2018-01-08 - MALSPAM PUSHING LOKI BOT MALWARE
ASSOCIATED FILES:
- Zip archive of the pcap: 2018-01-08-Loki-Bot-traffic.pcap.zip 3.9 kB (3,872 bytes)
- 2018-01-08-Loki-Bot-traffic.pcap (14,662 bytes)
- Zip archive of the email and malware: 2018-01-08-Loki-Bot-email-and-malware.zip 1.4 MB (1,449,823 bytes)
- 2018-01-08-malspam-pushing-Loki-Bot-1531-UTC.txt (646,730 bytes)
- swift copia rapida.Ace (468,346 bytes)
- copia rapida.exe (882,176 bytes)
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domain:
- 18panels.info
Shown above: Screenshot of the email.
EMAIL INFORMATION:
- Date: Monday, 2018-01-08 at 15:32 UTC
- Subject: Fwd: Pago doc
- From: "Ana Luna <luna@larosadelmonte.com>"<luna@larosadelmonte.com>
- Attachment name: swift copia rapida.Ace
Shown above: Attached ".Ace" file is actually an RAR archive.
TRAFFIC
Shown above: Infection traffic in Wireshark.
POST-INFECTION TRAFFIC:
- 104.24.118.140 port 80 - 18panels.info - POST /jemp/fre.php
MALWARE
ATTACHMENT FROM THE MALSPAM:
- SHA256 hash: 6c9842a60273cedaeac6cabbe83a364cf514fdc1b6c57845d6a6a16ebbf91f84
File size: 468,346 bytes
File name: swift copia rapida.Ace
NOTE: This is a RAR archive, not an ACE file. The extension is only a label; the leading bytes identify the real container format.
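As an added check (example code written for this page, not part of the original write-up): identify the attachment's real container format from its leading bytes and compare that with what the file extension claims. The signature offsets come from the public RAR, ACE, ZIP and PE format layouts; the sample header bytes below are constructed to mirror the ".Ace" attachment described above and are not the actual file's contents.

```python
import os

# Magic-byte signatures as (offset, bytes, label). Taken from the public
# format specs: RAR and ZIP markers sit at offset 0, the ACE marker "**ACE**"
# follows a 7-byte header, a PE file starts with "MZ".
SIGNATURES = [
    (0, b"Rar!\x1a\x07\x00", "rar4"),
    (0, b"Rar!\x1a\x07\x01\x00", "rar5"),
    (7, b"**ACE**", "ace"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"MZ", "pe"),
]

# What each extension is supposed to contain.
EXTENSION_TO_FORMAT = {
    ".rar": {"rar4", "rar5"},
    ".ace": {"ace"},
    ".zip": {"zip"},
    ".exe": {"pe"},
}


def identify(data: bytes) -> str:
    """Return the container format implied by the leading bytes, or 'unknown'."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (detected_format, mismatch_flag).

    mismatch_flag is True only when the extension is one we know and the
    content does not match it; unknown extensions are never flagged.
    """
    ext = os.path.splitext(filename)[1].lower()
    detected = identify(data)
    expected = EXTENSION_TO_FORMAT.get(ext)
    return detected, (expected is not None and detected not in expected)


def check_file(path: str):
    """Read the first 32 bytes of a file on disk and run the same check."""
    with open(path, "rb") as fh:
        head = fh.read(32)
    return extension_mismatch(os.path.basename(path), head)


# Constructed sample: a RAR4 marker block plus the start of an archive header,
# carrying the ".Ace" name used by the malspam. Not the real attachment's bytes.
SAMPLE_NAME = "swift copia rapida.Ace"
SAMPLE_HEADER = b"Rar!\x1a\x07\x00" + b"\xcf\x90\x73\x00\x00\x0d\x00\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    fmt, bad = extension_mismatch(SAMPLE_NAME, SAMPLE_HEADER)
    print(f"{SAMPLE_NAME}: detected={fmt} extension_mismatch={bad}")
```

Run check_file() against the extracted attachment and any other mail attachment; a mismatch on a known extension is the same signal an analyst gets from the `file` utility, but here it is reduced to a boolean that can be wired into a mail-gateway or sandbox pipeline.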
LOKI BOT MALWARE EXTRACTED FROM THE RAR ARCHIVE:
- SHA256 hash: 5931df88879e9f85851591a26d2b14fad0c4f3599a5222f06c154414cdcf79fe
File size: 882,176 bytes
File name: swift copia rapida.exe
File location: C:\Users\[username]\AppData\Roaming\C72387\7571BA.exe
WINDOWS REGISTRY ENTRY FOR PERSISTENCE:
- Registry Key: HKCU\[non-ASCII characters]
- Value name: C72387
- Value Type: REG_EXPAND_SZ
- Value Data: %APPDATA%\C72387\7571BA.exe (REG_EXPAND_SZ, so %APPDATA% is expanded at load time to C:\Users\[username]\AppData\Roaming, matching the file location above)
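As an added example (written for this page, not part of the original write-up), the persistence artifact above reduced to a hunt: walk exported HKCU values, expand REG_EXPAND_SZ data the way Windows does, and flag entries that match the shape seen here, a value under a non-ASCII-named key whose data is %APPDATA%\<6 hex chars>\<6 hex chars>.exe. The pattern is a heuristic derived from this one sample, not a vendor signature, and the registry entries and environment mapping are constructed; the real key name is non-ASCII and is not reproduced here.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Heuristic built from the artifact in this write-up: %APPDATA%\XXXXXX\YYYYYY.exe
# with six hex characters for both the directory and the file stem.
LOKI_PATH_RE = re.compile(r"^%APPDATA%\\[0-9A-F]{6}\\[0-9A-F]{6}\.exe$", re.IGNORECASE)


def expand(value: str, env: Dict[str, str]) -> str:
    """Expand %VAR% tokens as Windows does for REG_EXPAND_SZ (case-insensitive names).

    Unknown variables are left in place rather than dropped, which is also
    what ExpandEnvironmentStrings does.
    """
    def repl(match):
        return env.get(match.group(1).upper(), match.group(0))
    return re.sub(r"%([^%]+)%", repl, value)


def find_suspicious(entries: Iterable[Tuple[str, str, str, str]],
                    env: Dict[str, str]) -> List[dict]:
    """Scan (key_path, value_name, value_type, value_data) tuples.

    Only REG_EXPAND_SZ values are considered. A hit is either the exact
    path shape from this sample, or any %APPDATA%-rooted data under a key
    whose name contains non-ASCII characters.
    """
    hits = []
    for key, name, vtype, data in entries:
        if vtype != "REG_EXPAND_SZ":
            continue
        non_ascii_key = any(ord(ch) > 127 for ch in key)
        appdata_rooted = data.upper().startswith("%APPDATA%")
        if LOKI_PATH_RE.match(data) or (non_ascii_key and appdata_rooted):
            hits.append({
                "key": key,
                "name": name,
                "raw": data,
                "expanded": expand(data, env),
                "non_ascii_key": non_ascii_key,
            })
    return hits


# Constructed environment for the expansion step (hostname and user are made up).
ENV = {"APPDATA": r"C:\Users\victim\AppData\Roaming",
       "USERPROFILE": r"C:\Users\victim"}

# Constructed entries: the first mirrors the write-up (key name stands in for the
# real non-ASCII one), the other two are ordinary values that must not fire.
SAMPLE_ENTRIES = [
    ("HKCU\\" + "\u0400\u0401\u0402", "C72387", "REG_EXPAND_SZ",
     r"%APPDATA%\C72387\7571BA.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", "REG_SZ",
     r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKCU\Environment", "TEMP", "REG_EXPAND_SZ",
     r"%USERPROFILE%\AppData\Local\Temp"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_ENTRIES, ENV):
        print(f"{hit['key']} \\ {hit['name']} -> {hit['expanded']} "
              f"(non-ASCII key: {hit['non_ascii_key']})")
```

The expansion step matters when the hit is cross-checked against disk: the path to verify on the host is the expanded one (C:\Users\...\AppData\Roaming\C72387\7571BA.exe), not the literal registry data.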
IMAGES
Shown above: Registry key and associated file on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2018-01-08-Loki-Bot-traffic.pcap.zip 3.9 kB (3,872 bytes)
- Zip archive of the email and malware: 2018-01-08-Loki-Bot-email-and-malware.zip 1.4 MB (1,449,823 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.