Malware-Traffic-Analysis.net - 2017-06-12

2017-06-12 - LOKIBOT INFECTION

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-06-12-Lokibot-infection-traffic.pcap (9,334 bytes)

2017-06-12-Lokibot-malspam-0137-UTC.eml (213,873 bytes)

PO12062017.ace (157,430 bytes)

PO12062017.exe (327,680 bytes)

NOTES:

Somewhat similar to the Lokibot activity I documented last week on 2017-06-07
Today the email had an attached zip archive containing was a Word document with an embedded .js file that downloaded Lokibot.
This time it was an ACE archive attachment that contained the Windows EXE for Lokibot.

Shown above: Screen shot from the email.

EMAIL HEADERS:

Shown above: Malicious executable in ACE archive from the malspam.

Shown above: Traffic from the infection filtered in Wireshark.

ASSOCIATED DOMAINS:

192.99.2[.]94 port 80 - 192.99.2[.]94 - POST /~sadrenam/mmt/Panel/five/fre.php

ACE ARCHIVE FROM THE EMAIL:

SHA256 hash: 42306a26580cf29068f1a716aaa61d1a4921b2206f3e8234d86d6fcc607d7be8
File size: 157,430 bytes
File name: PO12062017.ace

MALICIOUS BINARY EXTRACTED FROM THE ACE ARCHIVE (LOKI BOT):

SHA256 hash: 7e9c05cff0e0ac10640100c801c3f56470fb6166bbf4e67fa28c63af683458e4
File size: 327,680 bytes
File name: PO12062017.exe
File location on the infected host: C:\Users\[username]\AppData\Roaming\[subfolder]\[filename].exe

ADDITIONAL FILE NOTED ON THE INFECTED HOST:

SHA256 hash: 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
File location: C:\Users\[username]\AppData\Roaming\C72387\7571BA.exe
File size: 20,992 bytes
File description: Appears to be a copy of the legitimate Microsoft file svchost.exe

Shown above: Updated Windows registry with the same file as last time.

Click here to return to the main page.