General

  • Target

    c1929c01d6adbb6635757097ff5d95d6_JaffaCakes118

  • Size

    974KB

  • Sample

    241204-jqttastmhk

  • MD5

    c1929c01d6adbb6635757097ff5d95d6

  • SHA1

    830557cd37d07a4b7a9a500fe0f1f5099d436e43

  • SHA256

    fe11921cd872f4c76fa3d9698da1aeba5470bb58e6b64e7537d29b4a8980cf3c

  • SHA512

    dfee7060eacacb8da3a3fac4e2b39995af27ca6a30d9ef609739346461d527db3a327f38446cb750e145a5348cc1b5855911576f31e3c1fbc4bff04d5e0ffbc2

  • SSDEEP

    12288:83RFUa2iNwY05uYGrFDsugLcwLVvVfSkVylG5B7/I070JQ:na1W5uYGrFj+x5EsylwBR70JQ

Malware Config

Extracted

Family

lokibot

C2

http://185.227.139.5/sxisodifntose.php/S7zr5v1fXI3Rb

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      c1929c01d6adbb6635757097ff5d95d6_JaffaCakes118

    • Size

      974KB

    • MD5

      c1929c01d6adbb6635757097ff5d95d6

    • SHA1

      830557cd37d07a4b7a9a500fe0f1f5099d436e43

    • SHA256

      fe11921cd872f4c76fa3d9698da1aeba5470bb58e6b64e7537d29b4a8980cf3c

    • SHA512

      dfee7060eacacb8da3a3fac4e2b39995af27ca6a30d9ef609739346461d527db3a327f38446cb750e145a5348cc1b5855911576f31e3c1fbc4bff04d5e0ffbc2

    • SSDEEP

      12288:83RFUa2iNwY05uYGrFDsugLcwLVvVfSkVylG5B7/I070JQ:na1W5uYGrFj+x5EsylwBR70JQ

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks