Tuesday, February 12, 2019

#lokibot

#lokibot

------------------------------
2/19/2019

https://www.virustotal.com/#/file/da30b124c95eda90524716d0bd4b5af608f50fa52b126f1720c38933c916eb2e/detection

Email w/ attachment Document.exe

Compiler:
- Microsoft Visual Basic(6.0)[Native]

Running behavior: (RUN AS ADMINISTRATOR)
- starts a child process with same name
- dns lookup to ubochiomaswifts.cf (104.24.109.185, 104.24.108.185)
- http post to ubochiomaswifts.cf/eshi/fre.php , payload contains fuckav.ru, PC name, random Letters/Numbers at the end
- CreateFile api calls to login data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to Web Data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to FTP config files (MyFTP, EasyFTP, AbleFTP, FileZilla, WS_FTP, etc)
- CreateFile api calls to Email files (yMail, TrulyMail)
- CreateFile api calls to password managers (Enpass, RoboForm, 1Password)

Memory strings while Running:  ( https://pastebin.com/raw/zL04fvx5  )
- random obfuscated strings, many start with letter X, 10 chars long (Xje[jr_jaf, XjlZjd^j\f, etc.)
- strings related to Login & Web Data (chrome, titan browser, Mozilla, etc.)
- strings related to profile ini files (profiles.ini)
- strings related to FTP files
- Copyright Joergen Ibsen, aPLib v1.01, ibsensoftware.com
- the url ubochiomaswifts.cf/eshi/fre.php
- function names prefixed by "Crypt"


IDA Pro Behavior (RUN AS ADMINISTRATOR)

- 34F0000: The instruction at 0x34F0000 referenced memory at 0xE09092C9. The memory could not be written -> E09092C9 (exc.code c0000005, tid 968)

------------------------------
2/19/2019

https://www.virustotal.com/#/file/0d1c8154f0454b6a4ee8312f935e8af95a0765368488bed6f68f8fe443350537/detection

Email w/ attachment TT Advice.exe

Compiler:
- Microsoft Visual Basic(6.0)[Native]

Running behavior: (RUN AS ADMINISTRATOR)
- starts a copy of itself
- dns lookup to www.cashoutsquad.com (47.254.177.121)
- http post to www.cashoutsquad.com/motivate/minds/more/fre.php , payload contains fuckav.ru, PC name, random Letters/Numbers at the end
- CreateFile api calls to login data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to Web Data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to FTP config files (MyFTP, EasyFTP, AbleFTP, FileZilla, WS_FTP, etc)
- CreateFile api calls to Email files (yMail, TrulyMail)
- CreateFile api calls to password managers (Enpass, RoboForm, 1Password)

Memory strings while Running:  ( https://pastebin.com/raw/RQUy268M )
- random obfuscated strings, many start with letter X, 10 chars long (Xje[jr_jaf, XjlZjd^j\f, etc.)
- strings related to Login & Web Data (chrome, titan browser, Mozilla, etc.)
- strings related to profile ini files (profiles.ini)
- strings related to FTP files
- Copyright Joergen Ibsen, aPLib v1.01, ibsensoftware.com
- the url awww.cashoutsquad.com/motivate/minds/more/fre.php
- function names prefixed by "Crypt"


IDA Pro Behavior (RUN AS ADMINISTRATOR)
- 0: The instruction at 0x0 referenced memory at 0x0. The memory could not be executed -> 00000000 (exc.code c0000005, tid 676)


------------------------------
2/12/2019

https://app.any.run/tasks/c72c5d4e-510e-4d5d-a863-502ecc3ea777
https://www.virustotal.com/#/file/57d57613ef46c879ca65a307b52625628b706601bf10cebad126d5bbcbbc9118/detection

hxxp://gemaco[.]com[.]ve/js/file/coc.exe

Compiler:
- Microsoft Visual Basic(6.0)[Native]

Running behavior: (RUN AS ADMINISTRATOR)
- starts a copy of itself, deletes original copy of itself, new copy of itself very small in memory, very low cpu usage for long time
- dns lookup to archanadiagnostics.com (172.96.12.126)
- http post to archanadiagnostics.com/css/coco/five/fre.php , payload contains fuckav.ru, PC name, random Letters/Numbers at the end
- CreateFile api calls to login data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to Web Data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to FTP config files (MyFTP, EasyFTP, AbleFTP, FileZilla, WS_FTP, etc)
- CreateFile api calls to Email files (yMail, TrulyMail)
- CreateFile api calls to password managers (Enpass, RoboForm, 1Password)

Memory strings while Running:
- very small capture
- random obfuscated strings, many start with letter X, 10 chars long (Xje[jr_jaf, XjlZjd^j\f, etc.)
- strings related to Login & Web Data (chrome, titan browser, Mozilla, etc.)
- strings related to profile ini files (profiles.ini)
- strings related to FTP files
- Copyright Joergen Ibsen, aPLib v1.01, ibsensoftware.com
- the url archanadiagnostics.com/css/coco/five/fre.php
- lots of decimal number prefixed by Gu, Hu, Cu, etc.
- function names prefixed by "Crypt"


IDA Pro Behavior (RUN AS ADMINISTRATOR)
- crashes with 755FC54F: Floating point inexact result (exc.code c000008f, tid 1228)

------------------------------

No comments:

Post a Comment