Overview

overview

10

Static

static

3

0dafe52910...18.exe

windows7-x64

10

0dafe52910...18.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

u9anuq.dll

windows7-x64

1

u9anuq.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0dafe529109bf5d41408d83da99facc3_JaffaCakes118

  • Size

    152KB

  • Sample

    240625-l9v7kstdmg

  • MD5

    0dafe529109bf5d41408d83da99facc3

  • SHA1

    ed7176f46214f75bead2674e9761c28ea2417adc

  • SHA256

    29ab5296a03568541165c8632739206457548b5277e7d11f4bc79c2abf8320be

  • SHA512

    8c1b26515e32b6c242e559402cb15b3ce83211156e83d6b7e91810f91c7e40e8e2b5b4c790650eedd9898fc95428582be2ec010527a621b678a93c20d4b90318

  • SSDEEP

    3072:YBkfJpRXATwMdFCcnbPzpdNYpOaRu1/c+BV4eYt8QltyI+5BZgK83B3t:YqjIFgDgFBV4eYq1AFtt

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://becharnise.ir/fa16/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      0dafe529109bf5d41408d83da99facc3_JaffaCakes118

    • Size

      152KB

    • MD5

      0dafe529109bf5d41408d83da99facc3

    • SHA1

      ed7176f46214f75bead2674e9761c28ea2417adc

    • SHA256

      29ab5296a03568541165c8632739206457548b5277e7d11f4bc79c2abf8320be

    • SHA512

      8c1b26515e32b6c242e559402cb15b3ce83211156e83d6b7e91810f91c7e40e8e2b5b4c790650eedd9898fc95428582be2ec010527a621b678a93c20d4b90318

    • SSDEEP

      3072:YBkfJpRXATwMdFCcnbPzpdNYpOaRu1/c+BV4eYt8QltyI+5BZgK83B3t:YqjIFgDgFBV4eYq1AFtt

    Score
    10/10
    lokibotcollectionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      fccff8cb7a1067e23fd2e2b63971a8e1

    • SHA1

      30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    • SHA256

      6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    • SHA512

      f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    • SSDEEP

      192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4

    Score
    3/10
    behavioral3behavioral4

    • Target

      u9anuq.dll

    • Size

      11KB

    • MD5

      89df018dd4fd875d5b144c0167653a07

    • SHA1

      c7934525cfedad07d92eba5f5f3f04211f3d619a

    • SHA256

      2a3fb636b37575a7b32e7ed1ae6403057e324ae4537e4392777a22ee79a77fe2

    • SHA512

      d5ff8091aab89c0c788d8c1a0ce5ae048284eca5f6f864d654e832764bc77eac6ba92ddc03c32c8d9a817347722bd5f9db4acf10397996d7434f798dc54269bb

    • SSDEEP

      192:+1O/kW4E4WPVBTxicL2lt4S3cGCfEzIWZcX/8yJpq:oONbB9BlJLgt4SsdEzIN0yXq

    Score
    3/10
    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks