2018-01-08 - MALSPAM PUSHING LOKI BOT MALWARE

ASSOCIATED FILES:

  • 2018-01-08-Loki-Bot-traffic.pcap   (14,662 bytes)
  • 2018-01-08-malspam-pushing-Loki-Bot-1531-UTC.txt   (646,730 bytes)
  • swift copia rapida.Ace   (468,346 bytes)
  • copia rapida.exe   (882,176 bytes)


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domain:


EMAIL


Shown above:  Screenshot of the email.


EMAIL INFORMATION:



Shown above:  Attached ".Ace" file is actually a RAR archive.
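The ".Ace" attachment is a RAR archive with a misleading extension, so any triage that trusts the file name alone misclassifies it. The script below is an added example for this post (not the author's code, and not the original attachment): it identifies a file by its leading bytes using the published magic values for RAR (both the 1.5-4.x and 5.0+ headers), ACE, ZIP and PE, and flags a mismatch between the extension and the content. It goes a little beyond the one case on the page by covering every format the post's file list mentions. The sample byte strings at the bottom are constructed here for illustration.

```python
"""Identify an attachment by its header bytes rather than its extension.

Added example for this post (not the original author's code). The signatures
are the documented magic bytes of each format; the sample inputs under
__main__ are constructed, not bytes from the actual malspam attachment.
"""
from pathlib import Path

# (format name, byte offset, magic) -- checked in order, first match wins.
# RAR 5.0+ is listed before RAR 1.5-4.x because the older signature is a
# prefix-like variant of the newer one (byte 6 differs: 0x00 vs 0x01).
SIGNATURES = [
    ("RAR archive (v5.0+)", 0, b"Rar!\x1a\x07\x01\x00"),
    ("RAR archive (v1.5-4.x)", 0, b"Rar!\x1a\x07\x00"),
    ("ACE archive", 7, b"**ACE**"),   # ACE keeps its marker at offset 7
    ("ZIP archive", 0, b"PK\x03\x04"),
    ("Windows PE executable", 0, b"MZ"),
]

# What each extension claims to be; anything not listed makes no claim.
CLAIMS = {
    ".ace": "ACE archive",
    ".rar": "RAR archive",
    ".zip": "ZIP archive",
    ".exe": "Windows PE executable",
}


def identify(data: bytes) -> str:
    """Return the format name for the given header bytes, or 'unknown'."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a format the header does not match."""
    ext = Path(filename).suffix.lower()
    if ext not in CLAIMS:
        return False
    return not identify(data).startswith(CLAIMS[ext])


def triage(filename: str, data: bytes) -> str:
    """One-line verdict suitable for a triage log."""
    verdict = f"{filename}: {identify(data)}"
    if extension_mismatch(filename, data):
        verdict += "  <-- extension does not match content"
    return verdict


def triage_file(path: str) -> str:
    """Read only the first 64 bytes; that is enough for every signature above."""
    with open(path, "rb") as f:
        return triage(Path(path).name, f.read(64))


if __name__ == "__main__":
    # Constructed sample bytes, NOT the real attachment from the malspam.
    rar_named_as_ace = b"Rar!\x1a\x07\x00" + b"\x00" * 20
    genuine_ace = b"\x00" * 7 + b"**ACE**" + b"\x00" * 20
    for name, blob in [("swift copia rapida.Ace", rar_named_as_ace),
                       ("sample.ace", genuine_ace)]:
        print(triage(name, blob))
```

The disguise works because an extension-based mail filter sees ".Ace" while the archive tool on the endpoint recognizes the content by its header; checking the header yourself, as above, closes that gap during triage.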


TRAFFIC


Shown above:  Infection traffic in Wireshark.


POST-INFECTION TRAFFIC:


MALWARE

ATTACHMENT FROM THE MALSPAM:

LOKI BOT MALWARE EXTRACTED FROM THE RAR ARCHIVE:

WINDOWS REGISTRY ENTRY FOR PERSISTENCE:


IMAGES


Shown above:  Registry key and associated file on the infected Windows host.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
