lokibot | a937d51e08c3cf899d69d9e0d7d4f63c2bb82df4760054107eae1a2f6d189b08

General

Target

f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe
Size

387KB
MD5

f4d88e9cc556ca0c234310293ac5b037
SHA1

f452b5bdbc4d7a08764dae470a89272061e6eb8a
SHA256

a937d51e08c3cf899d69d9e0d7d4f63c2bb82df4760054107eae1a2f6d189b08
SHA512

a3bfa82f8133fe3159b95868cba40207693ed50dbec34f072ed96797f9e3f3106a746ec28e18e42b8ae16e3de1fcd6c5522b8886d2b1645cb2addad2e90f46d4
SSDEEP

3072:i5UC3t0HIParaeW/qkXKDPMO5Mp8y3MReAG6ZDd2eIcz3BdMz6I72Owzu:0Uct00iPAXCl5MWyWekuCImIBwu

Score

10^/10

lokibot collection discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://ipqbook.com/glory/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 2024	2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	92

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe
2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe
Token: SeDebugPrivilege	2024	vbc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 552	2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	89
PID 2056 wrote to memory of 552	2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	89
PID 2056 wrote to memory of 552	2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	89
PID 552 wrote to memory of 4952	552	csc.exe	91
PID 552 wrote to memory of 4952	552	csc.exe	91
PID 552 wrote to memory of 4952	552	csc.exe	91
PID 2056 wrote to memory of 2024	2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	92
PID 2056 wrote to memory of 2024	2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	92
PID 2056 wrote to memory of 2024	2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	92
PID 2056 wrote to memory of 2024	2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	92
PID 2056 wrote to memory of 2024	2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	92
PID 2056 wrote to memory of 2024	2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	92
PID 2056 wrote to memory of 2024	2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	92
PID 2056 wrote to memory of 2024	2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	92
PID 2056 wrote to memory of 2024	2056	f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe	92

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4d88e9cc556ca0c234310293ac5b037_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5dgtscrz\5dgtscrz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6433.tmp" "c:\Users\Admin\AppData\Local\Temp\5dgtscrz\CSC79296244F58649618D54C98321FB52.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4952
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=2708 /prefetch:8
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5dgtscrz\5dgtscrz.dll

Filesize
6KB

MD5
c88fcab49919580b6b6fdb5e4fb7c60a

SHA1
3f2bc44bf417a537d8943226c542561efa95498c

SHA256
fe79ed7905a9fd7f6606434fb7782b4312b17d78cd9391958adfd47966b3d569

SHA512
eb9f419de176fb8dd9734a4ecb1f79664c0ec799d6d11def0434e3812c38092655f32887c774a7db29562d1f4d8dca0149962cb54a2e7a58109cac3f5d76d20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dgtscrz\5dgtscrz.pdb

Filesize
15KB

MD5
080caf329cfbdf105f375328a6a4a2ca

SHA1
f87e6d1ab9d551689d20de62c6037493480e7a18

SHA256
646d607bb4e58ddda5fd2fd5dac133f21ade427ea1dd5a495b99784b739b09aa

SHA512
1443797fa7dde58776cffb0c122a611bd13c7b0b1b2e0e65e049fad447e6de8d55d93e137b5d6076886cf54a2c1ef2b28511f12becac8c5eb029c5fa60024513

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6433.tmp

Filesize
1KB

MD5
cab524205cfa7e8974472296cb6668eb

SHA1
2f6078d1a087bd60341fd6340787f36c557ee932

SHA256
43c38eb4182b1668d93868ddf8c606c99141da0d0b556eabbbdec30c1fdfb0fc

SHA512
e48be2d2bda2ee3271801f782d6df71e08a2140d7561d47bae6ed3a06d9d48790de6930ccb33b254f2b90a3f4dad4a842164e55a0ff4649e04174577ef51a95b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2170637797-568393320-3232933035-1000\0f5007522459c86e95ffcc62f32308f1_76278eb0-9988-43b4-9423-af5897ebbcb4

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2170637797-568393320-3232933035-1000\0f5007522459c86e95ffcc62f32308f1_76278eb0-9988-43b4-9423-af5897ebbcb4

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5dgtscrz\5dgtscrz.0.cs

Filesize
2KB

MD5
c88a65c432ea35b6e29f700043978af5

SHA1
f99b4986563f92c40890386dd865bad8d4b7f12e

SHA256
74718d63051f63f84b8316fca22b5088419500fca708ace9fff2879cfaf523b9

SHA512
e063191f34c033fa5cd59b794771de38646f40778e0cce6c74080dba905df7e59843bd5980614759a96df5cc19755801c4db6d12236f0c4d9f532e86673f2086

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5dgtscrz\5dgtscrz.cmdline

Filesize
312B

MD5
55f1e518e3f81c59fa4a432348ff1976

SHA1
97d827799ddba98f1093dd45bd270ceb7e81e1c4

SHA256
6db1fb7fcc2c0090b861087cf6f7f7c1a8fb9f635da598fbd7b5b53ddf68523c

SHA512
ddaf15c1305967d14a384cbbb77827cc38d7e5ddcb086b7601b8c6ba50dc6000a689a2ae50e2d978bccb5567063b33f102581bf6ccd26d41bf2ac1cccd6d2ec1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5dgtscrz\CSC79296244F58649618D54C98321FB52.TMP

Filesize
1KB

MD5
aa9e2f0d5077469eb2510ac5cf2ef8ed

SHA1
90065faa3bee4d3b316b05986fb133059dfbf2c9

SHA256
3b9cdbc1be910be3bf08a8b543e4cd20748e2e0f5bc4164f83a910ac9a3b89ce

SHA512
ad2081260da3a67cec2c2a4717d4d894cf50192915f1c10e76a36a93b6e67a41d37c412edf409fddefe3401f64a34cc2c8bc60f5526cf905040d1b5f29e4450c

Download Submit
memory/2024-74-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2024-29-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2024-27-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2024-25-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2056-24-0x0000000005A00000-0x0000000005A9C000-memory.dmp

Filesize
624KB

Download
memory/2056-22-0x0000000005660000-0x000000000566C000-memory.dmp

Filesize
48KB

Download
memory/2056-23-0x0000000005680000-0x0000000005722000-memory.dmp

Filesize
648KB

Download
memory/2056-21-0x00000000054D0000-0x00000000054FA000-memory.dmp

Filesize
168KB

Download
memory/2056-19-0x0000000005480000-0x0000000005488000-memory.dmp

Filesize
32KB

Download
memory/2056-3-0x00000000052B0000-0x00000000052B8000-memory.dmp

Filesize
32KB

Download
memory/2056-4-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/2056-30-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/2056-2-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/2056-1-0x0000000000930000-0x0000000000964000-memory.dmp

Filesize
208KB

Download
memory/2056-0-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing