Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    e89cb61349a6bab43f582b9087283007_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240918-ja8mhszcrm

  • MD5

    e89cb61349a6bab43f582b9087283007

  • SHA1

    5c212383197a2eda5c09bb524789dba6913dc7e5

  • SHA256

    3e82b45c9e0c1819eea7baad7fce402472f70d23023490e364b0fb213bbbedf5

  • SHA512

    669b966a0ea1f083b12f02c1d96fe229ab12f412698d3d0d7c8c012c754cd88425302f17196a769401c20afefe894da58884e91070e2ec4973c7b405b5d923bc

  • SSDEEP

    24576:adHPXnvcC964ukjOs1iq8ZqI1IT96teRRRRRRRRRRRRRRRRRRRm7pxV2AeC+H:a9vvM4sHq9QBFM

Malware Config

Extracted

Family

lokibot

C2

http://avebx.cf/sleek2/cat.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      e89cb61349a6bab43f582b9087283007_JaffaCakes118

    • Size

      1.1MB

    • MD5

      e89cb61349a6bab43f582b9087283007

    • SHA1

      5c212383197a2eda5c09bb524789dba6913dc7e5

    • SHA256

      3e82b45c9e0c1819eea7baad7fce402472f70d23023490e364b0fb213bbbedf5

    • SHA512

      669b966a0ea1f083b12f02c1d96fe229ab12f412698d3d0d7c8c012c754cd88425302f17196a769401c20afefe894da58884e91070e2ec4973c7b405b5d923bc

    • SSDEEP

      24576:adHPXnvcC964ukjOs1iq8ZqI1IT96teRRRRRRRRRRRRRRRRRRRm7pxV2AeC+H:a9vvM4sHq9QBFM

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks