lokibot | 8eee5bc1ed923773f6e9af1b39ff27e6b9de5586dc2957dc7284c4c145bd543e

General

Target

e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe
Size

632KB
MD5

e9433fb6d9b9c922aae9b538e21fd1ce
SHA1

4c144946291926c79cd79df4b724bcc9085d385f
SHA256

8eee5bc1ed923773f6e9af1b39ff27e6b9de5586dc2957dc7284c4c145bd543e
SHA512

196e444a941940b9d79c8425a8c8386ba353adbb39b88d6d1738537cd1dc4b7547399b2c1ed905f847d5f7e9d60221e4ac1b6d435e3888acd43e39240322bbca
SSDEEP

12288:PON9i8AuXrQSY+VqgDU9hxgP88mH8zUNO4xRxhH3EVEqYPj2:PON9iLwwgIhxgPdm3NhxNEV8S

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://majesticraft.com/ema/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 2692	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	34

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe
2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe
Token: SeDebugPrivilege	2692	vbc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1332	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	31
PID 2316 wrote to memory of 1332	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	31
PID 2316 wrote to memory of 1332	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	31
PID 2316 wrote to memory of 1332	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	31
PID 1332 wrote to memory of 588	1332	csc.exe	33
PID 1332 wrote to memory of 588	1332	csc.exe	33
PID 1332 wrote to memory of 588	1332	csc.exe	33
PID 1332 wrote to memory of 588	1332	csc.exe	33
PID 2316 wrote to memory of 2692	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	34
PID 2316 wrote to memory of 2692	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	34
PID 2316 wrote to memory of 2692	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	34
PID 2316 wrote to memory of 2692	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	34
PID 2316 wrote to memory of 2692	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	34
PID 2316 wrote to memory of 2692	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	34
PID 2316 wrote to memory of 2692	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	34
PID 2316 wrote to memory of 2692	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	34
PID 2316 wrote to memory of 2692	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	34
PID 2316 wrote to memory of 2692	2316	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0ckmhtp1\0ckmhtp1.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3C3.tmp" "c:\Users\Admin\AppData\Local\Temp\0ckmhtp1\CSC9F666340C2364098A1DFD952C3C6CFB3.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:588
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ckmhtp1\0ckmhtp1.dll

Filesize
20KB

MD5
6dccbea714fb5c32b7e1a404c4a3b838

SHA1
3a267eb84fce8b9816e4def15e020f25607d8e04

SHA256
fa42f3e0a7cb5c787f33ccc0500f7baa42e500f4f1336067df31d20626939d41

SHA512
4887233f2d2e8b0d543a1b09d1cf53993cd22ab2121285c3fe3be9fa46a744ccfd1919b5b407b73dfbc957a5770a5b293564e890347f3b8182984221b35c3ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ckmhtp1\0ckmhtp1.pdb

Filesize
67KB

MD5
625d7d1c4d5a25bdd345ac10d1bb7339

SHA1
595f0737aa249695d86f04a59dcd59dcd6a9af77

SHA256
50d3d0fa01ba7f4afa51ed3a048e46fa272806913ed0a8415dd3000e63944c14

SHA512
2f45c16e7007a761a6675ed592433ea0987536f72d73f37375cfa5d696c136869ba91d670fa0c94d20d92c8d4f9d0e1e774495e21a358b52172128e3ccc2a249

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD3C3.tmp

Filesize
1KB

MD5
7f6f5a175a0392f4c452ced82f092f8f

SHA1
ab1fa6f467b7e9b122dbf80affe6705e92692e54

SHA256
df3dec3c9b2623b25eea7cd6f6d94a7011ceb0afc8c700386de2977bc2463c4e

SHA512
46e428ada5834c52816232acf4ee3fad22a154daaa0f3c336c2f92fd6e8bdf5aac13af38f3677ace96e8976780d149efb2a32b62f73457c9c794849dcaf80d0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1488793075-819845221-1497111674-1000\0f5007522459c86e95ffcc62f32308f1_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1488793075-819845221-1497111674-1000\0f5007522459c86e95ffcc62f32308f1_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0ckmhtp1\0ckmhtp1.0.cs

Filesize
45KB

MD5
60c75a16554822c31d705d4b28fa3a2d

SHA1
72f4b55135063bfc7f116956bb3a3c79d03cb2ba

SHA256
b38b82c040dbeb3322b88780253e8d6b8cac5feb72d6805393c706319a6353ff

SHA512
fa35698b7a6ed0ed0a4dc6923dc5425af207b65930404d6fb623395d79ab3e85bffba453f4494a9e3e04f42ac8981b029fb3683b117ddd9de8a1d2237f5bd732

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0ckmhtp1\0ckmhtp1.cmdline

Filesize
312B

MD5
6e3d885131ea79d6b978784eb6a97920

SHA1
8cbb26cdcc44b9b93228e3b9860733b505b2bda4

SHA256
2b0d63a0d8b0d3d553fc3cf1467397b4d3038dd6d237dd0ffb4086ef2974cb99

SHA512
88ba91bb57372cd4110d95682c34090312e014e02bbb3b8ded183d744388603e56176c2307083742aa7c2b8b163a94abce0940fec54ef43563e6dcd26729235f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0ckmhtp1\CSC9F666340C2364098A1DFD952C3C6CFB3.TMP

Filesize
1KB

MD5
4554686ccfdcffd18f3ccffe2365d9af

SHA1
7843ef134908b613c53af58ac28ec96c4ddbe836

SHA256
182c71bb7cf74da6ac939952c89e0077d25686e8699ed2787344c01ab0e7c26e

SHA512
3327490e260659bfe068a44eb0fdfad6b454e480976b8c24c55554351975484da43a6569794d449d1456608de5fc4314454a91f427be502c3d13a53a196c76c0

Download Submit
memory/2316-21-0x00000000005C0000-0x0000000000662000-memory.dmp

Filesize
648KB

Download
memory/2316-35-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2316-19-0x0000000000690000-0x00000000006BA000-memory.dmp

Filesize
168KB

Download
memory/2316-20-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2316-0-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download
memory/2316-17-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2316-1-0x0000000000F90000-0x0000000001036000-memory.dmp

Filesize
664KB

Download
memory/2316-4-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-26-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-34-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-32-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-28-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-23-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-39-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-22-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-24-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-80-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing