General

  • Target: JaffaCakes118_0c227197081aad97e3019571776a74b7
  • Size: 620KB
  • Sample: 250106-d57qtaxmdm
  • MD5: 0c227197081aad97e3019571776a74b7
  • SHA1: b713999899b3168f1e2834ce8be3568decf9b454
  • SHA256: ed0f774746a405b01841e310f8f6459d04b75aaa518dbd98965615285342bd12
  • SHA512: b613d0922e89c0986f2713f5f38276aa6dd9562dac9ab47411c87f62a6dc74491bac9de37b70f23f4a40304ab7f7afe0bbd5b845bd2feeddf575f813e47c6617
  • SSDEEP: 12288:UioaiZ3OCUfJdIxiEIHu4lwfeehsxb+vhu1Jy37GPEI21gRudrl:pniZ3yPZbHu4mfeehAb+6g

Malware Config

Extracted

  • Family: lokibot
  • C2:
    http://63.250.40.204/~wpdemo/file.php?search=page321
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Target: JaffaCakes118_0c227197081aad97e3019571776a74b7 (hashes as in General above)

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Lokibot family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks