General

  • Target

    c1929c01d6adbb6635757097ff5d95d6_JaffaCakes118

  • Size

    974KB

  • Sample

    241204-jqttastmhk

  • MD5

    c1929c01d6adbb6635757097ff5d95d6

  • SHA1

    830557cd37d07a4b7a9a500fe0f1f5099d436e43

  • SHA256

    fe11921cd872f4c76fa3d9698da1aeba5470bb58e6b64e7537d29b4a8980cf3c

  • SHA512

    dfee7060eacacb8da3a3fac4e2b39995af27ca6a30d9ef609739346461d527db3a327f38446cb750e145a5348cc1b5855911576f31e3c1fbc4bff04d5e0ffbc2

  • SSDEEP

    12288:83RFUa2iNwY05uYGrFDsugLcwLVvVfSkVylG5B7/I070JQ:na1W5uYGrFj+x5EsylwBR70JQ

Malware Config

Extracted

Family

lokibot

C2

http://185.227.139.5/sxisodifntose.php/S7zr5v1fXI3Rb

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks
