2018-01-08 - LOKIBOT INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-01-08-Lokibot-infection-traffic.pcap.zip 3.9 kB (3,890 bytes)
- 2018-01-08-Lokibot-infection-traffic.pcap (14,662 bytes)
- 2018-01-08-Lokibot-email-and-malware.zip 1.5 MB (1,450,229 bytes)
- 2018-01-08-Lokibot-malspam-1531-UTC.eml (646,730 bytes)
- swift copia rapida.Ace (468,346 bytes)
- copia rapida.exe (882,176 bytes)
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domain:
- 18panels[.]info

Shown above:  Screenshot of the email.
EMAIL INFORMATION:
- Date: Monday, 2018-01-08 at 15:32 UTC
- Subject: Fwd: Pago doc
- From: "Ana Luna <luna@larosadelmonte[.]com>"<luna@larosadelmonte[.]com>
- Attachment name: swift copia rapida.Ace

Shown above:  Attached ".Ace" file is actually an RAR archive.
TRAFFIC

Shown above:  Infection traffic filtered in Wireshark.
POST-INFECTION TRAFFIC:
- 104.24.118[.]140 port 80 - 18panels[.]info - POST /jemp/fre.php
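The C2 check-in above is a plain HTTP POST, so it can be matched from the request line and Host header alone. The following is an added example (not code from the original post): a small HTTP request parser plus a matcher keyed on the two indicators listed above, 18panels[.]info and /jemp/fre.php (undefanged here so they match real traffic). The sample requests are constructed for the example, not taken from the pcap.

```python
import re
from typing import Optional

# Indicators from the post above, undefanged for matching.
C2_HOST = "18panels.info"
C2_PATH = "/jemp/fre.php"

# Request line: METHOD SP request-target SP HTTP/1.x
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")


def parse_request(raw: bytes) -> Optional[dict]:
    """Parse the head of a raw HTTP request; return None if it is not one."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {
        "method": m["method"].decode("ascii"),
        "path": m["path"].decode("latin-1"),
        "headers": headers,
    }


def matches_lokibot_c2(raw: bytes) -> bool:
    """True for a POST to the C2 host or the C2 path seen in this infection."""
    req = parse_request(raw)
    if req is None or req["method"] != "POST":
        return False
    host = req["headers"].get("host", "").split(":", 1)[0].lower()
    return host == C2_HOST or req["path"] == C2_PATH


def scan_requests(requests: list) -> list:
    """Return one alert string per request that matches the C2 indicators."""
    alerts = []
    for raw in requests:
        if matches_lokibot_c2(raw):
            req = parse_request(raw)
            alerts.append(f"Lokibot C2 POST to {req['headers'].get('host', '?')}{req['path']}")
    return alerts


# Constructed sample requests (not from the capture on this page).
CONSTRUCTED_C2_POST = (
    b"POST /jemp/fre.php HTTP/1.0\r\n"
    b"Host: 18panels.info\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"ABCD"
)
CONSTRUCTED_BENIGN_GET = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for alert in scan_requests([CONSTRUCTED_C2_POST, CONSTRUCTED_BENIGN_GET]):
        print(alert)
```

Matching on either the host or the path is deliberate: Lokibot panels move between domains, and the /fre.php gate path tends to survive longer than any one hostname, so a rule keyed only on 18panels[.]info would go stale first.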
MALWARE
ATTACHMENT FROM THE MALSPAM:
- SHA256 hash:  6c9842a60273cedaeac6cabbe83a364cf514fdc1b6c57845d6a6a16ebbf91f84
 File size: 468,346 bytes
 File name: swift copia rapida.Ace
 NOTE: This is a RAR archive, not an ACE file.
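The ".Ace" extension above is a lure; the content is a RAR archive, and extraction tools go by the signature, not the name. The following is an added example (not code from the original post) that identifies an archive by its header bytes and flags a mismatch with the file extension. The RAR (v4 and v5) and ACE signatures are the published format magics; the sample byte strings are constructed for the example, not taken from the attachment.

```python
# Archive signatures. RAR4 and RAR5 start with "Rar!" followed by a
# version-specific tail; ACE carries "**ACE**" at offset 7 of its first header.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7

# Which detected format each extension legitimately implies.
EXPECTED_BY_EXTENSION = {
    "rar": {"rar4", "rar5"},
    "ace": {"ace"},
}


def identify_archive(data: bytes) -> str:
    """Return 'rar4', 'rar5', 'ace' or 'unknown' based on header bytes only."""
    # RAR5 is checked first because its magic extends the RAR4 prefix.
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the extension's claim against the detected format."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    detected = identify_archive(data)
    expected = EXPECTED_BY_EXTENSION.get(ext)
    # A mismatch is only declared when the extension makes a claim we can test
    # and the header contradicts it; an unrecognised extension is not a mismatch.
    mismatch = expected is not None and detected not in expected
    return {"filename": filename, "extension": ext, "detected": detected, "mismatch": mismatch}


# Constructed samples (not the real attachment): a RAR4 header with padding,
# and an ACE header (CRC, size, type, flags, then the signature at offset 7).
CONSTRUCTED_RAR_BYTES = RAR4_MAGIC + b"\x00" * 16
CONSTRUCTED_ACE_BYTES = b"\x00\x00\x20\x00\x00\x00\x00" + ACE_MAGIC + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("swift copia rapida.Ace", CONSTRUCTED_RAR_BYTES),
                       ("genuine.ace", CONSTRUCTED_ACE_BYTES)]:
        result = check_attachment(name, blob)
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{name}: claims .{result['extension']}, header says {result['detected']} -> {flag}")
```

Use this kind of check at the mail gateway or in a sandbox pre-filter: an extension that names one archive format while the header names another is a strong signal on its own, independent of whatever the archive contains.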
LOKIBOT MALWARE EXTRACTED FROM THE RAR ARCHIVE:
- SHA256 hash:  5931df88879e9f85851591a26d2b14fad0c4f3599a5222f06c154414cdcf79fe
 File size: 882,176 bytes
 File name: swift copia rapida.exe
 File location: C:\Users\[username]\AppData\Roaming\C72387\7571BA.exe
WINDOWS REGISTRY ENTRY FOR PERSISTENCE:
- Registry Key: HKCU\[non-ASCII characters]
- Value name: C72387
- Value Type: REG_EXPAND_SZ
- Value Data: APPDATA\C72387\7571BA.exe
IMAGES

Shown above:  Registry key and associated file on the infected Windows host.
