Overview

overview

10

Static

static

3

efceaf7e2e...18.exe

windows7-x64

10

efceaf7e2e...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    efceaf7e2ef3571994926d4590f2e558_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240921-pswnkasdjg

  • MD5

    efceaf7e2ef3571994926d4590f2e558

  • SHA1

    cebdfdbc028d997d7ca7a144a41d037f1d2c188f

  • SHA256

    68e514e18e7353c018dd48e6f237e5f7c57def18a357156ffca7dd3826ee7426

  • SHA512

    4719430114276dd1771de4ce0674eeac651c3f4f87b651c2a75f3380a3a9dc6d1699298d1e02043fbbef4f29dfaf1ce1c0a67d3c79f62294a6ce478da51cc121

  • SSDEEP

    24576:XYmA5I99jizYqwmwFyb4OYLhHkpBDm8S78aJ9nLb3dNNNNm:XYmt9jicfmrb4OYlkpBDmTPPn9NNNN

Score
10/10
lokibotponycollectioncredential_accessdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://devhaevents.us/22334455/anel/alive/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

pony

C2

http://cn-list.info/tosibe/panel/gate.php

Attributes
  • payload_url

    http://cn-list.info/tosibe/panel/file.exe

Targets

    • Target

      efceaf7e2ef3571994926d4590f2e558_JaffaCakes118

    • Size

      1.1MB

    • MD5

      efceaf7e2ef3571994926d4590f2e558

    • SHA1

      cebdfdbc028d997d7ca7a144a41d037f1d2c188f

    • SHA256

      68e514e18e7353c018dd48e6f237e5f7c57def18a357156ffca7dd3826ee7426

    • SHA512

      4719430114276dd1771de4ce0674eeac651c3f4f87b651c2a75f3380a3a9dc6d1699298d1e02043fbbef4f29dfaf1ce1c0a67d3c79f62294a6ce478da51cc121

    • SSDEEP

      24576:XYmA5I99jizYqwmwFyb4OYLhHkpBDm8S78aJ9nLb3dNNNNm:XYmt9jicfmrb4OYlkpBDmTPPn9NNNN

    Score
    10/10
    lokibotponycollectioncredential_accessdiscoveryratspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks