General

  • Target

    ff3a9b3e49d0dc6b0f91956d44a10b83_JaffaCakes118

  • Size

    679KB

  • Sample

    241219-kw98xaxpcs

  • MD5

    ff3a9b3e49d0dc6b0f91956d44a10b83

  • SHA1

    a309a98a10c9de52cf1d109eed34276220237a0a

  • SHA256

    f513586a6714e75f26ce6068996b786f33711477f413ab918b5a736d6daca9a5

  • SHA512

    c69887011b526f979bcdb7916ec3a6ab0f38246312ff37603658a610881de7676f51f156437594f7b83f69c820d16a332a89dc836f70f3e5ce57352349f7ff2c

  • SSDEEP

    12288:UtzV7HK7zpxbBzMYQQxq4KwVKaPZN4vAjLR6S+t+Pi+khRO:iz8lrzU62da9P+t+Pi+q

Malware Config

Extracted

Family

lokibot

C2

https://ecurs.ro/upgrade/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      ff3a9b3e49d0dc6b0f91956d44a10b83_JaffaCakes118

    • Size

      679KB

    • MD5

      ff3a9b3e49d0dc6b0f91956d44a10b83

    • SHA1

      a309a98a10c9de52cf1d109eed34276220237a0a

    • SHA256

      f513586a6714e75f26ce6068996b786f33711477f413ab918b5a736d6daca9a5

    • SHA512

      c69887011b526f979bcdb7916ec3a6ab0f38246312ff37603658a610881de7676f51f156437594f7b83f69c820d16a332a89dc836f70f3e5ce57352349f7ff2c

    • SSDEEP

      12288:UtzV7HK7zpxbBzMYQQxq4KwVKaPZN4vAjLR6S+t+Pi+khRO:iz8lrzU62da9P+t+Pi+q

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks