Overview

overview

10

Static

static

10

bce1094e83...18.exe

windows7-x64

10

bce1094e83...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-06-2024 16:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bce1094e83674ae3842fa1fb4c3ba371_JaffaCakes118.exe

  • Size

    311KB

  • MD5

    bce1094e83674ae3842fa1fb4c3ba371

  • SHA1

    b62fa5dc19501c16e54ff69fbe5af1a269b47669

  • SHA256

    6ba636f3a03f508967c11d0643bf9acaf94c9e41e7210f0f9451a6b9fa98c1d6

  • SHA512

    dbdc5d225e0e4cee4957cdf4f5a2f7a09b32e745db45b1eb0ca2dfa441aafb94c780ce6ffc61a4b0cdb0f0d04f293323409e7be45bd18eb0c092b286784af50f

  • SSDEEP

    6144:zvEN2U+T6i5LirrllHy4HUcMQY6Mcd6bUfFdXThUq:zENN+T5xYrllrU7QY6MwPXKq

Score
10/10
lokibotcollectionevasionpersistencespywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

https://loki-panels.cf/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bce1094e83674ae3842fa1fb4c3ba371_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bce1094e83674ae3842fa1fb4c3ba371_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1316
    • \??\c:\users\admin\appdata\local\temp\bce1094e83674ae3842fa1fb4c3ba371_jaffacakes118.exe 
      c:\users\admin\appdata\local\temp\bce1094e83674ae3842fa1fb4c3ba371_jaffacakes118.exe 
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3740
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4144
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visiblity of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4244
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3568
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visiblity of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3168
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:4976
            • C:\Windows\SysWOW64\at.exe
              at 16:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
                PID:4548
              • C:\Windows\SysWOW64\at.exe
                at 16:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                6⤵
                  PID:1388
                • C:\Windows\SysWOW64\at.exe
                  at 16:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  6⤵
                    PID:452

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\bce1094e83674ae3842fa1fb4c3ba371_jaffacakes118.exe 
          Filesize

          104KB

          MD5

          6965ba8e62c7b6427c41832e888bdaf7

          SHA1

          a0d85da2a11560cb17f7ab5e9ec377533a149cea

          SHA256

          64832feab6811ef59955140e739c721d57058eae81c8772a93e6d299caf123eb

          SHA512

          c024f1b41c5ab5441792b1e2f748968f93797b4d75da12887c2c048e142ab79409ce4709ed2aa2cc580c7dabd6479ce2ca72ff424d405f37cdb076b35c03f654

          Download Submit

        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          Filesize

          206KB

          MD5

          1fb4125caf3aa42357c6ebb20ef1c1f9

          SHA1

          869efda8dc64341e324eff646529fbbf88940e23

          SHA256

          5204d7bf4cfb5caceda2f8cc90e9e95bcc8bfb703a87eca1b08d3101a4b5a3f2

          SHA512

          695674cefeac3c4a820efd197d6881d226e744510c9e2fad1135f2cba7cd1f3538049ef52c27daec02f95e6380e288b4845add52564084a6e7d9c4144cbf7a2d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1337824034-2731376981-3755436523-1000\0f5007522459c86e95ffcc62f32308f1_6833eb7b-8d4b-4cdd-9502-9bbf7fc1cf9f
          Filesize

          46B

          MD5

          d898504a722bff1524134c6ab6a5eaa5

          SHA1

          e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

          SHA256

          878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

          SHA512

          26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1337824034-2731376981-3755436523-1000\0f5007522459c86e95ffcc62f32308f1_6833eb7b-8d4b-4cdd-9502-9bbf7fc1cf9f
          Filesize

          46B

          MD5

          c07225d4e7d01d31042965f048728a0a

          SHA1

          69d70b340fd9f44c89adb9a2278df84faa9906b7

          SHA256

          8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

          SHA512

          23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          207KB

          MD5

          49085a40ecf0e25cc5f148e74279b5bd

          SHA1

          89716dae47236bfa8f53d74b4b283b12e1185eb7

          SHA256

          659c9c05560420747d171e010bb69dcc1041b83180b2c029f0604c2d3894c0e2

          SHA512

          eb3aa136a7808e082e430cdaaa948931fb7a9009b2467c3f11c163fc6285451fd53de70615a6b82db7ee7d55c3dc8f1e4a55f9f6cd174706449d165be3b354e6

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          206KB

          MD5

          2a2cc6f1cc6b9d59f1525f86315d50ca

          SHA1

          92ffc89847aa90063062dc2b9843ce0cec6c6649

          SHA256

          b43bfe3e096c201814a6c758e710009bc6705017914acea9dd0e04adbb71ef76

          SHA512

          a608a4ee2289a3f735b25455941725e605f27a32f59c88677fc6acef31ba4ddb5729e72b5323e7d6d56b21a960d68bf132e2de281a2366643e74f6952625e3e7

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          206KB

          MD5

          00a144bfc2eefd6076d39b7dfda2edb9

          SHA1

          093aa2b2c4664fd4a5c6e3f6f5bbaf1ef673a020

          SHA256

          c871753ede97dbc32739638fe2752efb984e87be7191d52668d3851140e46e36

          SHA512

          6f11fc53ed0bc3975dd66bb06289ec3d023dc859b44414e818729800b6dc80d47baba707ed0ae734a5adf9a0f2c5b53d565b1e676dd0f52659d89711dce5fb41

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          206KB

          MD5

          deaf588a76349ec425dd16907394acb3

          SHA1

          63e43b4ed39879385a28b03a6199c49b9e94fbb4

          SHA256

          5c30193af251d91365a039f295b02f42672ecd688357316ebf270f9ae29ed219

          SHA512

          e4d1dcfa37da41b4144d863fe6c89df474358aeb2654aeb5c5a3bc69676360d473b51c67dd70bd21600453a44d9366b5546da25e903c85cf6a00ed54ebff2613

          Download Submit

        • memory/3740-86-0x0000000000400000-0x00000000004A2000-memory.dmp

          Filesize

          648KB

          Download