lokibot | 193e8868bf9fbb4fc5edb8a0e2400796ee644114d8a401c8550ce0aa958665ac

Analysis

max time kernel
136s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2024, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd23b9710a6f3bddf569663eca410316_JaffaCakes118.msi
Size

428KB
MD5

cd23b9710a6f3bddf569663eca410316
SHA1

26afee2a515aa7c0d2ab691fadd85bfc948dcfbe
SHA256

193e8868bf9fbb4fc5edb8a0e2400796ee644114d8a401c8550ce0aa958665ac
SHA512

789589860b13b580604be4d7127bc340cc0d29bcf8e6cb6a9259bbf4623033f96addc41b1df41850ee273c9e642730cff5dbc54d75171bdf9caa727cd4ab13cd
SSDEEP

12288:sEfBZl1vvNQSnTlBZl1vvNQSnTnHrpq0sU5:sEJ1vvNQQTz1vvNQQTNq0x

Score

10^/10

lokibot collection credential_access discovery persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://pms-ne.kr/ikloki/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	MSIED6E.tmp
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSIED6E.tmp
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	MSIED6E.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4244 set thread context of 2196	4244	MSIED6E.tmp	105

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED1F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED6E.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ec83.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ec83.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4244	MSIED6E.tmp
2196	MSIED6E.tmp

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1728	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIED6E.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000096fabf83e47a2dea0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000096fabf830000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090096fabf83000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d96fabf83000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000096fabf8300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3380	msiexec.exe
3380	msiexec.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1728	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1728	msiexec.exe
Token: SeSecurityPrivilege	3380	msiexec.exe
Token: SeCreateTokenPrivilege	1728	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1728	msiexec.exe
Token: SeLockMemoryPrivilege	1728	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1728	msiexec.exe
Token: SeMachineAccountPrivilege	1728	msiexec.exe
Token: SeTcbPrivilege	1728	msiexec.exe
Token: SeSecurityPrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeLoadDriverPrivilege	1728	msiexec.exe
Token: SeSystemProfilePrivilege	1728	msiexec.exe
Token: SeSystemtimePrivilege	1728	msiexec.exe
Token: SeProfSingleProcessPrivilege	1728	msiexec.exe
Token: SeIncBasePriorityPrivilege	1728	msiexec.exe
Token: SeCreatePagefilePrivilege	1728	msiexec.exe
Token: SeCreatePermanentPrivilege	1728	msiexec.exe
Token: SeBackupPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeShutdownPrivilege	1728	msiexec.exe
Token: SeDebugPrivilege	1728	msiexec.exe
Token: SeAuditPrivilege	1728	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1728	msiexec.exe
Token: SeChangeNotifyPrivilege	1728	msiexec.exe
Token: SeRemoteShutdownPrivilege	1728	msiexec.exe
Token: SeUndockPrivilege	1728	msiexec.exe
Token: SeSyncAgentPrivilege	1728	msiexec.exe
Token: SeEnableDelegationPrivilege	1728	msiexec.exe
Token: SeManageVolumePrivilege	1728	msiexec.exe
Token: SeImpersonatePrivilege	1728	msiexec.exe
Token: SeCreateGlobalPrivilege	1728	msiexec.exe
Token: SeBackupPrivilege	2188	vssvc.exe
Token: SeRestorePrivilege	2188	vssvc.exe
Token: SeAuditPrivilege	2188	vssvc.exe
Token: SeBackupPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeDebugPrivilege	4244	MSIED6E.tmp
Token: SeBackupPrivilege	4180	srtasks.exe
Token: SeRestorePrivilege	4180	srtasks.exe
Token: SeSecurityPrivilege	4180	srtasks.exe
Token: SeTakeOwnershipPrivilege	4180	srtasks.exe
Token: SeBackupPrivilege	4180	srtasks.exe
Token: SeRestorePrivilege	4180	srtasks.exe
Token: SeSecurityPrivilege	4180	srtasks.exe
Token: SeTakeOwnershipPrivilege	4180	srtasks.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeDebugPrivilege	2196	MSIED6E.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1728	msiexec.exe
1728	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 4180	3380	msiexec.exe	99
PID 3380 wrote to memory of 4180	3380	msiexec.exe	99
PID 3380 wrote to memory of 4244	3380	msiexec.exe	101
PID 3380 wrote to memory of 4244	3380	msiexec.exe	101
PID 3380 wrote to memory of 4244	3380	msiexec.exe	101
PID 4244 wrote to memory of 2196	4244	MSIED6E.tmp	105
PID 4244 wrote to memory of 2196	4244	MSIED6E.tmp	105
PID 4244 wrote to memory of 2196	4244	MSIED6E.tmp	105
PID 4244 wrote to memory of 2196	4244	MSIED6E.tmp	105
PID 4244 wrote to memory of 2196	4244	MSIED6E.tmp	105
PID 4244 wrote to memory of 2196	4244	MSIED6E.tmp	105
PID 4244 wrote to memory of 2196	4244	MSIED6E.tmp	105
PID 4244 wrote to memory of 2196	4244	MSIED6E.tmp	105
PID 4244 wrote to memory of 2196	4244	MSIED6E.tmp	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	MSIED6E.tmp

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSIED6E.tmp

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cd23b9710a6f3bddf569663eca410316_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1728

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4180
- C:\Windows\Installer\MSIED6E.tmp
  "C:\Windows\Installer\MSIED6E.tmp"
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\Installer\MSIED6E.tmp
    "C:\Windows\Installer\MSIED6E.tmp"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2196

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ec86.rbs

Filesize
663B

MD5
8ced906c5f3e10f42d69e9e5b2ab2b41

SHA1
e5b9118ceab68e86a66184102986469544efad43

SHA256
fbdfa46be7c05ace6aea2c43003709564bbecddb5a29c4fb79708b66e80493c4

SHA512
da5d8a7854b62191e7dd9790a09bd9dd4ae0af25a2bc31cbc1b533e823bacd55e9c64e4bdf0c9d964e353f5c53109977d3367ec30d9f1ad6c57033f93ab15a12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-945322488-2060912225-3527527000-1000\0f5007522459c86e95ffcc62f32308f1_03d68389-5a68-4d9e-92ac-47b927e624dd

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-945322488-2060912225-3527527000-1000\0f5007522459c86e95ffcc62f32308f1_03d68389-5a68-4d9e-92ac-47b927e624dd

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Windows\Installer\MSIED6E.tmp

Filesize
401KB

MD5
42f0ce29970a9ab24c4d01d061091bca

SHA1
c871ab752d547956b4ea1f3944b3b32a793e7112

SHA256
a8b1fd6c71325bc5a80c2a175dfcb39fddc77b2125f8065c63636dfdff9bab7f

SHA512
6b9d538b41ff821f6b95d0722c76fd2d940053990e7d782ba8f39fc71e357ed655528361cc7e961b7bc141ac4be38e926102876ecfd4cd22600fa87a97f538ad

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
bd798e99ace3533989f0203e961e8478

SHA1
9c0383060520b8fdaf9e9c5c498beaeca54928ab

SHA256
1a2521fdcf1446bb36c5d3a352f75751b1244310a6b48b472167a1063dec8708

SHA512
637dee315071646895a778ad8a7a2b520ba43dd6c2322e5d2bf3f73f504cf9b0a04ad8ca1042822f2873a220120524d874d0d1148a0a083a21a3bcb05809c496

Download Submit
\??\Volume{83bffa96-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{aedb2393-bb6f-471a-8928-6092d5a99f1e}_OnDiskSnapshotProp

Filesize
6KB

MD5
7e28105e28fe7785eee990b5fff334f6

SHA1
632e8c21e886a40db7398e29248daf6245815aad

SHA256
48dacdce876e37b39ede1c5293d31e57b4eeae06634c33a7bcc25ea8486c4faf

SHA512
2d66749e66458bc805acda64195576f660958a66483d920734ec93d9b99aa6a4a50191c6ee12661878be7433c77c039dde80e74c4d1b2e683933123ccba2cb6e

Download Submit
memory/2196-20-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2196-23-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4244-14-0x0000000004920000-0x0000000004942000-memory.dmp

Filesize
136KB

Download
memory/4244-19-0x0000000005FD0000-0x000000000606C000-memory.dmp

Filesize
624KB

Download
memory/4244-18-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/4244-17-0x0000000005980000-0x0000000005F24000-memory.dmp

Filesize
5.6MB

Download
memory/4244-13-0x0000000004940000-0x000000000495A000-memory.dmp

Filesize
104KB

Download
memory/4244-12-0x0000000000090000-0x00000000000FA000-memory.dmp

Filesize
424KB

Download