Overview

overview

10

Static

static

3

JaffaCakes...47.exe

windows7-x64

10

JaffaCakes...47.exe

windows10-2004-x64

7

$PLUGINSDI...jw.dll

windows7-x64

10

$PLUGINSDI...jw.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_64fb2c665aeaa8ebee0847d93dcd0e47

  • Size

    240KB

  • Sample

    250107-qha5jsvjfr

  • MD5

    64fb2c665aeaa8ebee0847d93dcd0e47

  • SHA1

    9cf26ab3b2d0b3c3babd2a08901401e740b08346

  • SHA256

    a404a5137331f33c5398664ca84996ade49d3849403dc9037f74a5d5311a332a

  • SHA512

    ac2035edd6053dcd46dc019f1ef4dae2cdac8768a8db5cecc6d56119a1606c15ed027d9febab8360c57a14d54b33c6bb9a62ffb0ac30247152951f62de7f83ab

  • SSDEEP

    6144:wBlL/cLODAoVKlKxiyI7Tb4z+6Gc7N77d13fcwqFCQFkZcI:CeK38Ez1GcR113tqkQFkL

Score
10/10
lokibotcollectiondiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://63.250.40.204/~wpdemo/file.php?search=723855

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      JaffaCakes118_64fb2c665aeaa8ebee0847d93dcd0e47

    • Size

      240KB

    • MD5

      64fb2c665aeaa8ebee0847d93dcd0e47

    • SHA1

      9cf26ab3b2d0b3c3babd2a08901401e740b08346

    • SHA256

      a404a5137331f33c5398664ca84996ade49d3849403dc9037f74a5d5311a332a

    • SHA512

      ac2035edd6053dcd46dc019f1ef4dae2cdac8768a8db5cecc6d56119a1606c15ed027d9febab8360c57a14d54b33c6bb9a62ffb0ac30247152951f62de7f83ab

    • SSDEEP

      6144:wBlL/cLODAoVKlKxiyI7Tb4z+6Gc7N77d13fcwqFCQFkZcI:CeK38Ez1GcR113tqkQFkL

    Score
    10/10
    lokibotcollectiondiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/ewvxjjw.dll

    • Size

      19KB

    • MD5

      b4da6dfeb5f5b40d7a1460a07adc85a5

    • SHA1

      904f06f23b0247763a8bc3fca03c9ff4421a06b3

    • SHA256

      1054952993826fff3bf7f156b0a0ce66a8d6a18d1816fa38c053fa2b7a1c0683

    • SHA512

      ab6102e12967cee70fbdac5140440ff67c5e6483541ef39d1140be150a7d759a9234331017ff7c9e7d3004933471d980b5a51dd043d2ea82ff47652cda6efb20

    • SSDEEP

      384:A9gq7t1kfNOaDOoBU2oW9D/kPM9+xuVEKBNnR1:A9gq7tG1OX2Dbx+KBNnR

    Score
    10/10
    lokibotcollectiondiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks