lokibot | e21a9d3df315dd8e55f1178611a622bb43c5be81eafed44c7c7ce1035f0f4691

Analysis

max time kernel
143s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
Size

490KB
MD5

06854e61899fff2b198c91a5a25cff6d
SHA1

6b74e8be276b9f16b4732a3e4a2bd69a39e9bf9b
SHA256

e21a9d3df315dd8e55f1178611a622bb43c5be81eafed44c7c7ce1035f0f4691
SHA512

ec87153a038e858641d88d03a8b9142c7838cfcd02795c93299bd52c40a975cb34dfa7792d10615aea8fe6fa3763c395fe84812037d15426bc341c6149af070b
SSDEEP

6144:ih6o1R1khh63aQbSFvU9+kRIluFRfwVnvUjWkY1hdQUdwzMTIv9QZgmT:C1R1kDVvUwGOnnvAEQsqbV

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

https://lokipanelhostingpanel.gq/panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Drops startup file 1 IoCs

Processes:

06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

notepad.exe

pid process

4924 notepad.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe

pid	process
4924	notepad.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

notepad.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	notepad.exe
Key opened	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	notepad.exe
Key opened	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	notepad.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe

description pid process target process

PID 2020 set thread context of 4924 2020 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe notepad.exe

description	pid	process	target process
PID 2020 set thread context of 4924	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe

Drops file in Windows directory 3 IoCs

Processes:

06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3592 timeout.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier cmd.exe

pid	process
3592	timeout.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe

pid	process
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exenotepad.exe

description pid process

Token: SeDebugPrivilege 2020 06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
Token: SeDebugPrivilege 4924 notepad.exe

description	pid	process
Token: SeDebugPrivilege	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
Token: SeDebugPrivilege	4924	notepad.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.execmd.execmd.exe

description	pid	process	target process
PID 2020 wrote to memory of 2484	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	cmd.exe
PID 2020 wrote to memory of 2484	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	cmd.exe
PID 2020 wrote to memory of 2484	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	cmd.exe
PID 2484 wrote to memory of 4956	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 4956	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 4956	2484	cmd.exe	reg.exe
PID 2020 wrote to memory of 4924	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 2020 wrote to memory of 4924	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 2020 wrote to memory of 4924	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 2020 wrote to memory of 4924	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 2020 wrote to memory of 4924	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 2020 wrote to memory of 4924	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 2020 wrote to memory of 4924	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 2020 wrote to memory of 4924	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 2020 wrote to memory of 4924	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	notepad.exe
PID 2020 wrote to memory of 2732	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	cmd.exe
PID 2020 wrote to memory of 2732	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	cmd.exe
PID 2020 wrote to memory of 2732	2020	06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe	cmd.exe
PID 2732 wrote to memory of 3592	2732	cmd.exe	timeout.exe
PID 2732 wrote to memory of 3592	2732	cmd.exe	timeout.exe
PID 2732 wrote to memory of 3592	2732	cmd.exe	timeout.exe

outlook_office_path 1 IoCs

Processes:

notepad.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook notepad.exe
outlook_win_path 1 IoCs

Processes:

notepad.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook notepad.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	notepad.exe

C:\Users\Admin\AppData\Local\Temp\06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06854e61899fff2b198c91a5a25cff6d_JaffaCakes118.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
3⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\notepad.exe
"C:\Users\Admin\AppData\Local\Temp\notepad.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8
1⤵
PID:4192

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
Filesize
490KB

MD5
06854e61899fff2b198c91a5a25cff6d

SHA1
6b74e8be276b9f16b4732a3e4a2bd69a39e9bf9b

SHA256
e21a9d3df315dd8e55f1178611a622bb43c5be81eafed44c7c7ce1035f0f4691

SHA512
ec87153a038e858641d88d03a8b9142c7838cfcd02795c93299bd52c40a975cb34dfa7792d10615aea8fe6fa3763c395fe84812037d15426bc341c6149af070b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
Filesize
206B

MD5
90c06b5a8de4b32e4e13579cbd8c694d

SHA1
d0ba856351d70f7423c76b21688ea51a9fb65d69

SHA256
25aca836dfd3715de6f7617c6f50db118acc019361092e10f7730a7ddad64c98

SHA512
5b29bc17d7f1e6ce58313830b7fe15ff03be37c7304fe260dad2c2865588f1dd3811d1fd877f5e8b850cf365386b330d0d21a32b31567303ddcf0f51372f5b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad.exe
Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3665033694-1447845302-680750983-1000\0f5007522459c86e95ffcc62f32308f1_0c2dbd8b-df2c-459b-9e3f-15002e1e55b7
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
memory/2020-2-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/2020-1-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/2020-0-0x0000000074E62000-0x0000000074E63000-memory.dmp

Filesize
4KB

Download
memory/2020-64-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/4924-13-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4924-18-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4924-17-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4924-65-0x0000000000C00000-0x0000000000DA5000-memory.dmp

Filesize
1.6MB

Download
memory/4924-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download