lokibot | 165f271fb293701f0b6ab71033eeb9568c18aefcdd847060a3d57475eae2aeed

General

Target

71bc06523eff20bda9197d0020b751cf_JaffaCakes118.msi
Size

656KB
MD5

71bc06523eff20bda9197d0020b751cf
SHA1

3215635a506e4c538daa7adcd1606d348d25e0b5
SHA256

165f271fb293701f0b6ab71033eeb9568c18aefcdd847060a3d57475eae2aeed
SHA512

a29e3852395e9fdfc74686b648394ae811eb4b3e14c2592273a765539d844f419a7c505868beb57a858f39f9ae296b16e97ba87562d0662e955fbc73566d6ee0
SSDEEP

6144:EE7TMenVqe/eD8zNa0ILko3H5M1T5DsApiRCDE6YG320A5E7cYDvhRNQ0OBjtguZ:EEXnVqKeDI/ID3HxBuGurTNr2

Score

10^/10

lokibot collection discovery persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://spimagesinc.com/images/ImgDump_04-25-16/picture/gallery/newfoldwer/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

MSI9E35.tmp

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSI9E35.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	MSI9E35.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	MSI9E35.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

MSI9E35.tmp

description pid process target process

PID 4568 set thread context of 1540 4568 MSI9E35.tmp MSI9E35.tmp

description	pid	process	target process
PID 4568 set thread context of 1540	4568	MSI9E35.tmp	MSI9E35.tmp

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9DD6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E35.tmp	msiexec.exe
File created	C:\Windows\Installer\e579d0b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e579d0b.msi	msiexec.exe

Executes dropped EXE 2 IoCs

Processes:

MSI9E35.tmpMSI9E35.tmp

pid process

4568 MSI9E35.tmp
1540 MSI9E35.tmp
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

2948 msiexec.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

MSI9E35.tmp

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSI9E35.tmp

pid	process
4568	MSI9E35.tmp
1540	MSI9E35.tmp

pid	process
2948	msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI9E35.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001a73a27760024bf60000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001a73a2770000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001a73a277000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1a73a277000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001a73a27700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

5036 msiexec.exe
5036 msiexec.exe

pid	process
5036	msiexec.exe
5036	msiexec.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeMSI9E35.tmpsrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	2948	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2948	msiexec.exe
Token: SeSecurityPrivilege	5036	msiexec.exe
Token: SeCreateTokenPrivilege	2948	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2948	msiexec.exe
Token: SeLockMemoryPrivilege	2948	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2948	msiexec.exe
Token: SeMachineAccountPrivilege	2948	msiexec.exe
Token: SeTcbPrivilege	2948	msiexec.exe
Token: SeSecurityPrivilege	2948	msiexec.exe
Token: SeTakeOwnershipPrivilege	2948	msiexec.exe
Token: SeLoadDriverPrivilege	2948	msiexec.exe
Token: SeSystemProfilePrivilege	2948	msiexec.exe
Token: SeSystemtimePrivilege	2948	msiexec.exe
Token: SeProfSingleProcessPrivilege	2948	msiexec.exe
Token: SeIncBasePriorityPrivilege	2948	msiexec.exe
Token: SeCreatePagefilePrivilege	2948	msiexec.exe
Token: SeCreatePermanentPrivilege	2948	msiexec.exe
Token: SeBackupPrivilege	2948	msiexec.exe
Token: SeRestorePrivilege	2948	msiexec.exe
Token: SeShutdownPrivilege	2948	msiexec.exe
Token: SeDebugPrivilege	2948	msiexec.exe
Token: SeAuditPrivilege	2948	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2948	msiexec.exe
Token: SeChangeNotifyPrivilege	2948	msiexec.exe
Token: SeRemoteShutdownPrivilege	2948	msiexec.exe
Token: SeUndockPrivilege	2948	msiexec.exe
Token: SeSyncAgentPrivilege	2948	msiexec.exe
Token: SeEnableDelegationPrivilege	2948	msiexec.exe
Token: SeManageVolumePrivilege	2948	msiexec.exe
Token: SeImpersonatePrivilege	2948	msiexec.exe
Token: SeCreateGlobalPrivilege	2948	msiexec.exe
Token: SeBackupPrivilege	2628	vssvc.exe
Token: SeRestorePrivilege	2628	vssvc.exe
Token: SeAuditPrivilege	2628	vssvc.exe
Token: SeBackupPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeDebugPrivilege	4568	MSI9E35.tmp
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeBackupPrivilege	4188	srtasks.exe
Token: SeRestorePrivilege	4188	srtasks.exe
Token: SeSecurityPrivilege	4188	srtasks.exe
Token: SeTakeOwnershipPrivilege	4188	srtasks.exe
Token: SeBackupPrivilege	4188	srtasks.exe
Token: SeRestorePrivilege	4188	srtasks.exe
Token: SeSecurityPrivilege	4188	srtasks.exe
Token: SeTakeOwnershipPrivilege	4188	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2948 msiexec.exe
2948 msiexec.exe

pid	process
2948	msiexec.exe
2948	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

msiexec.exeMSI9E35.tmp

description	pid	process	target process
PID 5036 wrote to memory of 4188	5036	msiexec.exe	srtasks.exe
PID 5036 wrote to memory of 4188	5036	msiexec.exe	srtasks.exe
PID 5036 wrote to memory of 4568	5036	msiexec.exe	MSI9E35.tmp
PID 5036 wrote to memory of 4568	5036	msiexec.exe	MSI9E35.tmp
PID 5036 wrote to memory of 4568	5036	msiexec.exe	MSI9E35.tmp
PID 4568 wrote to memory of 1540	4568	MSI9E35.tmp	MSI9E35.tmp
PID 4568 wrote to memory of 1540	4568	MSI9E35.tmp	MSI9E35.tmp
PID 4568 wrote to memory of 1540	4568	MSI9E35.tmp	MSI9E35.tmp
PID 4568 wrote to memory of 1540	4568	MSI9E35.tmp	MSI9E35.tmp
PID 4568 wrote to memory of 1540	4568	MSI9E35.tmp	MSI9E35.tmp
PID 4568 wrote to memory of 1540	4568	MSI9E35.tmp	MSI9E35.tmp
PID 4568 wrote to memory of 1540	4568	MSI9E35.tmp	MSI9E35.tmp
PID 4568 wrote to memory of 1540	4568	MSI9E35.tmp	MSI9E35.tmp
PID 4568 wrote to memory of 1540	4568	MSI9E35.tmp	MSI9E35.tmp

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

MSI9E35.tmp

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	MSI9E35.tmp

outlook_win_path 1 IoCs

Processes:

MSI9E35.tmp

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSI9E35.tmp

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\71bc06523eff20bda9197d0020b751cf_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2948

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4188
- C:\Windows\Installer\MSI9E35.tmp
  "C:\Windows\Installer\MSI9E35.tmp"
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\Installer\MSI9E35.tmp
    "C:\Windows\Installer\MSI9E35.tmp"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Executes dropped EXE
    - outlook_office_path
    - outlook_win_path
    PID:1540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Privilege Escalation

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Defense Evasion

System Binary Proxy Execution

1

T1218

Msiexec

1

T1218.007

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579d0e.rbs

Filesize
663B

MD5
08c4b04f9ab2d4c2e679da226e113f5a

SHA1
d4bd26696b62514d1c9c43725bc8f16af33ad4ea

SHA256
7fe3fdcdd3421cfcb5d4320425867ccb6cf53591b5ae6d88474b2b1c1bc48d18

SHA512
f695e75e65efbf2d69010fe3b6d24999c4f8aeda1fe1b8b5045590c666b115c213c99d8d50a56dc99c6901225de3d0a01182563915e44c534f9a832a240499c1

Download Submit
C:\Windows\Installer\MSI9E35.tmp

Filesize
632KB

MD5
24d6ee30e47dc5886977b78f26fae187

SHA1
70b855b7756bc66d94b0ba6f78f4c15542df4c81

SHA256
71a00fcf74a3d6b9390e289f50b80ad5bd41b9ed64e1a924c8ea7a851ecccf36

SHA512
d2701478d951266a1e32432926a02c3b72e3d852b2f5ad07410ab62e3c9a9c6074fdc131ff6853a54f368e9e857a2dbfe9ce80ddedbf7ecceac23a88d9b36893

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
2dbb1b0b5d96b31b4a9c6390161bb036

SHA1
7f15325db5a1f8c52b0dd996a255b55d8fbb5488

SHA256
837444ac51003a6242ad21a61a9b32b0589a84b3779dd21de0c48ff35222faa2

SHA512
1f6a19ea8fc7346de325dcd84e69043baff8b2124e82ec6f1c950df5e4777ebb68854f33cdd2825233191222ac1ff9e76a0775057330865979131477a86b5374

Download Submit
\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{67acee5c-9d0b-4196-8e47-91eeb3c70f3e}_OnDiskSnapshotProp

Filesize
6KB

MD5
80b0bdf1211767a473abcbb0e8bc3f52

SHA1
4878814f24aaffc86b4b5c824f013b04bf085e0e

SHA256
7615e6b752bcbdcc3796d995fc7d6024942060a25377d36f91232e563ff03e86

SHA512
2a5d10cdbfa0cc870897a93466780e1f401cf3b0d95c3cf1cf8ec072692d5a2a32d10618c779e184b6bdd7466c962c7e969bff0ac1b28a86d680a78d68ab85d2

Download Submit
memory/1540-13-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1540-12-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1540-18-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1540-15-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1540-14-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads