General

  • Target

    9f046bf891c55cb358cc4f1c25892a12_JaffaCakes118

  • Size

    311KB

  • Sample

    240816-td291stbrg

  • MD5

    9f046bf891c55cb358cc4f1c25892a12

  • SHA1

    94142e8d8eeee0952bcdd1dd3ff87be2decddd1d

  • SHA256

    0e834bafb88b050fa0c9f41ba37c204ce3cf1aa68fa3793ab607d46c7fbd8f89

  • SHA512

    11b629dad3c7d0fcb42043e7c826270b307b5ee3346b050c402e7d77f3a16abd5960045ad68260953c1f96d178649b0f3de701de313612217699c9c2f52dda7a

  • SSDEEP

    6144:0qjIctnTweYo9pNREL3qAUhQSeMU0iUykt:hxweYgbEeDCMU0iUl

Malware Config

Extracted

Family

lokibot

C2

http://51.195.53.221/p.php/fA33po5ZHfzav

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
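The five C2 URLs above are the only network indicators the report gives. As an added example, not part of the sandbox report or the Lokibot family description, the Python below turns them into host and path indicators and runs them over a handful of constructed proxy-log lines. The five-field log format (timestamp, client IP, method, URL, status) and every log line are assumptions made for the demonstration; real proxy formats differ and the field split must be adapted.

```python
"""Editor-added example, not part of the sandbox report: flag proxy-log
entries that reach the Lokibot C2 URLs listed in the report.

The C2 URLs are copied from the report. The log lines and their
five-field format (timestamp, client, method, URL, status) are
constructed for this demonstration.
"""
from typing import Optional
from urllib.parse import urlsplit

C2_URLS = [
    "http://51.195.53.221/p.php/fA33po5ZHfzav",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Two indicator sets derived from the URLs: exact hosts (strong signal) and
# URL paths (weaker; the same panel script path recurs across hosts in the
# report, so an unlisted host using it is worth a look).
C2_HOSTS = {urlsplit(u).hostname.lower() for u in C2_URLS}
C2_PATHS = {urlsplit(u).path for u in C2_URLS}


def classify(url: str) -> Optional[str]:
    """Return 'host' for a listed C2 host, 'path' for a listed C2 path on an
    unlisted host, or None when the URL matches nothing in the report."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in C2_HOSTS:
        return "host"
    if parts.path in C2_PATHS:
        return "path"
    return None


def find_c2_hits(log_lines):
    """Scan whitespace-separated proxy log lines and return a list of
    (client, url, reason) for each request that matches a report indicator.
    Lines with fewer than five fields are skipped as malformed."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, _method, url, _status = fields[:5]
        reason = classify(url)
        if reason:
            hits.append((client, url, reason))
    return hits


# Constructed sample log (not real traffic). Lines 1 and 3 reach listed
# hosts, line 4 uses a listed path on an unlisted host, lines 2 and 5 are benign.
SAMPLE_LOG = """\
2024-08-16T13:01:02Z 10.0.0.15 POST http://kbfvzoboss.bid/alien/fre.php 404
2024-08-16T13:01:05Z 10.0.0.15 GET http://www.example.com/index.html 200
2024-08-16T13:01:09Z 10.0.0.22 POST http://51.195.53.221/p.php/fA33po5ZHfzav 200
2024-08-16T13:01:14Z 10.0.0.22 POST http://203.0.113.7/alien/fre.php 200
2024-08-16T13:02:00Z 10.0.0.15 GET http://alphastand.example.org/alien/other.php 200
""".splitlines()

if __name__ == "__main__":
    for client, url, reason in find_c2_hits(SAMPLE_LOG):
        print(f"{client} -> {url}  [{reason} match]")
```

A host match is the signal to act on; a path-only match on an unlisted host is returned separately so it can be triaged rather than treated as a confirmed infection on its own.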

Targets

    • Target

      9f046bf891c55cb358cc4f1c25892a12_JaffaCakes118

    • Size

      311KB

    • MD5

      9f046bf891c55cb358cc4f1c25892a12

    • SHA1

      94142e8d8eeee0952bcdd1dd3ff87be2decddd1d

    • SHA256

      0e834bafb88b050fa0c9f41ba37c204ce3cf1aa68fa3793ab607d46c7fbd8f89

    • SHA512

      11b629dad3c7d0fcb42043e7c826270b307b5ee3346b050c402e7d77f3a16abd5960045ad68260953c1f96d178649b0f3de701de313612217699c9c2f52dda7a

    • SSDEEP

      6144:0qjIctnTweYo9pNREL3qAUhQSeMU0iUykt:hxweYgbEeDCMU0iUl

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile contents.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      fccff8cb7a1067e23fd2e2b63971a8e1

    • SHA1

      30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    • SHA256

      6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    • SHA512

      f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    • SSDEEP

      192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4

    • Score

      3/10

    • Target

      zjvb5chyh04at.dll

    • Size

      11KB

    • MD5

      498ef70f50583187d76608713afaa102

    • SHA1

      095a7366542b29b6ff5fe27e80bbfc1984ea7d4d

    • SHA256

      0e6e593ac3d1f1ea997e4e7902b04a3657cbd048a6acfbe163a9139eef5d27f8

    • SHA512

      baebe5efc6a3e90908ee0d6b8ab2612def333ad888025e65b61e05681ea73e13674ed87980add60a28a5f3a29be0954490485886770d5958538ee2f5bba752a6

    • SSDEEP

      192:jH3dW30dtmS2rSidCmD3TAZ7PukQurM0+b1pH45SNdxNoIBqnn:4OUrYrZ7oSib/YY

    • Score

      3/10
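The behaviours flagged on the main sample above ("Credentials from Web Browsers", "Reads user/profile data of web browsers", "Accesses Microsoft Outlook profiles") reduce to one host-side pattern: a process other than the owning application reads a credential store. The Python below is an added example, not part of the report; it assumes telemetry that records per-process file reads and registry key opens (Sysmon does not log file reads, so EDR-style events are assumed), the store locations are the standard Chrome, Edge, Firefox and Outlook ones, and the event records are constructed for the demonstration.

```python
"""Editor-added example, not part of the sandbox report: flag processes
other than the owning application that read browser credential stores or
open Outlook profile keys.

Assumptions: an event source that records per-process file reads and
registry key opens (EDR-style telemetry); the event format and the events
themselves are constructed for this demonstration.
"""
import re
from typing import Optional

# Credential-store locations as case-insensitive regexes over the full path,
# each mapped to the process that legitimately owns that store.
STORES = [
    (re.compile(r"\\google\\chrome\\user data\\[^\\]+\\login data$", re.I), "chrome.exe"),
    (re.compile(r"\\microsoft\\edge\\user data\\[^\\]+\\login data$", re.I), "msedge.exe"),
    (re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I), "firefox.exe"),
    (re.compile(r"^hkcu\\software\\microsoft\\office\\\d+\.\d+\\outlook\\profiles", re.I), "outlook.exe"),
]


def owner_of(path: str) -> Optional[str]:
    """Return the image name that owns the credential store at `path`,
    or None if the path is not a known store."""
    for pattern, owner in STORES:
        if pattern.search(path):
            return owner
    return None


def suspicious_accesses(events):
    """Return (process, path) for every access to a credential store by a
    process other than its owner. Each event is a dict with 'process'
    (image name), 'op' ('FileRead' or 'RegOpenKey') and 'path'."""
    hits = []
    for ev in events:
        if ev["op"] not in ("FileRead", "RegOpenKey"):
            continue
        owner = owner_of(ev["path"])
        if owner and ev["process"].lower() != owner:
            hits.append((ev["process"], ev["path"]))
    return hits


# Constructed events (not real telemetry): owner reads are benign,
# the three reads by sample.exe are the pattern the report's signatures describe.
SAMPLE_EVENTS = [
    {"process": "chrome.exe", "op": "FileRead",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": "sample.exe", "op": "FileRead",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": "sample.exe", "op": "FileRead",
     "path": r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\logins.json"},
    {"process": "sample.exe", "op": "RegOpenKey",
     "path": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"process": "outlook.exe", "op": "RegOpenKey",
     "path": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"process": "sample.exe", "op": "FileRead",
     "path": r"C:\Users\u\Documents\notes.txt"},
]

if __name__ == "__main__":
    for process, path in suspicious_accesses(SAMPLE_EVENTS):
        print(f"{process} read credential store {path}")
```

Matching on the owning image name alone is a coarse allow-list: an injected browser process or a renamed binary would pass it, so in production this check belongs alongside process-integrity signals (such as the SetThreadContext behaviour the report also flags) rather than standing on its own.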

MITRE ATT&CK Enterprise v15

Tasks