
Lokibot – Gutter Thief in the night

or

If you are a man and a gorgeous woman whom you have never met propositions you, only a fool would think nothing is amiss, so why would you click on that picture of a model so you can ogle it in private, especially since you don’t know where it came from?

 

As you may already know from my rantings, here at Cybercrypto we have respect for good malware, and if you have not read my rantings then let me reiterate: any person with a basic understanding of scripting can put together insidious ransomware that collapses your system, thereby showing the world “LOOK AT ME!! I GOT YOU TO CLICK ON SOMETHING THAT HAS CAUSED YOU TO CEASE OPERATION AND I WILL CHARGE YOU MONEY”. It takes strategy and a certain level of finesse to write something that sits on a computer sending all its data out unbeknownst to the user. Subterfuge is an art. It is in that spirit that we are looking at Lokibot. This type of malware is an information stealer that sends credentials, as well as other sensitive data from the infected host, to a command and control server. Most of the time the infection vector is spam. For the most part (and there are several exceptions), when the infection vector is email (usually in the form of phishing), the item must be clicked on and activated, so keep in mind that the user must run the malware before it can do anything. Once the malware is activated it unpacks itself, which is no different from a user installing software on a computer.

 

The malware in this case has a file name of nudemodel.jpg.exe. Below are the hashes for the file:

Size: 1.2MB

Type: PE32 executable (GUI) Intel 80386, for MS Windows

MD5: 2df7a83872148d20484b66975d30fee6

SHA1: de22b923a8a6904daa1792b7936b2a1336637e6f

SHA256: 781b531a40218128d466d79a1c1b94a233c35af926264141b47efa7e5b8e7b57

SHA512: 2074d68c9f73e2d62339200e4e6a14d84c6cdc81d01310be8f993c1a43bed76556741b299b95db897f1b7609e1b1974cd2a0d64f17500db01c001bd39685e9c2

CRC32: 2670043B

ssdeep: 24576:ErRoraaLCu/LNPuvrz9aEEDgaKIjwnGYCjRiPr8lv9:ErR6XhuvrRaE1nITki

 

Part One:

 

Before looking at the first appearance, a static overview of the file helps. Keep in mind that we know this is Lokibot; in a real attack you don’t know that, the user only gets to figure it out post homicide, and at that point it is called forensics. Therefore, we look at the file to learn a little more about it before going into the first appearance and analyzing what it does.

Section One –

 

Through static analysis we can pull the following version info from the malware –

Legal Copyright: Copyright Byte Technologies LLC.

File Version: 1.2

Company Name: Byte Technologies LLC.

Product Name: ByteFence

Product Version: 1.2

File Description: ByteFence Real-time Protection Service

Translation: 0x0409 0x04b0

ByteFence is a bad Malwarebytes bastardized clone with genetic defects. We have seen it pushed onto systems via bundled installers. It is unclear to us why this version info is on the malware. A cursory search for ByteFence together with Lokibot did not return anything of value.

Section Two:

 

There is something different though that stands out about this sample.

 

Lokibot find an image

At offset 0x000c9498 we see jpeg image data. There is an image packed in there. Here is what it looks like:

jkcgjj.jpg

Steganography is the art of hiding data within an image, or a similar file, to avoid detection. If the offsets reference an image file, you can be sure the malware is going to reference that image at some point in the process. This is very interesting, as the image opens with no error, and yet the image is packed with instructions.
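As an added example (not code from the original post), this Python script carves JPEG images out of an arbitrary binary the way a static look at the sample would: it reports each image's offset, its marker segments, whether it closes cleanly with an EOI marker (which is why such an image "opens with no error"), and how many bytes trail the EOI before the next image or the end of the file, a spot where extra data commonly gets parked. The sample blob is constructed here, with a minimal well-formed JPEG placed at 0x000c9498 to mirror the post; it is not the real nudemodel.jpg.exe.

```python
# JPEG structure: SOI (FF D8), a chain of marker segments each carrying a 2-byte
# big-endian length that includes the length field itself, then SOS (FF DA)
# followed by entropy-coded data until EOI (FF D9).
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
MARKER_NAMES = {0xE0: "APP0", 0xE1: "APP1", 0xDB: "DQT", 0xC0: "SOF0",
                0xC2: "SOF2", 0xC4: "DHT", 0xDA: "SOS", 0xFE: "COM"}


def walk_jpeg(data, start):
    """Walk the marker segments of the JPEG at `start`.
    Returns (segment names, offset just past EOI) or (names, None) if it never closes."""
    names, pos = [], start + 2                      # skip SOI
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xFF:                          # fill byte, keep scanning
            pos += 1
            continue
        if marker == 0xD9:                          # EOI reached without a scan
            return names, pos + 2
        if 0xD0 <= marker <= 0xD7:                  # RSTn markers have no length field
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        names.append(MARKER_NAMES.get(marker, "0x%02X" % marker))
        pos += 2 + length
        if marker == 0xDA:                          # SOS: scan data runs until EOI
            eoi = data.find(JPEG_EOI, pos)          # FF inside scan data is stuffed as FF 00
            return names, (None if eoi == -1 else eoi + 2)
    return names, None


def find_embedded_jpegs(data):
    """Report every JPEG inside an arbitrary blob (e.g. a PE file): offset, segment
    layout, whether it is complete, its length, and how many bytes sit between its
    EOI and the next image or end of buffer (appended data is worth a closer look)."""
    results, off = [], data.find(JPEG_SOI)
    while off != -1:
        names, end = walk_jpeg(data, off)
        if end is None:
            results.append({"offset": off, "segments": names, "complete": False,
                            "length": None, "trailing_bytes": None})
            off = data.find(JPEG_SOI, off + 1)
            continue
        nxt = data.find(JPEG_SOI, end)
        stop = len(data) if nxt == -1 else nxt
        results.append({"offset": off, "segments": names, "complete": True,
                        "length": end - off, "trailing_bytes": stop - end})
        off = nxt
    return results


def _seg(marker, payload):
    """Build one marker segment: FF <marker> <length incl. its own 2 bytes> <payload>."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample (not the real binary): a minimal but well-formed JPEG placed at
# the offset the post reports, with 19 bytes of constructed data appended after EOI.
_JPEG = (b"\xff\xd8"
         + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")   # APP0/JFIF header
         + _seg(0xDB, b"\x00" + bytes(64))                              # one quantisation table
         + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")          # SOF0: 8x8, 1 component
         + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")                      # SOS header
         + b"\x12\x34\xff\x00\x56"                                      # scan data (FF byte-stuffed)
         + b"\xff\xd9")
JPEG_OFFSET = 0x000C9498
SAMPLE = b"MZ" + bytes(JPEG_OFFSET - 2) + _JPEG + b"CONSTRUCTED-PAYLOAD"

if __name__ == "__main__":
    for hit in find_embedded_jpegs(SAMPLE):
        print("JPEG at 0x%08x: %s" % (hit["offset"], hit))
```

Run it against a real sample by replacing SAMPLE with the file's bytes; a non-zero trailing_bytes count or an unusually large APPn/COM segment is the cue to look closer.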

 

Part Two:

A Journey into The Absurd

 

Section One:

 

The file in question is nudemodel.jpg.exe. Once the file is clicked, an executable is dropped. We see the file below dropped in the C:\Users\username\AppData\Roaming directory. The name of the dropped executable is jkcgjj.exe. Even though nothing damaging has happened yet, at this point we should already have an alert. Why? An executable has dropped a file into the user directory under AppData\Roaming\ – these are directories that should be monitored for activity, as they serve as an indicator of the user’s activity.

 

1. Sandbox –

filename: C:\Users\admin\AppData\Roaming\jkcgjj.exe

access: READ_CONTROL, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES

device: DISK_FILE_SYSTEM

name: C:\Users\admin\AppData\Roaming\jkcgjj.jpg

object: FILE

operation: CREATE

More on this later.

Note: For the analysis at the workstation level as in previous articles we draw directly from the logs to obtain a granular understanding of what is going on. Our logs are written to our alert system, so we capture everything, and we are able to see this as it is happening.

 

    2. Windows workstation:

 

There are some interesting things to note here; if you are capturing information properly, you will be alerted to this odd activity.

 

Figure 1:

 

Event ID: 4688

A new process has been created

Creator Subject:

            Security ID:                  S-1-5-21-372134654-1229274158-1178834050-500

            Account Name:             Administrator

            Account Domain:                      PROJECTFARSCAPE

            Logon ID:                     0xBEFE0D

 

Target Subject:

            Security ID:                  S-1-0-0

            Account Name:             -

            Account Domain:                      -

            Logon ID:                     0x0

 

Process Information:

            New Process ID:                       0x255c

            New Process Name:      C:\Windows\System32\pcwrun.exe

            Token Elevation Type:   %%1936

            Mandatory Label:                      S-1-16-12288

            Creator Process ID:       0x228c

            Creator Process Name:  C:\Windows\explorer.exe

            Process Command Line: C:\WINDOWS\system32\pcwrun.exe "C:\temp\nudemodel.jpg.exe" ContextMenu

Figure 2:

 

Process Create:

RuleName:

UtcTime: 2019-08-07 22:42:33.835

ProcessGuid: {F9A5ADB1-53D9-5D4B-0000-001072AF3DDE}

ProcessId: 9732

Image: C:\Windows\System32\msdt.exe

FileVersion: 10.0.17134.1 (WinBuild.160101.0800)

Description: Diagnostics Troubleshooting Wizard

Product: Microsoft® Windows® Operating System

Company: Microsoft Corporation

CommandLine: C:\WINDOWS\System32\msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\Users\ADMINI~1\AppData\Local\Temp\PCW4DDF.xml /skip TRUE

CurrentDirectory: C:\WINDOWS\system32\

User: PROJECTFARSCAPE\Administrator

LogonGuid: {F9A5ADB1-9A71-5D33-0000-00200DFEBE00}

LogonId: 0xBEFE0D

TerminalSessionId: 1

IntegrityLevel: High

Hashes: SHA1=9835087FFD1A7760D7630FCF8661D38A54CBF75A

ParentProcessGuid: {F9A5ADB1-53D9-5D4B-0000-0010ECAA3DDE}

ParentProcessId: 9564

ParentImage: C:\Windows\System32\pcwrun.exe

ParentCommandLine: C:\WINDOWS\system32\pcwrun.exe "C:\temp\nudemodel.jpg.exe" ContextMenu

 

In Figure 1 we see a new process being created. The parent command line is spawned from the windows\system32 directory – pcwrun.exe. This executable is the Program Compatibility Troubleshooter Invoker. We also see msdt.exe, the Diagnostic Troubleshooting Wizard, launch. We capture Sysmon logs, which give us a more concise yet streamlined view of what is happening; in this case we see the flag /skip TRUE in the command line for msdt.exe, which skips the first screen and jumps straight to the diagnostics. This in itself is sneaky –

 

Our parent commandline :

 

C:\WINDOWS\system32\pcwrun.exe "C:\temp\nudemodel.jpg.exe" ContextMenu

 

Now spawns the following command line –

 

CommandLine: C:\WINDOWS\System32\msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\Users\ADMINI~1\AppData\Local\Temp\PCW4DDF.xml /skip TRUE

 

This allows for a UAC bypass, though -elevated is not in the command line so it is somewhat debatable. What is not debatable is the next event we see –

Figure 3:

 

Process Create:

RuleName:

UtcTime: 2019-08-07 22:42:33.795

ProcessGuid: {F9A5ADB1-53D9-5D4B-0000-0010ECAA3DDE}

ProcessId: 9564

Image: C:\Windows\System32\pcwrun.exe

FileVersion: 10.0.17134.1 (WinBuild.160101.0800)

Description: Program Compatibility Troubleshooter Invoker

Product: Microsoft® Windows® Operating System

Company: Microsoft Corporation

CommandLine: C:\WINDOWS\system32\pcwrun.exe "C:\temp\nudemodel.jpg.exe" ContextMenu

CurrentDirectory: C:\WINDOWS\system32\

User: PROJECTFARSCAPE\Administrator

LogonGuid: {F9A5ADB1-9A71-5D33-0000-00200DFEBE00}

LogonId: 0xBEFE0D

TerminalSessionId: 1

IntegrityLevel: High

Hashes: SHA1=4594AC562924330DEEE8D70C587C4F339DD6A8E2

ParentProcessGuid: {F9A5ADB1-60EC-5D47-0000-0010CC3CCDBA}

ParentProcessId: 8844

ParentImage: C:\Windows\explorer.exe

ParentCommandLine: C:\WINDOWS\explorer.exe /NOUACCHECK

 

Note the ParentCommandLine – /NOUACCHECK from explorer.exe. This is our UAC bypass. Figures 1 to 3 are alerts provided to us by our system. There is no reason why this should be happening in your infrastructure; once you see them come up on your dashboard, it is best to run to, or remote into, that machine immediately. It is obvious that something is happening.

 

We follow up now with another occurrence –

Figure 4:

 

Event ID: 4656

 

A handle to an object was requested.

 

Subject:

                Security ID:                             S-1-5-21-372134654-1229274158-1178834050-500

                Account Name:                       Administrator

                Account Domain:                    PROJECTFARSCAPE

                Logon ID:                               0xBEFE0D

 

Object:

                Object Server:                         Security

                Object Type:                           File

                Object Name:                         C:\temp\nudemodel.jpg.exe

                Handle ID:                              0xa30

                Resource Attributes:              -

 

Process Information:

                Process ID:                              0x249c

                Process Name:                        C:\Windows\System32\sdiagnhost.exe

 

Access Request Information:

                Transaction ID:                       {00000000-0000-0000-0000-000000000000}

                Accesses:                 READ_CONTROL

                                                                SYNCHRONIZE

                                                                ReadData (or ListDirectory)

                                                                ReadEA

                                                                ReadAttributes

                                                               

                Access Reasons:                      READ_CONTROL:              Granted by Ownership

                                                                SYNCHRONIZE:   Granted by              D:(A;;FA;;;S-1-5-21-372134654-1229274158-1178834050-500)

                                                                ReadData (or ListDirectory): Granted by              D:(A;;FA;;;S-1-5-21-372134654-1229274158-1178834050-500)

                                                                ReadEA:  Granted by              D:(A;;FA;;;S-1-5-21-372134654-1229274158-1178834050-500)

                                                                ReadAttributes:      Granted by              D:(A;;FA;;;S-1-5-21-372134654-1229274158-1178834050-500)

                                                               

                Access Mask:                           0x120089

                Privileges Used for Access Check:          -

            Restricted SID Count:            0

 

sdiagnhost.exe is the Scripted Diagnostics Native Host. It is used primarily during program installation and for keeping track of when and where errors occur. The malware has requested a handle to this system process. That means something is about to launch.

Here is where things get odd –

 

Part Three

Section One – The Drop

 

In Part Two, Section One we saw bizarre activity in the AppData\Roaming directory and warned that this directory should be monitored. The malware dropped an image in that directory. This is the image found at offset 0x000c9498; it was dropped there by the malware.

 

A) Sandbox

jkcgjj.jpg dropped from process

NtCreateFile

B) Windows workstation:

 

Figure 5:

 

Event ID: 4633

An attempt was made to access an object.

 

Subject:

                Security ID:                             S-1-5-21-372134654-1229274158-1178834050-500

                Account Name:                       Administrator

                Account Domain:                    PROJECTFARSCAPE

                Logon ID:                               0xBEFE0D

 

Object:

                Object Server:                         Security

                Object Type:                           File

                Object Name:                         C:\Users\Administrator\AppData\Roaming\jkcgjj.jpg

                Handle ID:                              0x298

                Resource Attributes:             

 

Process Information:

                Process ID:                              0x2720

                Process Name:                        C:\temp\nudemodel.jpg.exe

 

Access Request Information:

                Accesses:                 WriteData (or AddFile)

                                                                AppendData (or AddSubdirectory or CreatePipeInstance)

                                                               

                Access Mask:                           0x6

 

 

The malware has dropped the image and now we have steganography at play.

Part Four – Sky is falling

 

The malware is dropping more files and getting to work, specifically:

A) Sandbox

1) Executable content was dropped

2) The application launches itself

3) A Visual Basic (vbs) file appears and the registry is modified

B) Windows workstation –

1)

Figure 6

 

Event ID: 4656

A handle to an object was requested.

(Don’t see this every day)

 

Subject:

                Security ID:                             S-1-5-21-372134654-1229274158-1178834050-500

                Account Name:                       Administrator

                Account Domain:                    PROJECTFARSCAPE

                Logon ID:                               0xBEFE0D

 

Object:

                Object Server:                         Security

                Object Type:                           File

                Object Name:                         C:\Users\Administrator\AppData\Roaming\jkcgjj.jpg

                Handle ID:                              0x26c

                Resource Attributes:              -

 

Process Information:

                Process ID:                              0x27a8

                Process Name:                        C:\Users\Administrator\AppData\Roaming\jkcgjj.exe

 

Access Request Information:

                Transaction ID:                       {00000000-0000-0000-0000-000000000000}

                Accesses:                 READ_CONTROL

                                                                SYNCHRONIZE

                                                                ReadData (or ListDirectory)

                                                                ReadEA

                                                                ReadAttributes

                                                               

                Access Reasons:                      READ_CONTROL:              Granted by Ownership

                                                                SYNCHRONIZE:   Granted by              D:(A;;FA;;;BA)

                                                                ReadData (or ListDirectory): Granted by              D:(A;;FA;;;BA)

                                                                ReadEA:  Granted by              D:(A;;FA;;;BA)

                                                                ReadAttributes:      Granted by              D:(A;;FA;;;BA)

                                                               

                Access Mask:                           0x120089

                Privileges Used for Access Check:          -

                Restricted SID Count:            0

 

The executable that was dropped is making a request to the image. This is damning yet incredibly fascinating. I re-emphasize – an executable file is making an object call to an image file. Sheer genius.

2)

Figure 7

 

Event ID: 4663

An attempt was made to access an object

 

Subject:

                Security ID:                             S-1-5-21-372134654-1229274158-1178834050-500

                Account Name:                       Administrator

                Account Domain:                    PROJECTFARSCAPE

                Logon ID:                               0xBEFE0D

 

Object:

                Object Server:                         Security

                Object Type:                           File

                Object Name:                         C:\Users\Administrator\AppData\Local\jkcgjj\jkcgjj.vbs

                Handle ID:                              0x234

                Resource Attributes:

 

Process Information:

                Process ID:                              0x938

                Process Name:                        C:\Users\Administrator\AppData\Roaming\jkcgjj.exe

 

Access Request Information:

                Accesses:                 WriteData (or AddFile)

                                                                AppendData (or AddSubdirectory or CreatePipeInstance)

                Access Mask:                           0x6

 

 

That same executable that was dropped earlier is attempting to access a Visual Basic file. Though we have not done a reverse analysis on the malware, it would be a safe bet that the vbs file is used for execution.

3)

 

Figure 8

Event ID: 4656

 

A handle to an object was requested.

 

Subject:

                Security ID:                             S-1-5-21-372134654-1229274158-1178834050-500

                Account Name:                       Administrator

                Account Domain:                    PROJECTFARSCAPE

                Logon ID:                               0xBEFE0D

 

Object:

                Object Server:                         Security

                Object Type:                           File

                Object Name:                         C:\Users\Administrator\AppData\Roaming\90E60C\C8391F.exe

                Handle ID:                              0x2d0

                Resource Attributes:              -

 

Process Information:

                Process ID:                              0x938

                Process Name:                        C:\Users\Administrator\AppData\Roaming\jkcgjj.exe

 

Access Request Information:

                Transaction ID:                       {00000000-0000-0000-0000-000000000000}

                Accesses:                 SYNCHRONIZE

                                                                WriteAttributes

                                                               

                Access Reasons:                      SYNCHRONIZE:   Granted by              D:(A;;FA;;;BA)

                                                                WriteAttributes:     Granted by              D:(A;;FA;;;BA)

                                                               

                Access Mask:                           0x100100

                Privileges Used for Access Check:          -

                Restricted SID Count:            0

Finally, we see the executable access another file that has shown up, C8391F.exe – here we see a handle to an object being requested. In our sandbox we see it under another name.

Detected artifacts of lokibot

In the sample we examined, the naming convention of the file that is generated after the vbs does its work is dynamic – you will never get the same filename, and this is usually by design. I should note that we do watch for registry changes, and the below came up:

 

WRITE

+78835ms

Key:    HKEY_CURRENT_USER\http://myxojine.xyz/slk/cat.php

Name: F3F363

Value: %APPDATA%\F3F363\3C28B3.exe

 

To see this as a registry entry after the vbs goes to work is odd. Suffice to say the server was offline, but judging by this the malware was going to make further registry changes based on some instruction from the server.
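As an added example, not from the post, here are the checks the post argues an alert system should raise, written in Python and run over a handful of events constructed from Figures 1 to 8 and the registry write above (field names follow Sysmon and the Security log; the rule names are my own): a file written into AppData\Roaming, executable content written under AppData, pcwrun.exe invoked on a double-extension .exe, msdt.exe started with /skip TRUE under pcwrun.exe, an explorer.exe parent started with /NOUACCHECK, an AppData executable opening an image or another executable next to it, and a registry value pointing at an executable under %APPDATA%.

```python
import re

# Constructed events condensed from the post's Figures 1 to 8 and the registry write.
# Field names follow Sysmon / Windows Security audit logs; values come from the post.
EVENTS = [
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\pcwrun.exe",
     "CommandLine": r'C:\WINDOWS\system32\pcwrun.exe "C:\temp\nudemodel.jpg.exe" ContextMenu',
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\WINDOWS\explorer.exe /NOUACCHECK"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"C:\WINDOWS\System32\msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml "
                    r"-af C:\Users\ADMINI~1\AppData\Local\Temp\PCW4DDF.xml /skip TRUE",
     "ParentImage": r"C:\Windows\System32\pcwrun.exe",
     "ParentCommandLine": r'C:\WINDOWS\system32\pcwrun.exe "C:\temp\nudemodel.jpg.exe" ContextMenu'},
    {"type": "FileAccess", "ProcessName": r"C:\temp\nudemodel.jpg.exe",
     "ObjectName": r"C:\Users\Administrator\AppData\Roaming\jkcgjj.jpg", "Accesses": ["WriteData", "AppendData"]},
    {"type": "FileAccess", "ProcessName": r"C:\Users\Administrator\AppData\Roaming\jkcgjj.exe",
     "ObjectName": r"C:\Users\Administrator\AppData\Roaming\jkcgjj.jpg", "Accesses": ["ReadData"]},
    {"type": "FileAccess", "ProcessName": r"C:\Users\Administrator\AppData\Roaming\jkcgjj.exe",
     "ObjectName": r"C:\Users\Administrator\AppData\Local\jkcgjj\jkcgjj.vbs", "Accesses": ["WriteData", "AppendData"]},
    {"type": "FileAccess", "ProcessName": r"C:\Users\Administrator\AppData\Roaming\jkcgjj.exe",
     "ObjectName": r"C:\Users\Administrator\AppData\Roaming\90E60C\C8391F.exe", "Accesses": ["WriteAttributes"]},
    {"type": "RegistryWrite", "Key": r"HKEY_CURRENT_USER\http://myxojine.xyz/slk/cat.php",
     "Name": "F3F363", "Value": r"%APPDATA%\F3F363\3C28B3.exe"},
    # Benign control: a normal process start that should trigger nothing.
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": r"C:\WINDOWS\explorer.exe"},
]

APPDATA = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
ROAMING = re.compile(r"\\AppData\\Roaming\\", re.I)
EXEC_EXT = re.compile(r"\.(exe|vbs|js|scr|dll)$", re.I)
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|pdf|docx?)\.exe\b", re.I)
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")


def check(ev):
    """Return the names of the rules one event trips (empty list if none)."""
    hits = []
    if ev["type"] == "ProcessCreate":
        img, parent = ev["Image"].lower(), ev["ParentImage"].lower()
        cmd, pcmd = ev["CommandLine"].lower(), ev["ParentCommandLine"].lower()
        if img.endswith("\\pcwrun.exe") and DOUBLE_EXT.search(cmd):
            hits.append("compat-troubleshooter-invoked-on-double-extension-exe")
        if img.endswith("\\msdt.exe") and "/skip true" in cmd and parent.endswith("\\pcwrun.exe"):
            hits.append("msdt-skip-from-pcwrun")
        if "/nouaccheck" in pcmd:
            hits.append("parent-explorer-nouaccheck")
    elif ev["type"] == "FileAccess":
        obj, proc = ev["ObjectName"], ev["ProcessName"]
        writes = {"WriteData", "AppendData"} & set(ev["Accesses"])
        proc_in_appdata = bool(APPDATA.search(proc) and EXEC_EXT.search(proc))
        if writes and APPDATA.search(obj) and EXEC_EXT.search(obj):
            hits.append("executable-content-written-under-appdata")
        if writes and ROAMING.search(obj) and not proc.lower().startswith(SYSTEM_DIRS):
            hits.append("file-written-into-appdata-roaming")
        if proc_in_appdata and APPDATA.search(obj) and obj.lower().endswith((".jpg", ".jpeg")):
            hits.append("appdata-exe-touches-image-in-appdata")
        if proc_in_appdata and APPDATA.search(obj) and EXEC_EXT.search(obj) and obj.lower() != proc.lower():
            hits.append("appdata-exe-touches-other-executable")
    elif ev["type"] == "RegistryWrite":
        if re.search(r"%APPDATA%|\\AppData\\", ev["Value"], re.I) and EXEC_EXT.search(ev["Value"]):
            hits.append("registry-value-points-to-appdata-exe")
        if "://" in ev["Key"]:
            hits.append("url-in-registry-key-path")
    return hits


def triage(events):
    """Map event index -> rule names for every event that tripped at least one rule."""
    out = {}
    for i, ev in enumerate(events):
        hits = check(ev)
        if hits:
            out[i] = hits
    return out


if __name__ == "__main__":
    for i, rules in triage(EVENTS).items():
        print(i, EVENTS[i]["type"], rules)
```

Every event from the post trips at least one rule while the benign control trips none; in production these checks would sit on the SIEM side of the pipeline the post describes, reading the same 4656/4663/4688 and Sysmon fields.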

Conclusion:

 

There are two constants that resonate through all our analysis:

 

  1. There is a vector of infection; it could be the browser, email, a USB connection, or a network connection. The vector lays the genesis of how our patient zero is spawned and proceeds to infect the system. There is always a vector of infection; there is no escaping this. The first event will always be the activation of the malware – the very beginning. This could be opening a file, clicking on a document, or going to a compromised website. An action must be committed, otherwise the infection cannot spawn.
  2. Malware is not just a script kiddie putting together some code for ransomware, a keylogger, etc., to steal your data. People write bots that connect to command and control servers and write malware that is highly functional. However, we are noticing in certain forums that individuals are taking malware like Lokibot, making changes, and setting it loose in the wild.

 

It is essential to monitor certain directories and look for indicators that present as something outside of the norm. Human eyes are needed, with an understanding that can only come from a person. Hence when your operator receives an alert that executables are being opened in C:\Users\Administrator\AppData\Roaming, it is imperative for them to go and check; better a false alarm than missing the match that lit the fuse. While it is important to understand what the malware does, it is even more important to look for indicators of your system being compromised.