2017-06-07 - LOKIBOT INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-07-Lokibot-infection-traffic.pcap.zip   132 kB (132,275 bytes)

• 2017-06-07-Lokibot-infection-traffic.pcap   (146,597 bytes)

• 2017-06-07-Lokibot-malspam-1249-UTC.eml.zip   13.1 kB (13,084 bytes)

• 2017-06-07-Lokibot-malspam-1249-UTC.eml   (17,271 bytes)

• 2017-06-07-malware-from-Lokibot-infection.zip   156.6 kB (156,632 bytes)

• 2017-06-07-https-paste.ee-r-CBooD-0.txt   (169,911 bytes)
• 7571BA.exe   (20,992 bytes)
• Schedule_order.doc   (14,286 bytes)
• Schedule_order.r03   (11,487 bytes)
• price_inv_2364723.vbs   (593 bytes)

 

EMAILS

Shown above:  Screen shot from the email.

 

EMAIL HEADERS:

• Date:  Wednesday 2017-06-07 at 12:49 UTC
• From:  "Besmido Lliladhar" <spurchasing@besmindo[.]com>
• Subject:  Re:Purchase request
• Attachment:  Schedule_order.r03   [RAR archive]

 

Shown above:  Malicious Word document in RAR archive from the malspam.

 

Shown above:  Contents of the embedded .js file from the Word document.

 

Shown above:  HTTPS request generated by the embedded .js file.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.

 

ASSOCIATED DOMAINS:

• paste[.]ee - GET /r/CBooD/0   [HTTPS over port 443]
• 111.90.139[.]246 - deniumwears[.]xyz - POST /bolt/bolt.php

 

FILE HASHES

RAR ARCHIVE FROM THE EMAIL:

• SHA256 hash:  2bebe4a5acb9940a295a167aff62e81e9c11b55051450e1f8e979ff63d964071
  File name:  Schedule_order.r03
  File size:  11,487 bytes

MALICIOUS WORD DOCUMENT EXTRACTED FROM THE RAR ARCHIVE:

• SHA256 hash:  326030d71dfb77f98d37eea3498d7dadd76c5ab59bd5fe279298c184ac3e08fa
  File name:  Schedule_order.doc
  File size:  14,286 bytes

SUSPICIOUS FILE NOTED ON THE INFECTED HOST:

• SHA256 hash:  121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
  File location:  C:\Users\[username]\AppData\Roaming\C72387\7571BA.exe
  File size:  20,992 bytes
  File description:  Appears to be a copy of the legitimate Microsoft file svchost.exe

Shown above:  Updated Windows registry begs the question, "Why would a legitimate file be used in this manner?"

 

Click here to return to the main page.