1
2* ID: 1405
3* MalFamily: "Loki"
4
5* MalScore: 10.0
6
7* File Name: "Loki_b4160c6518820a6747f2a6d39438308d.exe"
8* File Size: 967168
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "54abae66e2ef28bef900d4e9ae1f0a2403d130cef8024c5362009f115ca11aee"
11* MD5: "b4160c6518820a6747f2a6d39438308d"
12* SHA1: "e013f73fe24d8f25d5359eedc847d5caac790d4c"
13* SHA512: "19a110e3e6a7f7052530d48fd10333c16af792b7e732109baaf4fdee19bcc90f572a76eb83578742a96df7faa2a935e6b088f49a0a64ec54be69122f4152e2b8"
14* CRC32: "7A015200"
15* SSDEEP: "12288:DPyYkinIL3hFuObLPS85MGAWApEbSYZcNggHe3IOQzTqkU2n8:/k1LRFpLPSs1AWA6c2gUIveZ2n8"
16
17* Process Execution:
18 "4azgdwjTdw.exe",
19 "4azgdwjTdw.exe",
20 "services.exe",
21 "lsass.exe"
22
23
24* Executed Commands:
25 "\"C:\\Users\\user\\AppData\\Local\\Temp\\4azgdwjTdw.exe\"",
26 "C:\\Windows\\system32\\lsass.exe"
27
28
29* Signatures Detected:
30
31 "Description": "Behavioural detection: Executable code extraction",
32 "Details":
33
34
35 "Description": "A process attempted to delay the analysis task.",
36 "Details":
37
38 "Process": "4azgdwjTdw.exe tried to sleep 1754 seconds, actually delayed analysis time by 0 seconds"
39
40
41
42
43 "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
44 "Details":
45
46 "post_no_referer": "HTTP traffic contains a POST request with no referer header"
47
48
49 "http_version_old": "HTTP traffic uses version 1.0"
50
51
52 "suspicious_request_iocs": "http://greeesenbropotreunhoppol.tk/fre.php"
53
54
55
56
57 "Description": "Performs some HTTP requests",
58 "Details":
59
60 "url_iocs": "http://greeesenbropotreunhoppol.tk/fre.php"
61
62
63
64
65 "Description": "Behavioural detection: Injection (Process Hollowing)",
66 "Details":
67
68 "Injection": "4azgdwjTdw.exe(552) -> 4azgdwjTdw.exe(3064)"
69
70
71
72
73 "Description": "Executed a process and injected code into it, probably while unpacking",
74 "Details":
75
76 "Injection": "4azgdwjTdw.exe(552) -> 4azgdwjTdw.exe(3064)"
77
78
79
80
81 "Description": "Deletes its original binary from disk",
82 "Details":
83
84
85 "Description": "Behavioural detection: Injection (inter-process)",
86 "Details":
87
88
89 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
90 "Details":
91
92 "Spam": "4azgdwjTdw.exe (552) called API FindResourceExW 470188 times"
93
94
95 "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 11196891 times"
96
97
98
99
100 "Description": "Steals private information from local Internet browsers",
101 "Details":
102
103 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
104
105
106
107
108 "Description": "Spoofs its process name and/or associated pathname to appear as a legitimate process",
109 "Details":
110
111 "modified_name": "4azgdwjtdw.exe",
112 "modified_path": "C:\\Users\\user\\AppData\\Local\\Temp\\4azgdwjtdw.exe",
113 "original_name": "4azgdwjTdw.exe",
114 "original_path": "C:\\Users\\user\\AppData\\Local\\Temp\\4azgdwjTdw.exe"
115
116
117
118
119 "Description": "Creates a hidden or system file",
120 "Details":
121
122 "file": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
123
124
125 "file": "C:\\Users\\user\\AppData\\Roaming\\474604"
126
127
128
129
130 "Description": "CAPE detected the Loki malware family",
131 "Details":
132
133
134 "Description": "File has been identified by 17 Antiviruses on VirusTotal as malicious",
135 "Details":
136
137 "FireEye": "Generic.mg.b4160c6518820a67"
138
139
140 "Malwarebytes": "Trojan.MalPack.DLF"
141
142
143 "K7AntiVirus": "Trojan ( 005576d41 )"
144
145
146 "K7GW": "Trojan ( 005576d41 )"
147
148
149 "Cybereason": "malicious.fe24d8"
150
151
152 "Cyren": "W32/Trojan.EJZK-2668"
153
154
155 "Symantec": "Packed.Generic.516"
156
157
158 "APEX": "Malicious"
159
160
161 "Paloalto": "generic.ml"
162
163
164 "Invincea": "heuristic"
165
166
167 "Microsoft": "Trojan:Win32/Wacatac.B!ml"
168
169
170 "ZoneAlarm": "HEUR:Trojan.Win32.Kryptik.gen"
171
172
173 "AhnLab-V3": "Trojan/Win32.Lokibot.C3463984"
174
175
176 "ESET-NOD32": "a variant of Win32/Injector.EHRR"
177
178
179 "TrendMicro-HouseCall": "TrojanSpy.Win32.LOKI.SMDD.hp"
180
181
182 "Rising": "Trojan.Injector!1.AFE3 (CLASSIC)"
183
184
185 "Qihoo-360": "HEUR/QVM05.1.C687.Malware.Gen"
186
187
188
189
190 "Description": "Creates a copy of itself",
191 "Details":
192
193 "copy": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
194
195
196
197
198 "Description": "Harvests credentials from local FTP client softwares",
199 "Details":
200
201 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
202
203
204 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
205
206
207 "file": "C:\\Users\\user\\AppData\\Roaming\\Far Manager\\Profile\\PluginsData\\42E4AEB1-A230-44F4-B33C-F195BB654931.db"
208
209
210 "file": "C:\\Program Files (x86)\\FTPGetter\\Profile\\servers.xml"
211
212
213 "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\servers.xml"
214
215
216 "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\ESTdb2.dat"
217
218
219 "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
220
221
222 "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
223
224
225 "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
226
227
228 "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
229
230
231
232
233 "Description": "Harvests information related to installed instant messenger clients",
234 "Details":
235
236 "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
237
238
239
240
241 "Description": "Harvests information related to installed mail clients",
242 "Details":
243
244 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
245
246
247 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046\\Email"
248
249
250 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
251
252
253 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
254
255
256 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff\\Email"
257
258
259 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326\\Email"
260
261
262 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
263
264
265 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
266
267
268 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
269
270
271 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e\\Email"
272
273
274 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1\\Email"
275
276
277 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
278
279
280 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
281
282
283 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
284
285
286 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7\\Email"
287
288
289 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
290
291
292 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2\\Email"
293
294
295 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\Email"
296
297
298 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a\\Email"
299
300
301 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001\\Email"
302
303
304 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
305
306
307 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
308
309
310 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
311
312
313 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
314
315
316 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259\\Email"
317
318
319 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
320
321
322 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
323
324
325 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670\\Email"
326
327
328 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604\\Email"
329
330
331 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
332
333
334 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
335
336
337 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
338
339
340 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
341
342
343 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
344
345
346 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046\\Email"
347
348
349
350
351 "Description": "Collects information to fingerprint the system",
352 "Details":
353
354
355 "Description": "Anomalous binary characteristics",
356 "Details":
357
358 "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
359
360
361
362
363 "Description": "Created network traffic indicative of malicious activity",
364 "Details":
365
366 "signature": "ET DNS Query to a .tk domain - Likely Hostile"
367
368
369 "signature": "ET TROJAN LokiBot Fake 404 Response"
370
371
372 "signature": "ET TROJAN LokiBot User-Agent (Charon/Inferno)"
373
374
375 "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M1"
376
377
378 "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M2"
379
380
381 "signature": "ET TROJAN LokiBot Checkin"
382
383
384 "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1"
385
386
387 "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2"
388
389
390
391
392
393* Started Service:
394 "VaultSvc"
395
396
397* Mutexes:
398 "6EFA73A4746045B65DEE781E"
399
400
401* Modified Files:
402 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
403 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe",
404 "C:\\Windows\\sysnative\\LogFiles\\Scm\\4a22d9e6-41c5-44a8-884c-bb44c9a6b4c2"
405
406
407* Deleted Files:
408 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
409 "C:\\Users\\user\\AppData\\Local\\Temp\\4azgdwjtdw.exe"
410
411
412* Modified Registry Keys:
413
414* Deleted Registry Keys:
415
416* DNS Communications:
417
418 "type": "A",
419 "request": "greeesenbropotreunhoppol.tk",
420 "answers":
421
422 "data": "37.49.225.103",
423 "type": "A"
424
425
426
427
428
429* Domains:
430
431 "ip": "37.49.225.103",
432 "domain": "greeesenbropotreunhoppol.tk"
433
434
435
436* Network Communication - ICMP:
437
438* Network Communication - HTTP:
439
440 "count": 2,
441 "body": "",
442 "uri": "http://greeesenbropotreunhoppol.tk/fre.php",
443 "user-agent": "Mozilla/4.08 (Charon; Inferno)",
444 "method": "POST",
445 "host": "greeesenbropotreunhoppol.tk",
446 "version": "1.0",
447 "path": "/fre.php",
448 "data": "POST /fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: greeesenbropotreunhoppol.tk\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: 289C9110\r\nContent-Length: 176\r\nConnection: close\r\n\r\n",
449 "port": 80
450
451
452 "count": 29,
453 "body": "",
454 "uri": "http://greeesenbropotreunhoppol.tk/fre.php",
455 "user-agent": "Mozilla/4.08 (Charon; Inferno)",
456 "method": "POST",
457 "host": "greeesenbropotreunhoppol.tk",
458 "version": "1.0",
459 "path": "/fre.php",
460 "data": "POST /fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: greeesenbropotreunhoppol.tk\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: 289C9110\r\nContent-Length: 149\r\nConnection: close\r\n\r\n",
461 "port": 80
462
463
464
465* Network Communication - SMTP:
466
467* Network Communication - Hosts:
468
469 "country_name": "Netherlands",
470 "ip": "37.49.225.103",
471 "inaddrarpa": "",
472 "hostname": "greeesenbropotreunhoppol.tk"
473
474
475
476* Network Communication - IRC: