2018-01-08 - LOKIBOT INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2018-01-08-Lokibot-infection-traffic.pcap.zip   3.9 kB (3,890 bytes)

• 2018-01-08-Lokibot-infection-traffic.pcap   (14,662 bytes)

• 2018-01-08-Lokibot-email-and-malware.zip   1.5 MB (1,450,229 bytes)

• 2018-01-08-Lokibot-malspam-1531-UTC.eml   (646,730 bytes)
• swift copia rapida.Ace   (468,346 bytes)
• copia rapida.exe   (882,176 bytes)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domain:

• 18panels[.]info

 

EMAIL

Shown above:  Screenshot of the email.

 

EMAIL INFORMATION:

• Date:  Monday, 2018-01-08 at 15:32 UTC
• Subject:  Fwd: Pago doc
• From:  "Ana Luna <luna@larosadelmonte[.]com>"<luna@larosadelmonte[.]com>
• Attachment name:  swift copia rapida.Ace

 

Shown above:  Attached ".Ace" file is actually an RAR archive.

 

TRAFFIC

Shown above:  Infection traffic filtered in Wireshark.

 

POST-INFECTION TRAFFIC:

• 104.24.118[.]140 port 80 - 18panels[.]info - POST /jemp/fre.php

 

MALWARE

ATTACHMENT FROM THE MALSPAM:

• SHA256 hash:  6c9842a60273cedaeac6cabbe83a364cf514fdc1b6c57845d6a6a16ebbf91f84
  File size:  468,346 bytes
  File name:  swift copia rapida.Ace
  NOTE:  This is a RAR archive, not a ACE file.

LOKIBOT MALWARE EXTRACTED FROM THE RAR ARCHIVE:

• SHA256 hash:  5931df88879e9f85851591a26d2b14fad0c4f3599a5222f06c154414cdcf79fe
  File size:  882,176 bytes
  File name:  swift copia rapida.exe
  File location:  C:\Users\[username]\AppData\Roaming\C72387\7571BA.exe

WINDOWS REGISTRY ENTRY FOR PERSISTENCE:

• Registry Key:  HKCU\[non-ASCII characters]
• Value name:  C72387
• Value Type:  REG_EXPAND_SZ
• Value Data:  APPDATA\C72387\7571BA.exe

 

IMAGES

Shown above:  Registry key and associated file on the infected Windows host.

 

Click here to return to the main page.