General

  • Target

    fa0cfc7cdb30e169af308455c3cba96a_JaffaCakes118

  • Size

    616KB

  • Sample

    240927-j7dteataln

  • MD5

    fa0cfc7cdb30e169af308455c3cba96a

  • SHA1

    f4054047b1c5b234cbf9f5ff5c5e13e515287df0

  • SHA256

    d309c7644924688608e64ff7f3c6ecca1885ffc843754f813f4ad61948b24119

  • SHA512

    b4486af9d00ed9b03d8b828e7132add2459dd60ba9dbfacc2c52ec583fce76e279012e9107e6119b8d01250211d6534fe7af6a65088ba02c3250cd526c2b57f8

  • SSDEEP

    12288:aaRMD9dYBUQbBqW86ndYu1fr+SnRzLOKk3:Ad06W86dz9rvza

Malware Config

Extracted

Family

lokibot

C2

http://caesragroup.com/king/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      fa0cfc7cdb30e169af308455c3cba96a_JaffaCakes118

    • Size

      616KB

    • MD5

      fa0cfc7cdb30e169af308455c3cba96a

    • SHA1

      f4054047b1c5b234cbf9f5ff5c5e13e515287df0

    • SHA256

      d309c7644924688608e64ff7f3c6ecca1885ffc843754f813f4ad61948b24119

    • SHA512

      b4486af9d00ed9b03d8b828e7132add2459dd60ba9dbfacc2c52ec583fce76e279012e9107e6119b8d01250211d6534fe7af6a65088ba02c3250cd526c2b57f8

    • SSDEEP

      12288:aaRMD9dYBUQbBqW86ndYu1fr+SnRzLOKk3:Ad06W86dz9rvza

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks