Monday, October 25, 2021

LOKI Bot

It's been a few years since I used this blog. Going forward, I thought I should write some semi-recurring posts about random things that I spend about an hour on (mostly because that's about the time I have for random things).

I learn rather easily, but I "forget" just as easily, at least if I don't use the knowledge on a day-to-day basis.

These days, "reversing" mostly stops at C2 info and some characteristics, as that's what's needed and because there are tons of other things to look at... Hopefully, given a few "hours", I will at least refresh some knowledge...


I picked a random sample to look at for my first post.


- Sample Name: vbc.exe

- SHA1: 5a4a29b0980ea0b5b42da76d878102bf7a00807e

- Icon: (image not included)


If we start off by running the sample in a controlled environment, tracking all changes made to the filesystem and the traffic generated, we can quickly see that the sample tries to reach out to the following domain:

http://secure01-redirect.net/   (full URL: http://secure01-redirect.net/ga13/fre.php)

This domain is also later visible during debugging.

During execution the original sample is deleted and moved to a hidden folder under the user's %APPDATA% directory (which already resolves to C:\Users\<user>\AppData\Roaming), in a subfolder with a random six-character name; more on that later on.

Looking at the API imports, we could have guessed that something like this might happen:

MoveFileA and DeleteFileW

The sample was not stripped of its debug information, so we can learn the following:

Age: 19 (PDB age)

Timestamp: Sun Sep 26 22:56:51 2021 (from the debug directory; for reference, the compiler timestamp in the PE header says Mon Jan 25 04:24:02 2021, so time stomping is possibly in play)

PDB path: c:\vobevipusilolo59.pdb
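Added example (not from the original post): a standard-library Python parser that pulls the same fields out of a PE's debug directory, namely the CodeView RSDS record's GUID, age and PDB path plus the debug-directory timestamp, and compares that timestamp with the COFF header's TimeDateStamp, which is the mismatch noted above. The PE it runs on is constructed inline with the post's age and PDB path and with approximate UTC timestamps for the two dates quoted (the GUID is made up); it is not the real vbc.exe, and `timestamps_disagree` and its one-hour tolerance are this example's own heuristic.

```python
# Added example (not from the original post): parse a PE debug directory for
# the CodeView/RSDS record and compare its timestamp with the COFF header's.
# Only the standard library is used; the sample PE is constructed, not vbc.exe.
import struct
import uuid
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DEBUG_TYPE_CODEVIEW = 2
DEBUG_ENTRY_SIZE = 28  # sizeof(IMAGE_DEBUG_DIRECTORY)


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x not inside any section" % rva)


def parse_debug_info(data):
    """Return the COFF timestamp plus RSDS details from a PE image (bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, coff_ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at offset 96 (PE32) or 112 (PE32+) of the optional header.
    dd_base = opt + (96 if magic == 0x10B else 112)
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    sections = []
    sec_table = opt + opt_size
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_table + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    info = {"coff_timestamp": coff_ts, "debug_timestamp": None,
            "pdb_guid": None, "pdb_age": None, "pdb_path": None}
    if dbg_rva == 0 or dbg_size == 0:
        return info  # no debug directory: stripped build
    dbg_off = _rva_to_offset(dbg_rva, sections)
    for i in range(dbg_size // DEBUG_ENTRY_SIZE):
        entry = dbg_off + i * DEBUG_ENTRY_SIZE
        _chars, ts, _maj, _min, dtype, size, _addr, ptr = struct.unpack_from("<IIHHIIII", data, entry)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW:
            continue
        cv = data[ptr:ptr + size]
        if cv[:4] != b"RSDS":
            continue  # older NB10 records or junk are not handled here
        info["debug_timestamp"] = ts
        info["pdb_guid"] = str(uuid.UUID(bytes_le=cv[4:20]))
        info["pdb_age"] = struct.unpack_from("<I", cv, 20)[0]
        info["pdb_path"] = cv[24:].split(b"\0", 1)[0].decode("latin-1")
        break
    return info


def timestamps_disagree(info, tolerance_seconds=3600):
    """Heuristic of this example: a genuine build writes both timestamps within
    seconds of each other, so a large gap suggests one of them was stomped."""
    if info["debug_timestamp"] is None:
        return False
    return abs(info["debug_timestamp"] - info["coff_timestamp"]) > tolerance_seconds


def _utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")


# Constructed timestamps approximating the post's dates, read as UTC:
# COFF header Mon Jan 25 04:24:02 2021, debug directory Sun Sep 26 22:56:51 2021.
COFF_TS = 1611548642
DEBUG_TS = 1632697011


def build_sample_pe():
    """Build a minimal PE32 with one section holding a debug directory entry
    and an RSDS record. Constructed for this example; the GUID is made up."""
    cv = (b"RSDS" + uuid.UUID("12345678-1234-1234-1234-123456789abc").bytes_le
          + struct.pack("<I", 19) + b"c:\\vobevipusilolo59.pdb\0")
    debug_entry = struct.pack("<IIHHIIII", 0, DEBUG_TS, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                              len(cv), 0x1020, 0x220)
    section_data = (debug_entry.ljust(0x20, b"\0") + cv).ljust(0x100, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, COFF_TS, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x1000, DEBUG_ENTRY_SIZE)
    opt += bytes(dirs)  # 96 + 128 = 224 bytes, matching SizeOfOptionalHeader
    section_hdr = b".rdata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x100, 0x1000, 0x100, 0x200, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + section_hdr
    return headers.ljust(0x200, b"\0") + section_data


if __name__ == "__main__":
    info = parse_debug_info(build_sample_pe())
    print("PDB path :", info["pdb_path"], "age", info["pdb_age"], "guid", info["pdb_guid"])
    print("COFF ts  :", _utc(info["coff_timestamp"]))
    print("Debug ts :", _utc(info["debug_timestamp"]))
    print("Possible time stomping:", timestamps_disagree(info))
```

Point `parse_debug_info` at the bytes of a real sample and the same fields come out; a missing or non-RSDS record leaves the PDB fields as `None` rather than raising, so the check degrades gracefully on stripped builds.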

This sample applies a variety of anti-debugging measures, visible through imports like:

RaiseException, GetTickCount, IsDebuggerPresent, UnhandledExceptionFilter, etc.

The value from which the "moved" sample and its directory get their name (most likely derived from the infected host):

    "37FAB5D71BC2B23EAF4E28C0"

Although already visible in the traffic from the infection run performed earlier, it's also rather easy to find the same User-Agent string during debugging:

(screenshot not included)

Given the UA, this points to the sample being LOKI.

Besides the above, here is the long list of software being targeted; it probably corresponds to every possible variant of certain software types found on download.com =)

Browsers:

  • Comodo IceDragon
  • Maple Studio Chrome Plus
  • Google Chrome
  • Nichrome
  • RockMelt
  • Spark
  • Chromiu
  • Titan Browser
  • Torch
  • YandexBrowser
  • Epic Privacy Browser
  • CocCoc Browser
  • Vivaldi
  • Chromodo
  • Superbird
  • Coowon
  • Mustang Browser
  • 360Browser
  • Citrio
  • Chrome SxS
  • Orbitum
  • Iridium
  • Opera Next
  • Sleipnir
  • Firefox
  • SeaMonkey
  • Flock
  • K-Meleon
  • BlackHawk
  • Cyberfox
  • Pale Moon
  • Lunascape

Mail clients:

  • Thunderbird
  • PostBox
  • FossaMail
  • Foxmail
  • IncrediMail
  • Outlook 

FTP/SCP/SSH Clients:

  • 32-Bit-FTP
  • ALFTP
  • BitKinex
  • BlazeFtp
  • ClassicFTP
  • Cyberduck
  • EasyFTP
  • ExpanDrive
  • Far
  • FileZilla
  • FlashFXP
  • Fling
  • FreshFTP
  • FTPBox
  • FTPGetter
  • FTPInfo
  • FTP Navigator
  • FTP Now
  • FTPShell
  • DeluxeFTP
  • GoFTP
  • AbleFTP
  • JaSFtp
  • LinasFTP
  • MyFTP
  • NetDrive
  • NETFile
  • NexusFile
  • NovaFTP
  • Notepad++
  • Odin Secure FTP Expert
  • KiTTY
  • PuTTY
  • SecureFX
  • SftpNetDrive
  • sherrod FTP
  • SmartFTP
  • Staff-FTP
  • Syncovery
  • Total Commander
  • UltraFXP
  • WinFtp Client
  • WS_FTP
  • Xftp

This was about all I was able to get out of the sample during my "hour"; obviously LOKI does a lot more.

/Mikael

