1172a91a5266b0935c1359e9ce58d9792b5f0bc1f135bfc6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ftrqlsk5\ftrqlsk5.cmdline

Filesize
312B

MD5
55a6cf2c92ef5faa545bf502a8c8ffd2

SHA1
74d7763c4932922889ecd3207aa1c5f90cfabd05

SHA256
1ddb23d2eb96fa7bd8d8f7f0a5016764aeabd6891a2f8e05af687c845c474bee

SHA512
add80ec9af0d3047cca1279f3712cf615aeaf1657344c6b39fe0fe3828680fad3a5d7299ed3a5051d4fcc46b4d6f9d63a6e27a5576f28a22d78eae00b9e429ee

Download Submit
memory/2084-23-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2084-32-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2084-78-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2084-55-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2084-39-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2084-24-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2084-27-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2084-25-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2084-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2084-29-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2084-34-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2428-22-0x0000000000BA0000-0x0000000000C42000-memory.dmp

Filesize
648KB

Download
memory/2428-35-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-0-0x0000000073EBE000-0x0000000073EBF000-memory.dmp

Filesize
4KB

Download
memory/2428-18-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/2428-21-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2428-2-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/2428-1-0x0000000000DC0000-0x0000000000E18000-memory.dmp

Filesize
352KB

Download
memory/2428-20-0x0000000000B70000-0x0000000000B9A000-memory.dmp

Filesize
168KB

Download
memory/2428-3-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing