General
Target: 075d567c223a0fc19febd6ace51b0376_JaffaCakes118
Size: 792KB
Sample: 241001-zk9wbstcnd
MD5: 075d567c223a0fc19febd6ace51b0376
SHA1: 3c8b59ea4d77f6d399d6ad88e797443b106d5c72
SHA256: e7b980821a732787845f7a82c0668eba06140a5ebf32fc4c783a9c94d25a83e0
SHA512: 30f3a84da2b9899e6cc2e2159e486e995e55f9165d43cb0edec2e334fd3eb81fa6aae982c7483b0da2a334d91f3639c8b801c9fb29b1dca0eb8bcfed1f5ac933
SSDEEP: 12288:ZHFYKSn3qGaNHEyC9/oR9gy5FHK7zlhbHTjIVgBYpHnkHiLdHeA0nACLLBqRd6hg:ZHKKSPp9AR95yzTsdn1LEA0nRXBL7Cv
Static task: static1
Behavioral task: behavioral1
Sample: 075d567c223a0fc19febd6ace51b0376_JaffaCakes118.exe
Resource: win7-20240729-en
Malware Config
Extracted family: lokibot
C2 URLs (extracted as-is; note the doubled slash in the first path):
http://lokiik.xyz//vf/cf/yo.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
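The C2 URLs above turned into a proxy-log matcher, as an added example (this is not part of the sandbox report and not the family's own code). It normalizes the doubled slash in the first path so a beacon to the same endpoint still matches, and distinguishes an exact C2 endpoint hit from a bare contact with a C2 host. The log format and the log lines are constructed for the example; the User-Agent string is the one publicly reported for LokiBot beacons and is not taken from this page.

```python
"""Match the extracted LokiBot C2 indicators against proxy log lines."""
import re
from urllib.parse import urlsplit

# C2 URLs exactly as extracted on the report page.
C2_URLS = [
    "http://lokiik.xyz//vf/cf/yo.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Assumption from public LokiBot reporting (not from this page): the bot beacons
# with this fixed User-Agent, which is a useful secondary indicator.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Constructed log format: <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic: two beacons, one benign request, one bare host contact,
# one internal host hit on the same path but with the LokiBot UA.
SAMPLE_LOG = """\
2024-10-01T12:00:01Z 10.0.0.5 POST http://alphastand.trade/alien/fre.php 200 "Mozilla/4.08 (Charon; Inferno)"
2024-10-01T12:00:02Z 10.0.0.5 POST http://lokiik.xyz/vf/cf/yo.php 200 "Mozilla/4.08 (Charon; Inferno)"
2024-10-01T12:00:03Z 10.0.0.7 GET http://example.com/index.html 200 "Mozilla/5.0"
2024-10-01T12:00:04Z 10.0.0.9 GET http://kbfvzoboss.bid/favicon.ico 200 "Mozilla/5.0"
2024-10-01T12:00:05Z 10.0.0.11 POST http://intranet.local/alien/fre.php 200 "Mozilla/4.08 (Charon; Inferno)"
"""


def normalize_path(path: str) -> str:
    """Collapse repeated slashes: '//vf/cf/yo.php' and '/vf/cf/yo.php' compare equal."""
    return "/" + "/".join(p for p in path.split("/") if p)


def build_indicators(urls):
    """Return (set of C2 hosts, set of (host, normalized path) endpoints)."""
    hosts, endpoints = set(), set()
    for u in urls:
        parts = urlsplit(u)
        host = (parts.hostname or "").lower()
        hosts.add(host)
        endpoints.add((host, normalize_path(parts.path)))
    return hosts, endpoints


def classify(line, hosts, endpoints):
    """Return {'src', 'url', 'reasons'} for a parsable line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    host = (parts.hostname or "").lower()
    reasons = []
    if (host, normalize_path(parts.path)) in endpoints:
        reasons.append("c2_endpoint")      # exact C2 host + path
    elif host in hosts:
        reasons.append("c2_host")          # C2 host, but a different path
    if m["ua"] == LOKIBOT_UA:
        reasons.append("lokibot_ua")       # beacon User-Agent, wherever it goes
    return {"src": m["src"], "url": m["url"], "reasons": reasons}


def scan_log(text, urls=C2_URLS):
    """Return the list of matching records, in log order, skipping lines with no hit."""
    hosts, endpoints = build_indicators(urls)
    hits = []
    for line in text.splitlines():
        rec = classify(line.strip(), hosts, endpoints)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["src"], hit["url"], ",".join(hit["reasons"]))
```

The last sample line is the case worth noting: a request to a host that is not in the config but carries the beacon User-Agent and the same `/alien/fre.php` panel path. That is how a new or rotated C2 domain shows up before it reaches any indicator list, so the UA hit is reported on its own rather than only in combination with a known host.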
Targets
Target: 075d567c223a0fc19febd6ace51b0376_JaffaCakes118 (792KB)
Signatures:
- Looks for VirtualBox Guest Additions in registry (VM/sandbox detection)
- Looks for VMware Tools registry key (VM/sandbox detection)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Accesses Microsoft Outlook profiles: the Outlook profile registry data is read to harvest stored mail account credentials.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext: setting another thread's context is a step commonly seen when a payload is injected into a newly created process (process hollowing).
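The registry-based signatures above, expressed as detection logic over host telemetry. This is an added example, not part of the sandbox report: it groups Sysmon-style RegistryEvent records by process and raises a sandbox-evasion finding only when one process touches at least two of the VM/BIOS/disk keys, plus a credential-access finding when it reads Outlook profile keys. The registry paths are the well-known locations behind each signature (not quoted from this page), and the event records, process names and threshold are constructed for the example.

```python
"""Correlate registry reads per process against the sandbox-evasion and
credential-access signatures from the report."""
import re
from collections import defaultdict

# Well-known registry locations behind each signature (case-insensitive match).
# The Outlook pattern covers the Office-version-specific profile key and the
# older "Windows Messaging Subsystem" profile store.
SIGNATURES = [
    ("vbox_guest_additions", re.compile(r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", re.I)),
    ("vmware_tools", re.compile(r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools", re.I)),
    ("bios_info", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", re.I)),
    ("disk_enum", re.compile(r"\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum", re.I)),
    ("outlook_profiles", re.compile(
        r"\\Software\\Microsoft\\(Office\\[\d.]+\\Outlook|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\",
        re.I)),
]
EVASION = {"vbox_guest_additions", "vmware_tools", "bios_info", "disk_enum"}

# Constructed events modelled on Sysmon Event ID 12/13 fields (ProcessId, Image,
# TargetObject). PID 4120 behaves like the sample; the other two are legitimate
# single-key reads that a naive per-key rule would flag.
EVENTS = [
    {"pid": 4120, "image": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "target": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"pid": 4120, "image": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "target": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"pid": 4120, "image": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"pid": 4120, "image": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0"},
    {"pid": 4120, "image": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002"},
    {"pid": 900, "image": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "target": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools\InstallPath"},
    {"pid": 1200, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\Count"},
]


def match_signatures(target: str) -> set:
    """Names of every signature whose path pattern occurs in the registry target."""
    return {name for name, rx in SIGNATURES if rx.search(target)}


def evaluate(events, evasion_threshold: int = 2) -> dict:
    """Return {pid: {'image', 'signatures', 'tags'}} for processes that cross a threshold."""
    per_pid = defaultdict(lambda: {"image": None, "sigs": set()})
    for ev in events:
        entry = per_pid[ev["pid"]]
        entry["image"] = ev["image"]
        entry["sigs"] |= match_signatures(ev["target"])

    findings = {}
    for pid, entry in per_pid.items():
        tags = []
        # One VM/BIOS/disk read is normal (hypervisor agents, hardware inventory);
        # several distinct ones from the same process is the evasion pattern.
        if len(entry["sigs"] & EVASION) >= evasion_threshold:
            tags.append("sandbox-evasion")
        if "outlook_profiles" in entry["sigs"]:
            tags.append("credential-access")
        if tags:
            findings[pid] = {"image": entry["image"],
                             "signatures": sorted(entry["sigs"]), "tags": tags}
    return findings


if __name__ == "__main__":
    for pid, f in evaluate(EVENTS).items():
        print(pid, f["image"], f["tags"], f["signatures"])
```

The threshold is the point of the example: vmtoolsd.exe reading its own VMware Tools key and svchost.exe enumerating disks are everyday activity, so each of the report's VM-detection signatures is weak alone and only their co-occurrence in one process is worth alerting on. In a real deployment the grouping should also be bounded in time (a short window after process start), and the SetThreadContext signature from the report is a separate, higher-confidence injection indicator that this registry-only logic does not cover.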
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (T1555): 1 signature
- Credentials from Web Browsers (T1555.003): 1 signature
- Unsecured Credentials (T1552): 1 signature
- Credentials In Files (T1552.001): 1 signature