lokibot | a937d51e08c3cf899d69d9e0d7d4f63c2bb82df4760054107eae1a2f6d189b08

General

Target

f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe
Size

387KB
MD5

f4d88e9cc556ca0c234310293ac5b037
SHA1

f452b5bdbc4d7a08764dae470a89272061e6eb8a
SHA256

a937d51e08c3cf899d69d9e0d7d4f63c2bb82df4760054107eae1a2f6d189b08
SHA512

a3bfa82f8133fe3159b95868cba40207693ed50dbec34f072ed96797f9e3f3106a746ec28e18e42b8ae16e3de1fcd6c5522b8886d2b1645cb2addad2e90f46d4
SSDEEP

3072:i5UC3t0HIParaeW/qkXKDPMO5Mp8y3MReAG6ZDd2eIcz3BdMz6I72Owzu:0Uct00iPAXCl5MWyWekuCImIBwu

Score

10^/10

lokibot collection discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://ipqbook.com/glory/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2752	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	34

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe
3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe
Token: SeDebugPrivilege	2752	vbc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2392	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2392	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2392	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2392	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2144	2392	csc.exe	33
PID 2392 wrote to memory of 2144	2392	csc.exe	33
PID 2392 wrote to memory of 2144	2392	csc.exe	33
PID 2392 wrote to memory of 2144	2392	csc.exe	33
PID 3044 wrote to memory of 2752	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	34
PID 3044 wrote to memory of 2752	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	34
PID 3044 wrote to memory of 2752	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	34
PID 3044 wrote to memory of 2752	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	34
PID 3044 wrote to memory of 2752	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	34
PID 3044 wrote to memory of 2752	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	34
PID 3044 wrote to memory of 2752	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	34
PID 3044 wrote to memory of 2752	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	34
PID 3044 wrote to memory of 2752	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	34
PID 3044 wrote to memory of 2752	3044	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\feui2gpd\feui2gpd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB5A.tmp" "c:\Users\Admin\AppData\Local\Temp\feui2gpd\CSC6648A5AE30E34D019F3DA3636761DD56.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCB5A.tmp

Filesize
1KB

MD5
fce33847501df590535b6ea790d37edd

SHA1
ede1ede41ace8c6bb399030ae85765b5b1532834

SHA256
f499f66a318b73ef8a52507425c1bc5de8389b021566e9fd63be9abf522d96c4

SHA512
d7472e4a75ca6161494087157ab5a8901bcda9626f574cb6c7ade7d1aaa40a172f6fa50d15b31295f6a5446f923880d571cbf7ec82724d277f26c4a2b189e949

Download Submit
C:\Users\Admin\AppData\Local\Temp\feui2gpd\feui2gpd.dll

Filesize
6KB

MD5
a786393702e8f53485cc8a4104057f65

SHA1
ff345f6e0fac5a9e7f25f09653482cdc4dd926f4

SHA256
380ba55aedc04be68d80af989bb50ea035c4581ed0e69dad30a4d01f78b2a15a

SHA512
1c3455646181f27a408ed1397dc989bce1f98f35b8596ebe90395a52ebdff2021b831b569ddcbb31cdeb5a2d064a167031232a8be208e5bcffc715470811fea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\feui2gpd\feui2gpd.pdb

Filesize
15KB

MD5
4b60769ed7a73c5147f5ed5a273af261

SHA1
c231b05dae74154f4ac44b457e11b78c95aec6bf

SHA256
f83c03f9a38ee9d879460a114a5bcd377cda2de147d0ddd8973f5ae543914c7e

SHA512
9116a9c753e0b4b8141630152f0d4ebf57a82a109a0263ac47844dfdc880f6037504a8940446e4c10cb0c020d5d042f93615b6902d5019f85ecb12f3fb88f85e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\feui2gpd\CSC6648A5AE30E34D019F3DA3636761DD56.TMP

Filesize
1KB

MD5
b11f1c72c2bfc05f468237b0f43f57cb

SHA1
d8af07deee132636ac67375e20ba1eefe741cea6

SHA256
c406e07296ce4894be40f03ba20194ae2e4059fdc00f4810a539bab70a484680

SHA512
a6d88baf6ae6c50f4bd4673a1294797325375501c6ec276f1b22202ddd3d35ed271b71411d59b198b6f368e99a607ee944ef9989869cc103fa693fc0b6c7e444

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\feui2gpd\feui2gpd.0.cs

Filesize
2KB

MD5
c88a65c432ea35b6e29f700043978af5

SHA1
f99b4986563f92c40890386dd865bad8d4b7f12e

SHA256
74718d63051f63f84b8316fca22b5088419500fca708ace9fff2879cfaf523b9

SHA512
e063191f34c033fa5cd59b794771de38646f40778e0cce6c74080dba905df7e59843bd5980614759a96df5cc19755801c4db6d12236f0c4d9f532e86673f2086

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\feui2gpd\feui2gpd.cmdline

Filesize
312B

MD5
355b4424cdf19f35abbea2d75d6ffc03

SHA1
3531e282748e1d75bce545d871aae0950592ca74

SHA256
8de628add6eccce48920290f2055055f13c95aae19357f9a45786d78e45ac749

SHA512
ecd2c11b20328dcab27e2bbb08984b7f8438149515437a7468d580bdaa579a56e9364fadbac24e928493164643374f6fe618800475c31c4030c3d8b007c17a5e

Download Submit
memory/2752-23-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2752-26-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2752-74-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2752-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2752-38-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2752-24-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2752-27-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2752-25-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2752-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2752-33-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2752-31-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3044-34-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/3044-0-0x000000007403E000-0x000000007403F000-memory.dmp

Filesize
4KB

Download
memory/3044-18-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/3044-22-0x0000000004000000-0x00000000040A2000-memory.dmp

Filesize
648KB

Download
memory/3044-21-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/3044-2-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/3044-1-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/3044-20-0x0000000004510000-0x000000000453A000-memory.dmp

Filesize
168KB

Download
memory/3044-3-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing