2* ID: 886
3* MalFamily: "Loki"
5* MalScore: 10.0
7* File Name: "Loki_202bfaad50de3db2109d230a1530c35b.1"
8* File Size: 937984
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "8f33bd70160f6868d84868d85178cef1366261c151fd772907694e7b701c0105"
11* MD5: "202bfaad50de3db2109d230a1530c35b"
12* SHA1: "b4e0a70889cd6220e79a796b3d736b885796b9e7"
13* SHA512: "73c35f3d3209df31035e87491228db731c87e181d4d1ed9d31a9ee7bf8741efeebe7ee0ac644b8e4d439053e709ed242065049297e69e84eb19a1d94826815ba"
14* CRC32: "324DF800"
15* SSDEEP: "24576:EwF/PPyRlPivlAPPPQSPPvP+PPPPPPPPPPPvPPPPPPDPPPPPPPnPPPPPPP1PPPPi:mO"
17* Process Execution:
18 "7ObqwN4FqmU9.exe",
19 "wscript.exe",
20 "filename.exe",
21 "filename.exe",
22 "explorer.exe",
23 "services.exe",
24 "lsass.exe"
27* Executed Commands:
28 "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\subfolder\\filename.vbs\"",
29 "C:\\Users\\user\\subfolder\\filename.vbs ",
30 "\"C:\\Users\\user\\subfolder\\filename.exe\"",
31 "C:\\Users\\user\\subfolder\\filename.exe ",
32 "C:\\Windows\\system32\\lsass.exe"
35* Signatures Detected:
37 "Description": "Behavioural detection: Executable code extraction",
38 "Details":
41 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
42 "Details":
45 "Description": "Possible date expiration check, exits too soon after checking local time",
46 "Details":
48 "process": "7ObqwN4FqmU9.exe, PID 348"
53 "Description": "Detected script timer window indicative of sleep style evasion",
54 "Details":
56 "Window": "WSH-Timer"
61 "Description": "A process attempted to delay the analysis task.",
62 "Details":
64 "Process": "filename.exe tried to sleep 1204 seconds, actually delayed analysis time by 0 seconds"
69 "Description": "Reads data out of its own binary image",
70 "Details":
72 "self_read": "process: 7ObqwN4FqmU9.exe, pid: 348, offset: 0x00000000, length: 0x000e5000"
75 "self_read": "process: wscript.exe, pid: 2948, offset: 0x00000000, length: 0x00000040"
78 "self_read": "process: wscript.exe, pid: 2948, offset: 0x000000f0, length: 0x00000018"
81 "self_read": "process: wscript.exe, pid: 2948, offset: 0x000001e8, length: 0x00000078"
84 "self_read": "process: wscript.exe, pid: 2948, offset: 0x00018000, length: 0x00000020"
87 "self_read": "process: wscript.exe, pid: 2948, offset: 0x00018058, length: 0x00000018"
90 "self_read": "process: wscript.exe, pid: 2948, offset: 0x000181a8, length: 0x00000018"
93 "self_read": "process: wscript.exe, pid: 2948, offset: 0x00018470, length: 0x00000010"
96 "self_read": "process: wscript.exe, pid: 2948, offset: 0x00018640, length: 0x00000012"
101 "Description": "A process created a hidden window",
102 "Details":
104 "Process": "7ObqwN4FqmU9.exe -> C:\\Users\\user\\subfolder\\filename.vbs"
107 "Process": "7ObqwN4FqmU9.exe -> C:\\Users\\user\\subfolder\\filename.exe"
112 "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
113 "Details":
115 "post_no_referer": "HTTP traffic contains a POST request with no referer header"
118 "http_version_old": "HTTP traffic uses version 1.0"
121 "suspicious_request_iocs": "http://zjvvymy.com/jp101/five/fre.php"
126 "Description": "Performs some HTTP requests",
127 "Details":
129 "url_iocs": "http://zjvvymy.com/jp101/five/fre.php"
134 "Description": "A scripting utility was executed",
135 "Details":
137 "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\subfolder\\filename.vbs\""
142 "Description": "Behavioural detection: Injection (Process Hollowing)",
143 "Details":
145 "Injection": "filename.exe(2364) -> filename.exe(2688)"
150 "Description": "Executed a process and injected code into it, probably while unpacking",
151 "Details":
153 "Injection": "filename.exe(2364) -> filename.exe(2688)"
158 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
159 "Details":
161 "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 567423 times"
166 "Description": "Steals private information from local Internet browsers",
167 "Details":
169 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
174 "Description": "Installs itself for autorun at Windows startup",
175 "Details":
177 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Registry Key Name"
180 "data": "C:\\Users\\user\\subfolder\\filename.vbs -Dirra"
185 "Description": "Creates a hidden or system file",
186 "Details":
188 "file": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
191 "file": "C:\\Users\\user\\AppData\\Roaming\\474604"
196 "Description": "CAPE detected the Loki malware family",
197 "Details":
200 "Description": "File has been identified by 16 Antiviruses on VirusTotal as malicious",
201 "Details":
203 "McAfee": "GenericRXIM-DX!202BFAAD50DE"
206 "Malwarebytes": "Trojan.MalPack.VB.Generic"
209 "Cybereason": "malicious.889cd6"
212 "Symantec": "ML.Attribute.HighConfidence"
215 "APEX": "Malicious"
218 "Endgame": "malicious (high confidence)"
221 "Invincea": "heuristic"
224 "FireEye": "Generic.mg.202bfaad50de3db2"
227 "Cyren": "W32/Wacatac.W.gen!Eldorado"
230 "Microsoft": "Trojan:Win32/Wacatac.B!ml"
233 "AhnLab-V3": "Trojan/Win32.Inject.R289841"
236 "Acronis": "suspicious"
239 "Cylance": "Unsafe"
242 "ESET-NOD32": "a variant of Win32/Injector.EHOJ"
245 "Fortinet": "W32/Injector.EHNM!tr"
248 "Qihoo-360": "HEUR/QVM03.0.A57D.Malware.Gen"
253 "Description": "Creates a copy of itself",
254 "Details":
256 "copy": "C:\\Users\\user\\subfolder\\filename.exe"
259 "copy": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
264 "Description": "Drops a binary and executes it",
265 "Details":
267 "binary": "C:\\Users\\user\\subfolder\\filename.exe"
272 "Description": "Harvests credentials from local FTP client softwares",
273 "Details":
275 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
278 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
281 "file": "C:\\Users\\user\\AppData\\Roaming\\Far Manager\\Profile\\PluginsData\\42E4AEB1-A230-44F4-B33C-F195BB654931.db"
284 "file": "C:\\Program Files (x86)\\FTPGetter\\Profile\\servers.xml"
287 "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\servers.xml"
290 "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\ESTdb2.dat"
293 "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
296 "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
299 "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
302 "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
307 "Description": "Harvests information related to installed instant messenger clients",
308 "Details":
310 "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
315 "Description": "Harvests information related to installed mail clients",
316 "Details":
318 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
321 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046\\Email"
324 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
327 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
330 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff\\Email"
333 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326\\Email"
336 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
339 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
342 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
345 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e\\Email"
348 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1\\Email"
351 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
354 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
357 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
360 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7\\Email"
363 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
366 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2\\Email"
369 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\Email"
372 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a\\Email"
375 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001\\Email"
378 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
381 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
384 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
387 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
390 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259\\Email"
393 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
396 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
399 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670\\Email"
402 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604\\Email"
405 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
408 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
411 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
414 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
417 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
420 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046\\Email"
425 "Description": "Collects information to fingerprint the system",
426 "Details":
429 "Description": "Created network traffic indicative of malicious activity",
430 "Details":
432 "signature": "ET TROJAN LokiBot User-Agent (Charon/Inferno)"
435 "signature": "ET TROJAN LokiBot Fake 404 Response"
438 "signature": "ET TROJAN LokiBot Checkin"
441 "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M2"
444 "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M1"
447 "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1"
450 "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2"
456* Started Service:
457 "VaultSvc"
460* Mutexes:
461 "Local\\ZoneAttributeCacheCounterMutex",
462 "Local\\ZonesCacheCounterMutex",
463 "Local\\ZonesLockedCacheCounterMutex",
464 "6EFA73A4746045B65DEE781E"
467* Modified Files:
468 "C:\\Users\\user\\subfolder\\filename.exe",
469 "C:\\Users\\user\\subfolder\\filename.vbs",
470 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
471 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
474* Deleted Files:
475 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
476 "C:\\Users\\user\\subfolder\\filename.exe"
479* Modified Registry Keys:
480 "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\axhBo109\\bufEfgfSeEm77",
481 "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\axhBo109\\bufEfgfSeEm77\\pE7Ok6f832",
482 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
483 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
484 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
485 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
486 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Registry Key Name"
489* Deleted Registry Keys:
490 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
491 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
492 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
493 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
496* DNS Communications:
498 "type": "A",
499 "request": "zjvvymy.com",
500 "answers":
502 "data": "47.88.102.244",
503 "type": "A"
509* Domains:
511 "ip": "47.88.102.244",
512 "domain": "zjvvymy.com"
516* Network Communication - ICMP:
518* Network Communication - HTTP:
520 "count": 2,
521 "body": "",
522 "uri": "http://zjvvymy.com/jp101/five/fre.php",
523 "user-agent": "Mozilla/4.08 (Charon; Inferno)",
524 "method": "POST",
525 "host": "zjvvymy.com",
526 "version": "1.0",
527 "path": "/jp101/five/fre.php",
528 "data": "POST /jp101/five/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: zjvvymy.com\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: BFD4E154\r\nContent-Length: 176\r\nConnection: close\r\n\r\n",
529 "port": 80
532 "count": 20,
533 "body": "",
534 "uri": "http://zjvvymy.com/jp101/five/fre.php",
535 "user-agent": "Mozilla/4.08 (Charon; Inferno)",
536 "method": "POST",
537 "host": "zjvvymy.com",
538 "version": "1.0",
539 "path": "/jp101/five/fre.php",
540 "data": "POST /jp101/five/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: zjvvymy.com\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: BFD4E154\r\nContent-Length: 149\r\nConnection: close\r\n\r\n",
541 "port": 80
545* Network Communication - SMTP:
547* Network Communication - Hosts:
549 "country_name": "United States",
550 "ip": "47.88.102.244",
551 "inaddrarpa": "",
552 "hostname": "zjvvymy.com"
556* Network Communication - IRC: