lokibot | 4b92829a80befc676cf6f43fc5b7af9037a23e8d4f33b21032988f34ef7b15cc

General

Target

f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe
Size

514KB
MD5

f32385b2aaaf03a2709f4176ef1d3041
SHA1

0a5ecb3938d96828c036888ebcd17dc771cdc545
SHA256

4b92829a80befc676cf6f43fc5b7af9037a23e8d4f33b21032988f34ef7b15cc
SHA512

dd7e8f2bfe832e671eeab01afd8eea9199fb9d2fc5f46c31f46db2ccd41430b55fab85f84f5bbcb21b8b296bad0a9b433404c99deb6d1503302f7e0c540abc9d
SSDEEP

6144:WZ6BmGOhy1aImaiwSA4wp+vXTpCRLu2xwsYSBAz:W0wy1aIpi1j/Tp+u3sk

Score

10^/10

lokibot collection discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://ipqbook.com/emmagroup/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2992 set thread context of 2720	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe	33

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe
2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe
Token: SeDebugPrivilege	2720	vbc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2808	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2808	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2808	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2808	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2628	2808	csc.exe	32
PID 2808 wrote to memory of 2628	2808	csc.exe	32
PID 2808 wrote to memory of 2628	2808	csc.exe	32
PID 2808 wrote to memory of 2628	2808	csc.exe	32
PID 2992 wrote to memory of 2720	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2720	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2720	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2720	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2720	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2720	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2720	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2720	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2720	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2720	2992	f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f32385b2aaaf03a2709f4176ef1d3041_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4b4aalss\4b4aalss.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84AA.tmp" "c:\Users\Admin\AppData\Local\Temp\4b4aalss\CSC6EA28FB9E8AC4DE78CDE84FEBA726699.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2628
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4b4aalss\4b4aalss.dll

Filesize
7KB

MD5
a9d4f51dc2bd66e517d225aaa5bd002d

SHA1
d9083148cc2ecae7353ec874bde33f48f8a63530

SHA256
87bf0d62f223134bbfb8c39442ffa8560e71bdd2c7e3084828b8ed50564ae91b

SHA512
00a485cab29ac03a391ac6092d4808c2b46f1f77ca8b80563e0dea57233bdca95e19596b9a9ea67d2a3f4f14cde60d8617f4f8c6b0512997b89476e969cace40

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b4aalss\4b4aalss.pdb

Filesize
19KB

MD5
242ecff4f6b1da64e17d0adade1ef8de

SHA1
02232c4c23d1700553e5c2bb4bf7437121bfc5e7

SHA256
e4fd631638336bbaf8f63573a7573a1e67d4ae07d5edc08b2d1cb8639823fe2d

SHA512
16e80289d4380150e318ed7521517ad903d92699a0c4505d5be382aaa6db919c37b06bd06b7e4b9b1a6f92dc069a86b2aba3cf5aedec031e61fdf613eb56f4b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES84AA.tmp

Filesize
1KB

MD5
8fe56239e2c4ff3a9794d081ab4a5bd4

SHA1
8cc5bf5dd61a040f95d9ce8e0a9d19da6ffa73ae

SHA256
1336d5511a124305e0ef4f5939f69d39dc4bf703a3d8922be85abddd5e454faf

SHA512
457c97630cedf1e7854361b017bfeec906476c2d707a8ab6d447d1c5a1a09b31d403ecf55567c63561936886d6ac5df4a8c34336424d019d497559bd31fb8e3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-457978338-2990298471-2379561640-1000\0f5007522459c86e95ffcc62f32308f1_7ab03691-fc7c-4787-903d-423aed4b9dc2

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-457978338-2990298471-2379561640-1000\0f5007522459c86e95ffcc62f32308f1_7ab03691-fc7c-4787-903d-423aed4b9dc2

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4b4aalss\4b4aalss.0.cs

Filesize
4KB

MD5
8906b6ce921e9facbab79b01c7facc6b

SHA1
ac8615f9618f7506627e1ece6ee562b5bde509f7

SHA256
c7ec507aa87758ba11185778e2091d8343f895023ec93f7d15f673701163f32a

SHA512
deeb535d4a4960dc0d050ca8c930dc01925922b4c946f01c048e41bf9772361f5e591114a291021e414165385b4da1e7a25431192da77ccf722be4f3ff2c74d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4b4aalss\4b4aalss.cmdline

Filesize
312B

MD5
6091d2d461c3b98a90b4b21b596007eb

SHA1
5bd93164c3e05eb64c0b5fd17a3cac0714f017d9

SHA256
b11efc3b2420e39c36e69aaaf33e8a64a9a92bf4caa30a66edfce87b6eb465fd

SHA512
7beed8b0ead6ac4d5613c9d6be43c44e2d36789ac6ca59997005b4bd6bf4c5d5d4e9de8b863477452cd84a2e0011b2544b6703d78f76ec6b8bd5e09c0353df42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4b4aalss\CSC6EA28FB9E8AC4DE78CDE84FEBA726699.TMP

Filesize
1KB

MD5
dcb6bc79a5aa7947ba9391d93cbfe6ac

SHA1
cf2a44634d5222534e350b2972285a3083a3994e

SHA256
9121416ea5cbb3a6cd4bd8da528528ef9cdd62efe286d4ff641c5cb76d00b619

SHA512
0d43d32187eb71adc75f6e657b55b8cada8e2720c84f43b8e8938e5b6620282489481a741efc4f8b1330e350b77e04766ecff1c14941a85793648a5df8cb7ab9

Download Submit
memory/2720-23-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2720-25-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2720-79-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2720-58-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2720-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-30-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2720-26-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2720-24-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2720-33-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2720-32-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2720-27-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2992-0-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/2992-34-0x00000000749B0000-0x000000007509E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-18-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2992-22-0x00000000004A0000-0x0000000000542000-memory.dmp

Filesize
648KB

Download
memory/2992-21-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2992-2-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/2992-1-0x0000000001270000-0x00000000012C4000-memory.dmp

Filesize
336KB

Download
memory/2992-20-0x0000000000D30000-0x0000000000D5A000-memory.dmp

Filesize
168KB

Download
memory/2992-3-0x00000000749B0000-0x000000007509E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing