lokibot | e21a9d3df315dd8e55f1178611a622bb43c5be81eafed44c7c7ce1035f0f4691

Analysis

max time kernel
142s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
23-06-2024 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
Size

490KB
MD5

06854e61899fff2b198c91a5a25cff6d
SHA1

6b74e8be276b9f16b4732a3e4a2bd69a39e9bf9b
SHA256

e21a9d3df315dd8e55f1178611a622bb43c5be81eafed44c7c7ce1035f0f4691
SHA512

ec87153a038e858641d88d03a8b9142c7838cfcd02795c93299bd52c40a975cb34dfa7792d10615aea8fe6fa3763c395fe84812037d15426bc341c6149af070b
SSDEEP

6144:ih6o1R1khh63aQbSFvU9+kRIluFRfwVnvUjWkY1hdQUdwzMTIv9QZgmT:C1R1kDVvUwGOnnvAEQsqbV

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

https://lokipanelhostingpanel.gq/panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Drops startup file 1 IoCs

Processes:

06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

notepad.exe

pid process

2648 notepad.exe
Loads dropped DLL 3 IoCs

Processes:

06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe

pid process

1428 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe

pid	process
2648	notepad.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

notepad.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	notepad.exe
Key opened	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	notepad.exe
Key opened	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe

description pid process target process

PID 1428 set thread context of 2648 1428 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe notepad.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2536 timeout.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier cmd.exe

description	pid	process	target process
PID 1428 set thread context of 2648	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe

pid	process
2536	timeout.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe

pid	process
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exenotepad.exe

description pid process

Token: SeDebugPrivilege 1428 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
Token: SeDebugPrivilege 2648 notepad.exe

description	pid	process
Token: SeDebugPrivilege	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
Token: SeDebugPrivilege	2648	notepad.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.execmd.execmd.exe

description	pid	process	target process
PID 1428 wrote to memory of 1676	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	cmd.exe
PID 1428 wrote to memory of 1676	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	cmd.exe
PID 1428 wrote to memory of 1676	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	cmd.exe
PID 1428 wrote to memory of 1676	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	cmd.exe
PID 1676 wrote to memory of 2088	1676	cmd.exe	reg.exe
PID 1676 wrote to memory of 2088	1676	cmd.exe	reg.exe
PID 1676 wrote to memory of 2088	1676	cmd.exe	reg.exe
PID 1676 wrote to memory of 2088	1676	cmd.exe	reg.exe
PID 1428 wrote to memory of 2648	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 1428 wrote to memory of 2648	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 1428 wrote to memory of 2648	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 1428 wrote to memory of 2648	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 1428 wrote to memory of 2648	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 1428 wrote to memory of 2648	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 1428 wrote to memory of 2648	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 1428 wrote to memory of 2648	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 1428 wrote to memory of 2648	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 1428 wrote to memory of 2648	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 1428 wrote to memory of 2912	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	cmd.exe
PID 1428 wrote to memory of 2912	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	cmd.exe
PID 1428 wrote to memory of 2912	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	cmd.exe
PID 1428 wrote to memory of 2912	1428	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	cmd.exe
PID 2912 wrote to memory of 2536	2912	cmd.exe	timeout.exe
PID 2912 wrote to memory of 2536	2912	cmd.exe	timeout.exe
PID 2912 wrote to memory of 2536	2912	cmd.exe	timeout.exe
PID 2912 wrote to memory of 2536	2912	cmd.exe	timeout.exe

outlook_office_path 1 IoCs

Processes:

notepad.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook notepad.exe
outlook_win_path 1 IoCs

Processes:

notepad.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook notepad.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	notepad.exe

C:\Users\Admin\AppData\Local\Temp\06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
3⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\notepad.exe
"C:\Users\Admin\AppData\Local\Temp\notepad.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2648

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
Filesize
490KB

MD5
06854e61899fff2b198c91a5a25cff6d

SHA1
6b74e8be276b9f16b4732a3e4a2bd69a39e9bf9b

SHA256
e21a9d3df315dd8e55f1178611a622bb43c5be81eafed44c7c7ce1035f0f4691

SHA512
ec87153a038e858641d88d03a8b9142c7838cfcd02795c93299bd52c40a975cb34dfa7792d10615aea8fe6fa3763c395fe84812037d15426bc341c6149af070b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
Filesize
206B

MD5
90c06b5a8de4b32e4e13579cbd8c694d

SHA1
d0ba856351d70f7423c76b21688ea51a9fb65d69

SHA256
25aca836dfd3715de6f7617c6f50db118acc019361092e10f7730a7ddad64c98

SHA512
5b29bc17d7f1e6ce58313830b7fe15ff03be37c7304fe260dad2c2865588f1dd3811d1fd877f5e8b850cf365386b330d0d21a32b31567303ddcf0f51372f5b06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2812790648-3157963462-487717889-1000\0f5007522459c86e95ffcc62f32308f1_e03cd433-c719-47e1-9d16-06aabadbc419
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2812790648-3157963462-487717889-1000\0f5007522459c86e95ffcc62f32308f1_e03cd433-c719-47e1-9d16-06aabadbc419
Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\Users\Admin\AppData\Local\Temp\notepad.exe
Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
memory/1428-0-0x00000000742C1000-0x00000000742C2000-memory.dmp

Filesize
4KB

Download
memory/1428-1-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1428-2-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1428-83-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2648-29-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2648-22-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2648-21-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2648-17-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2648-30-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2648-42-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2648-26-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2648-19-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2648-82-0x00000000008E0000-0x0000000000A85000-memory.dmp

Filesize
1.6MB

Download
memory/2648-15-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2648-85-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download