lokibot | bc38924ca8d6e7c703b6f588a7a465af13282c635ab2ec22db13f80a4c6863a8

Analysis

max time kernel
138s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 12:57 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe
Size

1.1MB
MD5

a5a6395ad0d4914f4e621f4cf672c74f
SHA1

1dbc5dea962fc371c50eb822379dae7d2018f8f2
SHA256

bc38924ca8d6e7c703b6f588a7a465af13282c635ab2ec22db13f80a4c6863a8
SHA512

3ec4f26546bb42321b768be3ccde85aa1dcb12a2dae59f62bcf831a6c23183174782d71eff8e2821576bd9283d48a7ff72ae5585b8900061abd5c85c578eb073
SSDEEP

24576:LAHnh+eWsN3skA4RV1Hom2KXMmHaHaHUNWjAGTzCd5:mh+ZkldoPK8YaE/zs

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://178.32.87.238/ayo/Panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3560 set thread context of 3996	3560	a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe	93

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3996	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 4824	3560	a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe	90
PID 3560 wrote to memory of 4824	3560	a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe	90
PID 3560 wrote to memory of 4824	3560	a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe	90
PID 3560 wrote to memory of 2376	3560	a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe	91
PID 3560 wrote to memory of 2376	3560	a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe	91
PID 3560 wrote to memory of 2376	3560	a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe	91
PID 3560 wrote to memory of 5044	3560	a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe	92
PID 3560 wrote to memory of 5044	3560	a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe	92
PID 3560 wrote to memory of 5044	3560	a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe	92
PID 3560 wrote to memory of 3996	3560	a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe	93
PID 3560 wrote to memory of 3996	3560	a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe	93
PID 3560 wrote to memory of 3996	3560	a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe	93
PID 3560 wrote to memory of 3996	3560	a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe	93
PID 3560 wrote to memory of 3996	3560	a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe	93

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5a6395ad0d4914f4e621f4cf672c74f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:4824
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:5044
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4220 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:1240

Network

DNS

76.234.34.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.234.34.23.in-addr.arpa

IN PTR

Response

76.234.34.23.in-addr.arpa

IN PTR

a23-34-234-76deploystaticakamaitechnologiescom
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

82.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

82.177.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

chromewebstore.googleapis.com

Remote address:

8.8.8.8:53

Request

chromewebstore.googleapis.com

IN A

Response

chromewebstore.googleapis.com

IN A

172.217.169.10

chromewebstore.googleapis.com

IN A

142.250.179.234

chromewebstore.googleapis.com

IN A

216.58.213.10

chromewebstore.googleapis.com

IN A

172.217.169.42

chromewebstore.googleapis.com

IN A

142.250.178.10

chromewebstore.googleapis.com

IN A

142.250.187.234

chromewebstore.googleapis.com

IN A

172.217.16.234

chromewebstore.googleapis.com

IN A

216.58.212.234

chromewebstore.googleapis.com

IN A

142.250.200.42

chromewebstore.googleapis.com

IN A

216.58.201.106

chromewebstore.googleapis.com

IN A

142.250.200.10

chromewebstore.googleapis.com

IN A

142.250.180.10

chromewebstore.googleapis.com

IN A

142.250.187.202

chromewebstore.googleapis.com

IN A

172.217.169.74

chromewebstore.googleapis.com

IN A

216.58.204.74
DNS

chromewebstore.googleapis.com

Remote address:

8.8.8.8:53

Request

chromewebstore.googleapis.com

IN Unknown

Response
DNS

10.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.169.217.172.in-addr.arpa

IN PTR

Response

10.169.217.172.in-addr.arpa

IN PTR

lhr25s26-in-f101e100net
DNS

92.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.16.208.104.in-addr.arpa

IN PTR

Response
DNS

92.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.16.208.104.in-addr.arpa

IN PTR

96.16.110.114:80

260 B
5
178.32.87.238:80

RegAsm.exe

260 B
5
13.107.253.64:443

46 B
40 B
1
1
178.32.87.238:80

RegAsm.exe

260 B
5
178.32.87.238:80

RegAsm.exe

260 B
5
178.32.87.238:80

RegAsm.exe

260 B
5
172.217.169.10:443

chromewebstore.googleapis.com

tls

2.0kB
7.9kB
16
17
178.32.87.238:80

RegAsm.exe

260 B
5
178.32.87.238:80

RegAsm.exe

260 B
5

8.8.8.8:53

76.234.34.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

76.234.34.23.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

82.177.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

82.177.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

183.142.211.20.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

chromewebstore.googleapis.com

dns

75 B
315 B
1
1

DNS Request

chromewebstore.googleapis.com

DNS Response

172.217.169.10

142.250.179.234

216.58.213.10

172.217.169.42

142.250.178.10

142.250.187.234

172.217.16.234

216.58.212.234

142.250.200.42

216.58.201.106

142.250.200.10

142.250.180.10

142.250.187.202

172.217.169.74

216.58.204.74
8.8.8.8:53

chromewebstore.googleapis.com

dns

75 B
132 B
1
1

DNS Request

chromewebstore.googleapis.com
8.8.8.8:53

10.169.217.172.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

10.169.217.172.in-addr.arpa
8.8.8.8:53

92.16.208.104.in-addr.arpa

dns

144 B
146 B
2
1

DNS Request

92.16.208.104.in-addr.arpa

DNS Request

92.16.208.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\0f5007522459c86e95ffcc62f32308f1_2397ee06-28fe-4eaa-8777-f7014368c353

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\0f5007522459c86e95ffcc62f32308f1_2397ee06-28fe-4eaa-8777-f7014368c353

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
memory/3560-0-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/3996-2-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3996-7-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3996-11-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.