2* ID: 1477
3* MalFamily: "Lokibot"
5* MalScore: 10.0
7* File Name: "Loki_c1b4c14fe03324c8ab0a722385989939.exe"
8* File Size: 1126400
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "94b7ac08562f1099d6ae6a3179b9c145e3e434f2927011ec8edbac8271ca3b98"
11* MD5: "c1b4c14fe03324c8ab0a722385989939"
12* SHA1: "82a427b4039d1755a82b9eef6cbf71f366817ed0"
13* SHA512: "aab0aaec84e4460ccdfdc03d2165d1ca098bff630f016cc2ee70fbe1f1dd6e6b4d900c103d86437074996a4a3eb87d1d3062988a0461790eebac281695f1f73e"
14* CRC32: "79F3907C"
15* SSDEEP: "6144:NX0IlQyFoWyanSeAntuqTEZZ1gcu/+4eAnP:N0IlFNyaBsNTEnO7e"
17* Process Execution:
18 "mPNKnpt907is.exe",
19 "wscript.exe",
20 "filename.exe",
21 "filename.exe",
22 "explorer.exe",
23 "services.exe",
24 "lsass.exe",
25 "WmiApSrv.exe",
26 "svchost.exe",
27 "taskhost.exe",
28 "WmiPrvSE.exe"
31* Executed Commands:
32 "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\subfolder\\filename.vbs\"",
33 "C:\\Users\\user\\subfolder\\filename.vbs ",
34 "\"C:\\Users\\user\\subfolder\\filename.exe\"",
35 "C:\\Users\\user\\subfolder\\filename.exe ",
36 "C:\\Windows\\system32\\lsass.exe",
37 "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
38 "C:\\Windows\\system32\\svchost.exe -k netsvcs"
41* Signatures Detected:
43 "Description": "Behavioural detection: Executable code extraction",
44 "Details":
47 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
48 "Details":
51 "Description": "Possible date expiration check, exits too soon after checking local time",
52 "Details":
54 "process": "mPNKnpt907is.exe, PID 2540"
59 "Description": "Detected script timer window indicative of sleep style evasion",
60 "Details":
62 "Window": "WSH-Timer"
67 "Description": "Reads data out of its own binary image",
68 "Details":
70 "self_read": "process: mPNKnpt907is.exe, pid: 2540, offset: 0x00000000, length: 0x00113000"
73 "self_read": "process: wscript.exe, pid: 1856, offset: 0x00000000, length: 0x00000040"
76 "self_read": "process: wscript.exe, pid: 1856, offset: 0x000000f0, length: 0x00000018"
79 "self_read": "process: wscript.exe, pid: 1856, offset: 0x000001e8, length: 0x00000078"
82 "self_read": "process: wscript.exe, pid: 1856, offset: 0x00018000, length: 0x00000020"
85 "self_read": "process: wscript.exe, pid: 1856, offset: 0x00018058, length: 0x00000018"
88 "self_read": "process: wscript.exe, pid: 1856, offset: 0x000181a8, length: 0x00000018"
91 "self_read": "process: wscript.exe, pid: 1856, offset: 0x00018470, length: 0x00000010"
94 "self_read": "process: wscript.exe, pid: 1856, offset: 0x00018640, length: 0x00000012"
99 "Description": "A process created a hidden window",
100 "Details":
102 "Process": "mPNKnpt907is.exe -> C:\\Users\\user\\subfolder\\filename.vbs"
105 "Process": "mPNKnpt907is.exe -> C:\\Users\\user\\subfolder\\filename.exe"
110 "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
111 "Details":
113 "post_no_referer": "HTTP traffic contains a POST request with no referer header"
116 "http_version_old": "HTTP traffic uses version 1.0"
119 "suspicious_request_iocs": "http://zjvvymy.com/jp101/five/fre.php"
124 "Description": "Performs some HTTP requests",
125 "Details":
127 "url_iocs": "http://zjvvymy.com/jp101/five/fre.php"
132 "Description": "A scripting utility was executed",
133 "Details":
135 "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\subfolder\\filename.vbs\""
140 "Description": "Behavioural detection: Injection (Process Hollowing)",
141 "Details":
143 "Injection": "filename.exe(2724) -> filename.exe(3048)"
148 "Description": "Executed a process and injected code into it, probably while unpacking",
149 "Details":
151 "Injection": "filename.exe(2724) -> filename.exe(3048)"
156 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
157 "Details":
159 "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 17181402 times"
164 "Description": "Steals private information from local Internet browsers",
165 "Details":
167 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
172 "Description": "Installs itself for autorun at Windows startup",
173 "Details":
175 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Registry Key Name"
178 "data": "C:\\Users\\user\\subfolder\\filename.vbs -Dirra"
183 "Description": "Creates a hidden or system file",
184 "Details":
186 "file": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
189 "file": "C:\\Users\\user\\AppData\\Roaming\\474604"
194 "Description": "File has been identified by 15 Antiviruses on VirusTotal as malicious",
195 "Details":
197 "Malwarebytes": "Trojan.MalPack.VB.Generic"
200 "Cyren": "W32/VBKrypt.WH.gen!Eldorado"
203 "Symantec": "ML.Attribute.HighConfidence"
206 "ESET-NOD32": "a variant of Win32/Injector.EHQE"
209 "APEX": "Malicious"
212 "Paloalto": "generic.ml"
215 "Kaspersky": "UDS:DangerousObject.Multi.Generic"
218 "Avast": "FileRepMalware"
221 "Sophos": "Mal/FareitVB-N"
224 "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
227 "AhnLab-V3": "Trojan/Win32.VBKrypt.R290199"
230 "Acronis": "suspicious"
233 "Fortinet": "W32/Injector.EHNM!tr"
236 "AVG": "FileRepMalware"
239 "Qihoo-360": "HEUR/QVM03.0.AFAA.Malware.Gen"
244 "Description": "Creates a copy of itself",
245 "Details":
247 "copy": "C:\\Users\\user\\subfolder\\filename.exe"
250 "copy": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
255 "Description": "Drops a binary and executes it",
256 "Details":
258 "binary": "C:\\Users\\user\\subfolder\\filename.exe"
263 "Description": "Harvests credentials from local FTP client softwares",
264 "Details":
266 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
269 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
272 "file": "C:\\Users\\user\\AppData\\Roaming\\Far Manager\\Profile\\PluginsData\\42E4AEB1-A230-44F4-B33C-F195BB654931.db"
275 "file": "C:\\Program Files (x86)\\FTPGetter\\Profile\\servers.xml"
278 "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\servers.xml"
281 "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\ESTdb2.dat"
284 "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
287 "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
290 "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
293 "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
298 "Description": "Harvests information related to installed instant messenger clients",
299 "Details":
301 "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
306 "Description": "Harvests information related to installed mail clients",
307 "Details":
309 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
312 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046\\Email"
315 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
318 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
321 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff\\Email"
324 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326\\Email"
327 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
330 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
333 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
336 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e\\Email"
339 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1\\Email"
342 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
345 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
348 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
351 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7\\Email"
354 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
357 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2\\Email"
360 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\Email"
363 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a\\Email"
366 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001\\Email"
369 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
372 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
375 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
378 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
381 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259\\Email"
384 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
387 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
390 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670\\Email"
393 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604\\Email"
396 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
399 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
402 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
405 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
408 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
411 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046\\Email"
416 "Description": "Collects information to fingerprint the system",
417 "Details":
420 "Description": "Created network traffic indicative of malicious activity",
421 "Details":
423 "signature": "ET TROJAN LokiBot User-Agent (Charon/Inferno)"
426 "signature": "ET TROJAN LokiBot Checkin"
429 "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M2"
432 "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M1"
435 "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1"
438 "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2"
444* Started Service:
445 "VaultSvc",
446 "wmiApSrv"
449* Mutexes:
450 "Local\\ZoneAttributeCacheCounterMutex",
451 "Local\\ZonesCacheCounterMutex",
452 "Local\\ZonesLockedCacheCounterMutex",
453 "6EFA73A4746045B65DEE781E",
454 "Global\\RefreshRA_Mutex_Lib",
455 "Global\\RefreshRA_Mutex",
456 "Global\\RefreshRA_Mutex_Flag",
457 "Global\\WmiApSrv"
460* Modified Files:
461 "C:\\Users\\user\\subfolder\\filename.exe",
462 "C:\\Users\\user\\subfolder\\filename.vbs",
463 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
464 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe",
465 "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8"
468* Deleted Files:
469 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
470 "C:\\Users\\user\\subfolder\\filename.exe"
473* Modified Registry Keys:
474 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
475 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
476 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
477 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
478 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Registry Key Name",
479 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
480 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
481 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed"
484* Deleted Registry Keys:
485 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
486 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
487 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
488 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
491* DNS Communications:
493 "type": "A",
494 "request": "zjvvymy.com",
495 "answers":
497 "data": "161.117.182.74",
498 "type": "A"
504* Domains:
506 "ip": "161.117.182.74",
507 "domain": "zjvvymy.com"
510
512
514
515 "count": 2,
516 "body": "",
517 "uri": "http://zjvvymy.com/jp101/five/fre.php",
518 "user-agent": "Mozilla/4.08 (Charon; Inferno)",
519 "method": "POST",
520 "host": "zjvvymy.com",
521 "version": "1.0",
522 "path": "/jp101/five/fre.php",
523 "data": "POST /jp101/five/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: zjvvymy.com\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: BFD4E154\r\nContent-Length: 176\r\nConnection: close\r\n\r\n",
524 "port": 80
527 "count": 1,
528 "body": "",
529 "uri": "http://zjvvymy.com/jp101/five/fre.php",
530 "user-agent": "Mozilla/4.08 (Charon; Inferno)",
531 "method": "POST",
532 "host": "zjvvymy.com",
533 "version": "1.0",
534 "path": "/jp101/five/fre.php",
535 "data": "POST /jp101/five/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: zjvvymy.com\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: BFD4E154\r\nContent-Length: 149\r\nConnection: close\r\n\r\n",
536 "port": 80
540* Network Communication - SMTP:
542* Network Communication - Hosts:
544 "country_name": "Singapore",
545 "ip": "161.117.182.74",
546 "inaddrarpa": "",
547 "hostname": "zjvvymy.com"
550
551* Network Communication - IRC: