Overview

overview

10

Static

static

3

JaffaCakes...0a.exe

windows7-x64

10

JaffaCakes...0a.exe

windows10-2004-x64

7

$PLUGINSDI...ut.dll

windows7-x64

10

$PLUGINSDI...ut.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_d4a99da8dad738056893d74202045a0a

  • Size

    245KB

  • Sample

    250109-23t9pswlhj

  • MD5

    d4a99da8dad738056893d74202045a0a

  • SHA1

    8dce612affbacd3ce2d3736dba594e8af4649ed4

  • SHA256

    96d98cb124bae466e84cad1325dc8fbcbefb44c83efb67231c886a4f0cf6bbaf

  • SHA512

    d124289eaadc29900440573ecf30de9ac19e9fbaa9952b972c2d0e67a3d6da537a7fd188894ce220390a00ef2de24592247add821ccef34d12a4ba37d832561e

  • SSDEEP

    6144:wBlL/cdaM2wjhuXQCOkWOogkgX3sXfa1fzHPyFt8q92:CeLcXQCpf0gMofzvI8q2

Score
10/10
lokibotcollectiondiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      JaffaCakes118_d4a99da8dad738056893d74202045a0a

    • Size

      245KB

    • MD5

      d4a99da8dad738056893d74202045a0a

    • SHA1

      8dce612affbacd3ce2d3736dba594e8af4649ed4

    • SHA256

      96d98cb124bae466e84cad1325dc8fbcbefb44c83efb67231c886a4f0cf6bbaf

    • SHA512

      d124289eaadc29900440573ecf30de9ac19e9fbaa9952b972c2d0e67a3d6da537a7fd188894ce220390a00ef2de24592247add821ccef34d12a4ba37d832561e

    • SSDEEP

      6144:wBlL/cdaM2wjhuXQCOkWOogkgX3sXfa1fzHPyFt8q92:CeLcXQCpf0gMofzvI8q2

    Score
    10/10
    lokibotcollectiondiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/brkecgut.dll

    • Size

      39KB

    • MD5

      1c2153d65c164eceadedd59b1fe8137c

    • SHA1

      84a0a067fa6e226352a12fab9d776cf95fff9653

    • SHA256

      abdb9f01c83946668364bd1d280f361b65248d8ef0c7cd57b11f114e2bd1bc72

    • SHA512

      37e7b873a920fe6f2fed129be4df4f6ee74e79f609b3210b20d70876b20b5eae325a5e5326229d33a13ce96f2582da4d15de790fea66e40be59fb52ccbf82334

    • SSDEEP

      768:JLztxgelNtMCFTJ7arFlRkB4JYp52BfPd:1txgWVFAXc43NPd

    Score
    10/10
    lokibotcollectiondiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks