Overview

overview

10

Static

static

3

JaffaCakes...23.exe

windows7-x64

10

JaffaCakes...23.exe

windows10-2004-x64

7

$PLUGINSDI...cg.dll

windows7-x64

10

$PLUGINSDI...cg.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_e03f4ad08fc0f342d85a78c2931d9123

  • Size

    240KB

  • Sample

    250110-kzj6wszjcv

  • MD5

    e03f4ad08fc0f342d85a78c2931d9123

  • SHA1

    b5cf0259ed3f1af5f150382a603fa07b50e56655

  • SHA256

    bd7f706554d406bfe8f627cbda77555c6a255f952599f3b22399640fca5a3c9c

  • SHA512

    4b52377ce63125ceb19bcee64e4cc032fc91d3ace3abdb03d9b98bbf3e6b43f3078169ce334887bfa016b11834e3ac56b44dc8d41118f74e24964d2da67af7c9

  • SSDEEP

    6144:wBlL/cK00E317OnqTuU9mteavU7FUkhIlUZIf0zXXn+Zdl/3:CeKC17OnQm0avU7lhYgXXno9

Score
10/10
lokibotcollectiondiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://63.250.40.204/~wpdemo/file.php?search=719442

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      JaffaCakes118_e03f4ad08fc0f342d85a78c2931d9123

    • Size

      240KB

    • MD5

      e03f4ad08fc0f342d85a78c2931d9123

    • SHA1

      b5cf0259ed3f1af5f150382a603fa07b50e56655

    • SHA256

      bd7f706554d406bfe8f627cbda77555c6a255f952599f3b22399640fca5a3c9c

    • SHA512

      4b52377ce63125ceb19bcee64e4cc032fc91d3ace3abdb03d9b98bbf3e6b43f3078169ce334887bfa016b11834e3ac56b44dc8d41118f74e24964d2da67af7c9

    • SSDEEP

      6144:wBlL/cK00E317OnqTuU9mteavU7FUkhIlUZIf0zXXn+Zdl/3:CeKC17OnQm0avU7lhYgXXno9

    Score
    10/10
    lokibotcollectiondiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/bssmcg.dll

    • Size

      20KB

    • MD5

      b7240550e69f1fe5d37e59ad792b79bb

    • SHA1

      d3ec1ae9889a3b792fc7ca6c720d3dcdc273bf92

    • SHA256

      b6d65ca328946cac1a89d24c8e45ffed411357c0b51549083c4cf0874b1d231b

    • SHA512

      4996fff77e9683961a7290cfd25d8cbd14edfe5f548d09b645a884e9d9567d0e65366058318c2eeeea0aaf3654dde5be052526445e1fde17d46c416f4ef65599

    • SSDEEP

      384:58sy9SgatMMonfmUmuD+GFu8y8qVtM0nmkrVBrnZ6gdb:58sy96M+UcGFDlqrM0HrVpZ7

    Score
    10/10
    lokibotcollectiondiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks