2017-06-07 - LOKIBOT INFECTION

NOTICE:

ASSOCIATED FILES:

  • 2017-06-07-Lokibot-infection-traffic.pcap   (146,597 bytes)
  • 2017-06-07-Lokibot-malspam-1249-UTC.eml   (17,271 bytes)
  • 2017-06-07-https-paste.ee-r-CBooD-0.txt   (169,911 bytes)
  • 7571BA.exe   (20,992 bytes)
  • Schedule_order.doc   (14,286 bytes)
  • Schedule_order.r03   (11,487 bytes)
  • price_inv_2364723.vbs   (593 bytes)

EMAILS


Shown above:  Screenshot of the email.

EMAIL HEADERS:


Shown above:  Malicious Word document in RAR archive from the malspam.


Shown above:  Contents of the embedded .js file from the Word document.


Shown above:  HTTPS request generated by the embedded .js file.

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.


Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets, generated using Sguil and tcpreplay on Security Onion.

ASSOCIATED DOMAINS:

FILE HASHES

RAR ARCHIVE FROM THE EMAIL:

MALICIOUS WORD DOCUMENT EXTRACTED FROM THE RAR ARCHIVE:

SUSPICIOUS FILE NOTED ON THE INFECTED HOST:


Shown above:  Updated Windows registry begs the question, "Why would a legitimate file be used in this manner?"