General

  • Target: e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118
  • Size: 632KB
  • Sample: 240918-q7j4rathnf
  • MD5: e9433fb6d9b9c922aae9b538e21fd1ce
  • SHA1: 4c144946291926c79cd79df4b724bcc9085d385f
  • SHA256: 8eee5bc1ed923773f6e9af1b39ff27e6b9de5586dc2957dc7284c4c145bd543e
  • SHA512: 196e444a941940b9d79c8425a8c8386ba353adbb39b88d6d1738537cd1dc4b7547399b2c1ed905f847d5f7e9d60221e4ac1b6d435e3888acd43e39240322bbca
  • SSDEEP: 12288:PON9i8AuXrQSY+VqgDU9hxgP88mH8zUNO4xRxhH3EVEqYPj2:PON9iLwwgIhxgPdm3NhxNEV8S

Malware Config

Extracted

Family

  • lokibot

C2

  • http://majesticraft.com/ema/Panel/five/fre.php
  • http://kbfvzoboss.bid/alien/fre.php
  • http://alphastand.trade/alien/fre.php
  • http://alphastand.win/alien/fre.php
  • http://alphastand.top/alien/fre.php

Targets

    • Target: e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118
    • Size: 632KB
    • MD5: e9433fb6d9b9c922aae9b538e21fd1ce
    • SHA1: 4c144946291926c79cd79df4b724bcc9085d385f
    • SHA256: 8eee5bc1ed923773f6e9af1b39ff27e6b9de5586dc2957dc7284c4c145bd543e
    • SHA512: 196e444a941940b9d79c8425a8c8386ba353adbb39b88d6d1738537cd1dc4b7547399b2c1ed905f847d5f7e9d60221e4ac1b6d435e3888acd43e39240322bbca
    • SSDEEP: 12288:PON9i8AuXrQSY+VqgDU9hxgP88mH8zUNO4xRxhH3EVEqYPj2:PON9iLwwgIhxgPdm3NhxNEV8S

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks