lokibot | 699af86e7899b90b59a24daae57f0fa860bda79c0256e539847ffaf33589b7d7

General

Target

9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe
Size

332KB
MD5

9e860f66b980168829ab013924b0df6e
SHA1

c4bb460d490634155ae089641dd048d4bbfde15f
SHA256

699af86e7899b90b59a24daae57f0fa860bda79c0256e539847ffaf33589b7d7
SHA512

034c78512912aa6ab0ad6cae9d1df22ad5de55f7353bbb8d809cf3afe4a2083d0f6d38c237e5a4d5d0b4d241f6ee08ead2d2a555d7309685a54cad8b9c39dbe6
SSDEEP

6144:sfpuJGCZ9nVJb3EsWDlgfej/zEGOHb6+a:/JB9VJbFsIE

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://ipqbook.com/glory/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4128 set thread context of 2584	4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe
4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe
Token: SeDebugPrivilege	2584	vbc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 1456	4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	80
PID 4128 wrote to memory of 1456	4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	80
PID 4128 wrote to memory of 1456	4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	80
PID 1456 wrote to memory of 4840	1456	csc.exe	82
PID 1456 wrote to memory of 4840	1456	csc.exe	82
PID 1456 wrote to memory of 4840	1456	csc.exe	82
PID 4128 wrote to memory of 2584	4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	83
PID 4128 wrote to memory of 2584	4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	83
PID 4128 wrote to memory of 2584	4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	83
PID 4128 wrote to memory of 2584	4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	83
PID 4128 wrote to memory of 2584	4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	83
PID 4128 wrote to memory of 2584	4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	83
PID 4128 wrote to memory of 2584	4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	83
PID 4128 wrote to memory of 2584	4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	83
PID 4128 wrote to memory of 2584	4128	9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe	83

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9e860f66b980168829ab013924b0df6e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k4li0jhu\k4li0jhu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES47A8.tmp" "c:\Users\Admin\AppData\Local\Temp\k4li0jhu\CSCE91A2F4BB5B747A5AF6625757E9D418.TMP"
    3⤵
    PID:4840
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES47A8.tmp

Filesize
1KB

MD5
4ac96a9804cfa2903153d413d672d20d

SHA1
8ce25a97a90d37d2b082d4efeebb3d06fead85db

SHA256
e9a89e5dad30a623c334e9dbd54920a16dce09ff416a1bd5d0db3bce3518e3a7

SHA512
b7d284e97cc2101f461b8eb705230fce4099c0ba480d3d0e877eb63a5ef26770238bebd716cd9b3a2881240297ffc88a6eaf048d414e789d37ac84c2822856b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\k4li0jhu\k4li0jhu.dll

Filesize
9KB

MD5
d1bb2ed289ca81f565f1335587920dad

SHA1
1742be2024bc26165095a105fe20024451505e86

SHA256
fd1c25f69dd27131fe80bd4a6bbcf0cfbc7cd209e9ed03917683dbc83c30350d

SHA512
291b345c4e45f4a8b6c673500c0675ddae1a711fa6f04e1cd58cf370c408ca5aaf4e5880e8dc422136ba67039cde7c1c349cbefe313edf85bc0b6b43afb89da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\k4li0jhu\k4li0jhu.pdb

Filesize
25KB

MD5
018a52b3c193cf53eb0dfcf32783730e

SHA1
075c6f4271b10976ab22f4102758c56a2d54dfba

SHA256
7b9c2996f79009e705f44c16aa71f124962b7c081ff64e70641b29b06810f967

SHA512
c059dc8160a26e1b1c4f3920a2f71489ce6cdf7bf521ec09e54c8b673fc2ac65e4f2fdd37b09ccf834d24d4059310fb29e23f214e2922b584695439dee1ee0e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2539840389-1261165778-1087677076-1000\0f5007522459c86e95ffcc62f32308f1_468f6343-c0e6-4931-9703-30c6539573cb

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2539840389-1261165778-1087677076-1000\0f5007522459c86e95ffcc62f32308f1_468f6343-c0e6-4931-9703-30c6539573cb

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k4li0jhu\CSCE91A2F4BB5B747A5AF6625757E9D418.TMP

Filesize
1KB

MD5
c7d39bb63838e947cd3b787e2b47bf36

SHA1
08a0305a91dd637f3315762346d3374b0bcb7377

SHA256
704bcd6c1b3def7ae959cc71f4090af51c1be6b989db46a99630f1fa1c236014

SHA512
3ad5be455d234bc01ea98f8061aaa55a6ac182dfc7e3140b070c50e79702c21b0ed6e68563166999d780dc65c61873ffed1f162e4a09bdd33b1a0d1ebe376bd1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k4li0jhu\k4li0jhu.0.cs

Filesize
12KB

MD5
69cf38cc60d4ffc53611a3120ffae24c

SHA1
7cd7f7e803b0ef88f52a6a99463399e433f1326b

SHA256
5bfc0757fc314c19fbeb4dad788455df3d39c1a795c9c3783c5598f9462ce81d

SHA512
a06092e67ead4524411520c8cffe026bb18fe4981c6794616617458e24ed337c6a240ea9ee5b12ae1172a91a5266b0935c1359e9ce58d9792b5f0bc1f135bfc6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k4li0jhu\k4li0jhu.cmdline

Filesize
312B

MD5
135d20680388e4860b7e44c2b2104698

SHA1
f580f83b68f8ed1ffbe761e221a40f85b2e7f457

SHA256
6c911fb52c002d39ed7f7fc087aa63f23455ff4d0204c4836f1f6310ae3021d5

SHA512
8dcdfcba5812cd0f4a93ac2a98081785351068fa94b9cfb0cc5f2a8c713f71e345a085477bf063dc6e3d4d8b41b76c438f772bc686b1528bd15e39a82d000426

Download Submit
memory/2584-29-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2584-28-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2584-76-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2584-34-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2584-25-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4128-24-0x0000000005270000-0x000000000530C000-memory.dmp

Filesize
624KB

Download
memory/4128-23-0x0000000005000000-0x00000000050A2000-memory.dmp

Filesize
648KB

Download
memory/4128-4-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/4128-22-0x0000000004CD0000-0x0000000004CDC000-memory.dmp

Filesize
48KB

Download
memory/4128-21-0x0000000004CA0000-0x0000000004CCA000-memory.dmp

Filesize
168KB

Download
memory/4128-0-0x00000000753AE000-0x00000000753AF000-memory.dmp

Filesize
4KB

Download
memory/4128-30-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/4128-3-0x0000000002570000-0x0000000002578000-memory.dmp

Filesize
32KB

Download
memory/4128-2-0x0000000004B70000-0x0000000004C02000-memory.dmp

Filesize
584KB

Download
memory/4128-1-0x0000000000180000-0x00000000001D8000-memory.dmp

Filesize
352KB

Download
memory/4128-19-0x0000000004B10000-0x0000000004B18000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing