For something different today, I found some DHL-themed LokiBot malspam in the email filters. LokiBot is considered an information stealer: it searches the system for any credentials it can grab. As Brad mentioned in an older SANS ISC blog entry, the emails that LokiBot uses vary and do not seem to follow any kind of pattern. The pattern becomes noticeable when you look at the infection itself (discussed later). In the meantime, if you want to read a great detailed breakdown of LokiBot, check out this paper from Rob Pantazopoulos via the SANS Reading Room.
Artifacts from this investigation can be found below in my GitHub repo located here.
IOCs:
=====
78.128.6[.]231 / kc3nj.loan (POST /3kc/xxx/xxx/fre.php)
3nj.loan (Found in strings of a running process)
Artifacts:
==========
File name: DHL Shipment Delivery Service.ace
File size: 257KB
File path: NA
MD5 hash: 36592df9bb484f3c4f7a807acc3afe9a
VirusTotal: http://www.virustotal.com/#/file/9bb8c2be2905ef380dc5ba1e7e743f8a1f7da71cd0ed92fa03d544a2e2ba15c7/detection
Detection ratio: 19 / 60
First Detected: 2018-06-08 02:31
File name: DHL Shipment Delivery Service.scr
File size: 550KB
File path: NA
MD5 hash: de076b4bd0335f369b87ca08cb404e22
VirusTotal: NA
Any.Run: http://app.any.run/tasks/415afce9-eb5a-4cd9-830c-16859dab941b (Failed to execute)
File name: 3B859C.exe
File size: 550KB
File path: C:\Users\%username%\AppData\Roaming\ABE9E3
MD5 hash: de076b4bd0335f369b87ca08cb404e22
VirusTotal: NA
Any.Run: http://app.any.run/tasks/098c3a17-d165-4f9a-9419-61b1485c4f92
File name: 3B859C.hdb
File size: 4B
File path: C:\Users\%username%\AppData\Roaming\ABE9E3
MD5 hash: a4bcc1b1fd35c41717612476ecfb131e
VirusTotal: NA
Analysis:
=========
This is a pretty straightforward LokiBot infection. I recognized it because of several patterns exhibited by the malware:
– The User-Agent is always “User-Agent: Mozilla/4.08 (Charon; Inferno)”
– The URL ends in “fre.php”
– Within the traffic there is a string (seen below) labeled “ckav.ru”
– The POSTs send data, but the server always answers with a “404 Not Found” error message
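As an added example (not code from the original post), the four traffic patterns above as a small Python triage that scores HTTP transaction records the way a proxy or IDS might log them; the sample records are constructed, and it assumes the “ckav.ru” string appears in the POST body.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Network indicators of this LokiBot infection, taken from the patterns above.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"
LOKIBOT_URI_RE = re.compile(r"/fre\.php$")
LOKIBOT_BODY_MARKER = b"ckav.ru"  # assumption: the marker sits in the POST body


@dataclass
class HttpTxn:
    """One HTTP request/response pair as a proxy or IDS might log it."""
    method: str
    host: str
    uri: str
    user_agent: str
    status: int
    body: bytes


def lokibot_indicators(txn: HttpTxn) -> List[str]:
    """Return the names of the LokiBot indicators matched by one transaction."""
    hits = []
    if txn.user_agent == LOKIBOT_UA:
        hits.append("charon-inferno user-agent")
    if txn.method == "POST" and LOKIBOT_URI_RE.search(txn.uri):
        hits.append("post to fre.php")
    if LOKIBOT_BODY_MARKER in txn.body:
        hits.append("ckav.ru marker")
    if txn.method == "POST" and txn.body and txn.status == 404:
        hits.append("post with data answered 404")
    return hits


def triage(txns: List[HttpTxn], min_hits: int = 2) -> List[Tuple[str, List[str]]]:
    """Flag hosts whose transactions match at least min_hits indicators.
    A lone POST answered with 404 is common on benign sites, so one hit is not enough."""
    flagged = []
    for txn in txns:
        hits = lokibot_indicators(txn)
        if len(hits) >= min_hits:
            flagged.append((txn.host, hits))
    return flagged


# Constructed sample records (not captured traffic); the first mirrors the IOC above.
SAMPLE_TXNS = [
    HttpTxn("POST", "kc3nj.loan", "/3kc/xxx/xxx/fre.php", LOKIBOT_UA, 404, b"ckav.ru\x00" + b"\x01" * 16),
    HttpTxn("POST", "example.com", "/api/login", "Mozilla/5.0 (Windows NT 10.0)", 404, b"user=a"),
    HttpTxn("GET", "example.org", "/index.php", "Mozilla/5.0 (Windows NT 10.0)", 200, b""),
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_TXNS):
        print(f"{host}: {', '.join(hits)}")
```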
Once the file is extracted from the ACE archive and executed, it starts up and then uses process hollowing to create a child process that becomes orphaned (all of the processes carry the same name). The remaining two processes then scan the system for credentials and ship them back to the compromised server via a series of HTTP POSTs.
The following is a snippet that I pulled from PID 2380 via strings.
%s\%s\User Data\Default\Login Data %s\%s\User Data\Default\Web Data %s%s\Login Data %s%s\Default\Login Data Comodo\Dragon MapleStudio\ChromePlus Google\Chrome Nichrome RockMelt Spark Chromium Titan Browser Torch Yandex\YandexBrowser Epic Privacy Browser CocCoc\Browser Vivaldi Comodo\Chromodo Superbird Coowon\Coowon Mustang Browser 360Browser\Browser CatalinaGroup\Citrio Google\Chrome SxS Orbitum Iridium \Opera\Opera Next\data \Opera Software\Opera Stable \Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer \Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer vaultcli.dll VaultEnumerateItems VaultEnumerateVaults VaultFree VaultGetItem VaultOpenVault VaultCloseVault Software\Microsoft\Internet Explorer\IntelliForms\Storage2 %s%02X file:/// Software\Microsoft\Internet Explorer\TypedURLs SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins hostname encryptedUsername encryptedPassword %s\logins.json %s\prefs.js %s\signons.sqlite signons.txt signons2.txt signons3.txt %s\Mozilla\Firefox\profiles.ini %s\Mozilla\Firefox\Profiles\%s %s\Mozilla\SeaMonkey\profiles.ini %s\Mozilla\SeaMonkey\Profiles\%s %s\Flock\Browser\profiles.ini %s\Flock\Browser\Profiles\%s %s\Thunderbird\profiles.ini %s\Thunderbird\Profiles\%s %s\K-Meleon\profiles.ini %s\K-Meleon\%s %s\Comodo\IceDragon\profiles.ini %s\Comodo\IceDragon\Profiles\%s %s\NETGATE Technologies\BlackHawk\profiles.ini %s\NETGATE Technologies\BlackHawk\Profiles\%s %s\Postbox\profiles.ini %s\Postbox\Profiles\%s %s\8pecxstudios\Cyberfox\profiles.ini %s\8pecxstudios\Cyberfox\Profiles\%s %s\Moonchild Productions\Pale Moon\profiles.ini %s\Moonchild Productions\Pale Moon\Profiles\%s %s\FossaMail\profiles.ini %s\FossaMail\Profiles\%s %s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}\data Profile%i Path Profiles/ PATH %s\nss3.dll NSS_Init NSS_Shutdown PK11_GetInternalKeySlot PK11_FreeSlot PK11_Authenticate PK11SDR_Decrypt PK11_CheckUserPassword SECITEM_FreeItem sqlite3.dll mozsqlite3.dll 
nss3.dll sqlite3_finalize sqlite3_step sqlite3_close sqlite3_column_text sqlite3_open16 sqlite3_prepare_v2 sqlite3_prepare CurrentVersion SOFTWARE\Mozilla\Mozilla Firefox %s\%s\Main Install Directory PathToExe SOFTWARE\Mozilla\Mozilla Thunderbird SOFTWARE\Mozilla\FossaMail SOFTWARE\Postbox\Postbox SOFTWARE\Mozilla\Flock SOFTWARE\Flock\Flock (x86) %ProgramW6432% %s\NETGATE\Black Hawk SOFTWARE\Mozilla\Pale Moon %s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE} SOFTWARE\K-Meleon SetupPath SOFTWARE\ComodoGroup\IceDragon\Setup RootDir SOFTWARE\8pecxstudios\Cyberfox86 SOFTWARE\8pecxstudios\Cyberfox SOFTWARE\mozilla.org\SeaMonkey %s\Mozilla\Profiles SOFTWARE\Mozilla\SeaMonkey SOFTWARE\Mozilla\Waterfox ffffff firefox.exe kernel32.dll CloseHandle CreateFileW WriteFile ExitProcess Crypt32.dll CryptStringToBinaryA Shlwapi.dll StrStrA GetProcAddress LoadLibraryW %s\Opera wand.dat X!2$6*9(SKiasb+!v<.qF58_qwe~QsRTYvdeTYb form_password_control form_username_control Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete %s\QupZilla\profiles\default\browsedata.db array dict data string Server InstallDir SOFTWARE\Apple Computer, Inc.\Safari %s\Apple Computer\Preferences\keychain.plist %s\Apple Application Support\plutil.exe .xml -convert xml1 -s -o %s "%s" %s\Data\AccCfg\Accounts.tdat %s\Storage Account.rec0 %s\Foxmail\mail *.stg %SYSTEMDRIVE% Foxmail* EmailAddress Technology PopServer PopPort PopAccount PopPassword SmtpServer SmtpPort SmtpAccount SmtpPassword Software\IncrediMail\Identities UserName Passwd POP3Server POP3Port Email SMTP Email Address SMTP Server SMTP User Name SMTP User POP3 Server POP3 User Name POP3 User NNTP Email Address NNTP User Name NNTP Server IMAP Server IMAP User Name IMAP User HTTP User HTTP Server URL HTTPMail User Name HTTPMail Server POP3 Port SMTP Port IMAP Port POP3 Password2 IMAP Password2 NNTP Password2 HTTPMail Password2 SMTP Password2 POP3 Password IMAP Password NNTP Password HTTP Password SMTP Password 
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook %s\32BitFtp.TMP %s\32BitFtp.ini %s\Estsoft\ALFTP\ESTdb2.dat %s\site.xml %s\BitKinex\bitkinex.ds *.tlp *.bscp LastUsedProfile Software\Bitvise\BvSshClient %s\BlazeFtp\site.dat Software\FlashPeak\BlazeFtp\Settings LastPassword LastUser LastAddress LastPort Server Password _Password Software\NCH Software\ClassicFTP\FTPAccounts settings name value %s\Cyberduck user.config %s\iterate_GmbH %s\EasyFTP\data server username protocol %s\ExpanDrive *favorites.js drives.js %s%c User HostName Software\Far\Plugins\FTP\Hosts Software\Far2\Plugins\FTP\Hosts %s\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db %s\FileZilla\Filezilla.xml %s\FileZilla\filezilla.xml %s\FileZilla\recentservers.xml %s\FileZilla\sitemanager.xml %s\FlashFXP *Sites.dat *quick.dat FtpServer FtpUserName FtpPassword _FtpPassword Software\NCH Software\Fling\Accounts %s\FreshWebmaster\FreshFTP\FtpSites.SMF %s\FTPBox\profiles.conf %s\FTPGetter\Profile\servers.xml %s\FTPGetter\servers.xml %s\FTPInfo\ServerList.xml %s\FTPInfo\ServerList.cfg %s\FTP Navigator\Ftplist.txt %s\FTP Now\sites.xml %s\FTPShell\ftpshell.fsi %s\.config\fullsync\profiles.xml %s\DeluxeFTP\sites.xml %s\GoFTP\settings\Connections.txt JaSFtp AbleFTP Automize %s\%s%i\encPwd.jsd %s\%s%i\data\settings\sshProfiles-j.jsd %s\%s%i\data\settings\ftpProfiles-j.jsd Pass Host Port Software\LinasFTP\Site Manager %s\oZone3D\MyFTP\myftp.ini %s\NetDrive\NDSites.ini %s\NetDrive2\drives.dat %s\Fastream NETFile\My FTP Links %s\NexusFile\userdata\ftpsite.ini %s\NexusFile\ftpsite.ini %s\INSoftware\NovaFTP\NovaFTP.db %s\Notepad++\plugins\config\NppFTP\NppFTP.xml %s\Odin Secure FTP Expert\QFDefault.QFQ %s\Odin Secure FTP Expert\SiteInfo.QFP PublicKeyFile TerminalType PortNumber Software\9bis.com\KiTTY\Sessions Software\SimonTatham\PuTTY\Sessions 
_dec %s_dec lsasrv.dll LsaICryptUnprotectData lsass.exe %s\Microsoft\Credentials Config Path Software\VanDyke\SecureFX %s\Sessions *.ini Port UserName Password %s\SftpNetDrive *.cfg %s\Sherrod Computers\sherrod FTP\favorites #document.favoriteManager* %s\SmartFTP {*.xml %s\Staff-FTP\sites.ini %s\Steed\bookmarks.txt %s\SuperPutty Sessions* sftp:// ftp:// ftps:// http:// http:// {.:CRED:.} {CREN} {CRDB} Profiles %s\Syncovery Syncovery.ini %s\wcx_ftp.ini %s\GHISLER\wcx_ftp.ini FtpIniName Software\Ghisler\Total Commander %s\UltraFXP\sites.xml %s\WinFtp Client\Favorites.dat FSProtocol Software\Martin Prikryl %s\WS_FTP\WS_FTP.INI %s\WS_FTP.INI %s\Ipswitch ws_ftp.ini %s\NetSarang\Xftp\Sessions *xfp MAC=%02X%02X%02XINSTALL=%08X%08Xk 1?0` %s\%s\%s.exe