General

  • Target

    5f0c47ef87ccbe34bb6f84448efb3a35_JaffaCakes118

  • Size

    774KB

  • Sample

    240720-e8q3xawfrm

  • MD5

    5f0c47ef87ccbe34bb6f84448efb3a35

  • SHA1

    6924efcc70aef057a3b460aff90bdb6949e65477

  • SHA256

    b3e414f2ca80ddc1a7ccc59dda87f0b141f0dafd3b1879b1ea1e3c97c6829ea5

  • SHA512

    bc60a4710e242aa697b721a553ef26ee82aedf2aded25ca43f02bd23f305c5cdfbb1cd8cc2b289e39686bd5a004213e5e1901f814837bfaecc6407050f782f7f

  • SSDEEP

    24576:OD4VHfQe6ZyWshg+qbZxTZZWunAWvlCaO5difB8HntoRKRBJPD:SFtidQGHCKRB

Malware Config

Extracted

Family

lokibot

C2

http://jlpack.email/file/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
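The following script is an added example, not part of the sandbox report, showing two things a responder typically does with an extracted config like the one above: confirm that a file on disk really is this sample by comparing its digests with the report, and sweep web-proxy logs for the five C2 URLs. Only the hashes and URLs are copied from the report; the squid-style log layout and the log lines are constructed here for illustration, and the `fre.php` path-only match is a low-confidence heuristic derived from the fact that every extracted C2 URL ends in that panel script.

```python
# Added example (not part of the sandbox report): turn the extracted LokiBot
# indicators into a small offline check. Only the hashes and C2 URLs below are
# taken from the report; the log format and log lines are constructed.
import hashlib
import re
from urllib.parse import urlparse

# Digests copied verbatim from the report above.
REPORT_HASHES = {
    "md5": "5f0c47ef87ccbe34bb6f84448efb3a35",
    "sha1": "6924efcc70aef057a3b460aff90bdb6949e65477",
    "sha256": "b3e414f2ca80ddc1a7ccc59dda87f0b141f0dafd3b1879b1ea1e3c97c6829ea5",
}

# C2 URLs copied verbatim from the extracted config.
C2_URLS = [
    "http://jlpack.email/file/Panel/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def digests(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 of a byte string as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def is_reported_sample(data: bytes) -> bool:
    """True only if every digest agrees with the report (no single-hash match)."""
    return digests(data) == REPORT_HASHES


def c2_indicators(urls=C2_URLS):
    """Split the C2 list into a host set and a path set for matching."""
    parsed = [urlparse(u) for u in urls]
    hosts = {p.hostname.lower() for p in parsed}
    paths = {p.path for p in parsed}
    return hosts, paths


# Constructed squid-style access log lines (assumed layout:
# timestamp elapsed client status/code bytes method url ...).
SAMPLE_LOG = """\
1721456001.123    45 10.0.0.15 TCP_MISS/200 512 POST http://kbfvzoboss.bid/alien/fre.php - HIER_DIRECT/203.0.113.7 text/html
1721456002.456    30 10.0.0.22 TCP_MISS/200 8192 GET http://www.example.com/index.html - HIER_DIRECT/198.51.100.2 text/html
1721456003.789    12 10.0.0.15 TCP_MISS/404 0 POST http://alphastand.top/alien/fre.php - HIER_DIRECT/203.0.113.9 text/html
1721456004.000    20 10.0.0.31 TCP_MISS/200 300 POST http://cdn.example.org/fre.php - HIER_DIRECT/198.51.100.5 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def scan_log(text: str, urls=C2_URLS) -> list:
    """Return one hit per log line that touches the C2 infrastructure.

    confidence 'high'  : host and path both match an extracted C2 URL
    confidence 'medium': host matches, path differs (same panel, new path)
    confidence 'low'   : unknown host, but a POST to .../fre.php, the panel
                         script shared by every extracted C2 URL (heuristic)
    """
    hosts, paths = c2_indicators(urls)
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the assumed layout; skip it
        p = urlparse(m["url"])
        host = (p.hostname or "").lower()
        if host in hosts:
            confidence = "high" if p.path in paths else "medium"
        elif m["method"] == "POST" and p.path.endswith("/fre.php"):
            confidence = "low"
        else:
            continue
        hits.append({"ts": m["ts"], "client": m["client"], "host": host,
                     "path": p.path, "confidence": confidence})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run it as-is to see the three hits from the constructed log (two high-confidence beacons from 10.0.0.15 and one low-confidence `fre.php` POST from 10.0.0.31); point `scan_log` at a real access log and `is_reported_sample` at the file you were handed to use it for a case. The low-confidence rule exists because LokiBot panels are routinely moved to fresh domains while the panel script name stays the same, so a host-only match misses the next rotation.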

Targets

    • Target

      5f0c47ef87ccbe34bb6f84448efb3a35_JaffaCakes118

    • Size

      774KB

    • MD5

      5f0c47ef87ccbe34bb6f84448efb3a35

    • SHA1

      6924efcc70aef057a3b460aff90bdb6949e65477

    • SHA256

      b3e414f2ca80ddc1a7ccc59dda87f0b141f0dafd3b1879b1ea1e3c97c6829ea5

    • SHA512

      bc60a4710e242aa697b721a553ef26ee82aedf2aded25ca43f02bd23f305c5cdfbb1cd8cc2b289e39686bd5a004213e5e1901f814837bfaecc6407050f782f7f

    • SSDEEP

      24576:OD4VHfQe6ZyWshg+qbZxTZZWunAWvlCaO5difB8HntoRKRBJPD:SFtidQGHCKRB

    • Lokibot

      LokiBot is an information stealer: it harvests saved passwords (browser and mail-client credentials, among others) and cryptocurrency wallet data from the infected host and exfiltrates them to the C2 panel URLs extracted above.

    • Reads user/profile data of web browsers

      Infostealers routinely target the browser's user profile directories, which hold saved credentials, cookies, session tokens and autofill data.

    • Accesses Microsoft Outlook profiles

      Outlook profile data, stored under the user's registry hive, holds mail account settings and can include saved account credentials, which stealers harvest alongside browser data.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites the register state of another thread. Used against a suspended child process it is the final step of process hollowing: the payload's entry point is written into the hijacked thread before it is resumed, so the stealer runs under the name of a benign process.

MITRE ATT&CK Enterprise v15

Tasks