Article by Vishal Thakur
This is SMA (Supersonic Malware Analysis) of LokiBot. We will skip over the finer details of the execution and have a quick look at functions from an Incident Response angle.
The execution results are below and all the extracted info is self-explanatory. If you need additional details, please submit a question using the form at the end.
Firefox
Profile and Configuration
CPU Stack
Address Value Comments
0012F2D0 |002893D0 ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini"
0012F2D4 |00289CC0 ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default"
Versions and build
CPU Stack
Address Value Comments
0012F328 |00289D80 ; ASCII "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default"
0012F32C |0012FBA0
0012F330 \00408FF9 ; /RETURN from loki.0040A1B6 to loki.00408FF9
0012F334 /00289CC0 ; |Arg1 = UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default"
0012F338 |00000000 ; |Arg2 = 0
0012F33C |00000000 ; |Arg3 = 0
0012F340 |00000000 ; \Arg4 = 0
0012F344 |0027C908 ; UNICODE "C:\Program Files\Mozilla Firefox"
0012F348 |0027C4E0 ; UNICODE "63.0 (x86 en-US)"
0012F34C |00279EC0 ; UNICODE "SOFTWARE\Mozilla\Mozilla Firefox\63.0 (x86 en-US)\Main"
NSS Modules
CPU Stack
Address Value Comments
0012F208 [6167CB99 ; /RETURN from nss3.PR_NewLogModule to nss3.PR_Init+39
0012F20C /61797A87 ; \Arg1 = ASCII "clock"
0012F210 |0012F224
0012F214 \6167D420 ; RETURN from nss3.6167CB70 to nss3.PR_CallOnce+30
0012F218 /00000000
0012F21C |00289D80 ; ASCII "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default"
0012F220 |617A9EBA
0012F224 |0012F274
0012F228 \616AEF71 ; /RETURN from nss3.PR_CallOnce to nss3.616AEF71
0012F22C /617B9164 ; |Arg1 = nss3.617B9164
0012F230 |616B0570 ; \Arg2 = nss3.616B0570
CPU Stack
Address Value Comments
0012F068 [61675F94 ; /RETURN from WS2_32.WSAStartup to nss3.61675F94
0012F06C /00000101 ; |Version = 101
0012F070 |0012F074 ; \pWsadata = 0012F074 -> WSADATA {version_lo=20076., version_hi=30667., description=???, status=???, maxsockets=0, maxudpdg=0, vendorinfo=???}
0012F074 |77CB4E6C ; RETURN to ntdll.NtAllocateVirtualMemory+0C
0012F078 |75AF7993 ; RETURN from ntdll.NtAllocateVirtualMemory to KERNELBASE.VirtualAllocEx+33
0012F07C |6AF8C861 ; RETURN from mozglue.6AFA374E to mozglue.6AF8C861
0012F080 |0012F0A8
0012F084 |6AF8CEE3 ; RETURN from mozglue.6AFA374E to mozglue.6AF8CEE3
0012F088 |0012F094
0012F08C |77CB4E6C ; RETURN to ntdll.NtAllocateVirtualMemory+0C
0012F090 |75AF7993 ; RETURN from ntdll.NtAllocateVirtualMemory to KERNELBASE.VirtualAllocEx+33
0012F094 |6AF8C861 ; RETURN from mozglue.6AFA374E to mozglue.6AF8C861
0012F098 |0012F0C0
0012F09C |6AF8CEE3 ; RETURN from mozglue.6AFA374E to mozglue.6AF8CEE3
CPU Stack
Address Value Comments
0012F1C4 [6168537A ; /RETURN from mozglue.calloc to nss3.PR_NewLock+1A
0012F1C8 /00000001 ; |Arg1 = 1
0012F1CC |00000084 ; \Arg2 = 84
0012F1D0 |0181C0C0 ; ASCII "name="NSS Internal Module" parameters="configdir='C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\25pibsee.default' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly,optimizeSpace update"...
PKCSS
CPU Stack
Address Value Comments
0012E7B8 [61978CC6 ; /RETURN from kernel32.CreateFileW to ucrtbase.61978CC6
0012E7BC /01815040 ; |FileName = "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default/pkcs11.txt"
0012E7C0 |80000000 ; |DesiredAccess = GENERIC_READ
0012E7C4 |00000003 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012E7C8 |0012E7FC ; |pSecurity = 0012E7FC -> SECURITY_ATTRIBUTES {Length=12., pSecurityDescriptor=NULL, InheritHandle=TRUE}
0012E7CC |00000003 ; |CreationDistribution = OPEN_EXISTING
0012E7D0 |00000080 ; |Attributes = FILE_ATTRIBUTE_NORMAL
0012E7D4 |00000000 ; \hTemplate = NULL
CPU Stack
Address Value Comments
0012E91C [6170F34A ; /RETURN from mozglue.realloc to nss3.6170F34A
0012E920 /0180C130 ; |Arg1 = ASCII "library= name="NSS Internal PKCS #11 Module" "
0012E924 |00000032 ; \Arg2 = 32
0012E928 |00000000
0012E92C |00000031
0012E930 |0000000A
0012E934 |0180C0D0
0012E938 |0000002D
0012E93C |00000001
0012E940 |00000000
0012E944 |00000000
0012E948 |0012E974 ; ASCII "trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM askpw=any timeout=30 ] } Flags=internal,critical"
CPU Stack
Address Value Comments
0012E91C [6170F73F ; /RETURN from mozglue.realloc to nss3.6170F73F
0012E920 01818100 ; |Arg1 = ASCII "library= name="NSS Internal PKCS #11 Module" NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM askpw=any timeout=30 ] } Flags=internal,cri"..
0012E924 00000100 ; \Arg2 = 100
CPU Stack
Address Value Comments
0012EB68 /75AF7AFA ; RETURN from ntdll.memcpy to KERNELBASE.75AF7AFA
0012EB6C |0012EBC4 ; ASCII "ate Services' FIPSTokenDescription='Software Security Device (FIPS)' minPS=0"
0012EB70 |00289F40 ; UNICODE "C:\Program Files\Mozilla Firefox\softokn3.dll"
Mozilla DLLs
CPU Stack
Address Value Comments
0012E6A4 [77CC8376 ; RETURN from ntdll.memcpy to ntdll.77CC8376
0012E6A8 /00289508
0012E6AC |0012E704 ; UNICODE "C:\Program Files\Mozilla Firefox\freebl3.dll"
0012E6B0 |00000058
0012E6B4 |00289500
0012E6B8 |77CC8458 ; UNICODE "\??\"
0012E6BC |00000008
0012E6C0 |00000000
0012E6C4 |0012EA4C
0012E6C8 |00000000
0012E6CC |0012E744 ; UNICODE "\freebl3.dll"
0012E6D0 |0012E70C ; UNICODE "rogram Files\Mozilla Firefox\freebl3.dll"
CPU Stack
Address Value Comments
0012EAD4 /774110DC ; RETURN from ntdll.memcpy to kernel32.774110DC
0012EAD8 |0012EC14
0012EADC |0012EB60
0012EAE0 |00000004
0012EAE4 |0012EC38
0012EAE8 |77410CE4 ; UNICODE "\Registry\Machine\System\Setup"
0012EAEC |00000004
0012EAF0 |003E003C
0012EAF4 |77410CE4 ; UNICODE "\Registry\Machine\System\Setup"
0012EAF8 |00000018
0012EAFC |00000000
0012EB00 |0012EAF0
0012EB04 |00000040
0012EB08 |00000000
0012EB0C |00000000
0012EB10 |001E001C
0012EB14 |77410F88 ; UNICODE "OOBEInProgress"
0012EB18 |77410F88 ; UNICODE "OOBEInProgress"
0012EB1C |0012EC14
Computer Info
CPU Stack
Address Value Comments
0012EBBC /77410F30 ; RETURN from ntdll.memcpy to kernel32.GetComputerNameW+321
0012EBC0 |00289668
0012EBC4 |0012EC3C ; UNICODE "-PC"
0012EBC8 |00000010
0012EBCC |0012ED40
0012EBD0 |0012EC3C ; UNICODE "-PC"
0012EBD4 |0012ECB4
0012EBD8 |00000018
0012EBDC |00000000
0012EBE0 |0012EC00
0012EBE4 |00000040
0012EBE8 |00000000
0012EBEC |00000000
0012EBF0 |0012EC94
0012EBF4 |685F7503
0012EBF8 |033EF000
0012EBFC |033EF000
0012EC00 |0080007E
0012EC04 |77410DF0 ; UNICODE "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"
Certs
CPU Stack
Address Value Comments
0012E790 [77CC8376 ; RETURN from ntdll.memcpy to ntdll.77CC8376
0012E794 /00285490
0012E798 |0012E7F0 ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default\cert9.db"
0012E79C |000000B2
0012E7A0 |00285488
0012E7A4 |77CC8458 ; UNICODE "\??\"
0012E7A8 |00000008
0012E7AC |0000005A
0012E7B0 |01857040 ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default\cert9.db"
0012E7B4 |01857040 ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default\cert9.db"
0012E7B8 |77D36516 ; RETURN from ntdll.77CC27E9 to ntdll.77D36516
0012E7BC |77CFA103 ; RETURN from ntdll.77D3620E to ntdll.77CFA103
Login cred-stealing functions
CPU Stack
Address Value Comments
0012EF88 [77CC8376 ; RETURN from ntdll.memcpy to ntdll.77CC8376
0012EF8C /00285688
0012EF90 |0012EFE8 ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default\logins.json"
CPU Stack
Address Value Comments
0012EF90 [77CC834E ; RETURN from ntdll.memcpy to ntdll.77CC834E
0012EF94 /00285680
0012EF98 |77CC8458 ; UNICODE "\??\"
0012EF9C |00000008
0012EFA0 |00000000
0012EFA4 |00000003
0012EFA8 |002855A8 ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default\signons.txt"
CPU Stack
Address Value Comments
0012FAE8 [77CCC931 ; RETURN from ntdll.memcpy to ntdll.RtlSetEnvironmentVar+17D
0012FAEC 0027D54A
0012FAF0 0049B980
0012FAF4 000005B0
0012FAF8 77C8602D
0012FAFC 0027C908 ; UNICODE "C:\Program Files\Mozilla Firefox"
0012FB00 000002D8
0012FB04 00279EC0 ; UNICODE "SOFTWARE\Mozilla\Mozilla Firefox\63.0 (x86 en-US)\Main"
CPU Stack
Address Value Comments
0012FAE8 [77C92461 ; /RETURN from ntdll.memmove to ntdll.77C92461
0012FAEC /0027DAFC ; |Arg1 = UNICODE "C:\Program Files\Mozilla Firefox"
0012FAF0 |0027DB3E ; |Arg2 = UNICODE "PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.PY;.PYW"
0012FAF4 |000005F4 ; \Arg3 = 5F4
Chrome
CPU Stack
Address Value Comments
0012F70C /004040EA ; RETURN to loki.004040EA
0012F710 |0028DEE0 ; UNICODE "C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data"
0012F714 |80000000
0012F718 |00000001
0012F71C |00000000
0012F720 |00000003
0012F724 |00000080
0012F728 |00000000
0012F72C |0012F808 ; UNICODE "Google\Chrome"
0012F730 |0028DEE0 ; UNICODE "C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data"
0012F734 |00000000
0012F738 |00000000
0012F73C |0027CB60
0012F740 |00289DC8
0012F744 |0012F778
0012F748 \00407EF3 ; /RETURN from loki.004040BB to loki.00407EF3
0012F74C /0028DEE0 ; |Arg1 = UNICODE "C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data"
0012F750 |0012F774 ; |Arg2 = 12F774
0012F754 |00000001 ; \Arg3 = 1
0012F758 |0028DEE0 ; UNICODE "C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data"
0012F75C |00289AA8 ; UNICODE "C:\Users\Administrator\AppData\Local"
0012F760 |004056E8 ; RETURN from loki.00402B7C to loki.004056E8
Internet Explorer
CPU Stack
Address Value Comments
0012F900 [76F9226B ; /RETURN from kernel32.CreateFileW to WININET.76F9226B
0012F904 /002804E0 ; |FileName = "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"
0012F908 |C0000000 ; |DesiredAccess = GENERIC_READ|GENERIC_WRITE
0012F90C |00000003 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012F910 |0012F938 ; |pSecurity = 0012F938 -> SECURITY_ATTRIBUTES {Length=0, pSecurityDescriptor=00280F50, InheritHandle=FALSE}
0012F914 |00000004 ; |CreationDistribution = OPEN_ALWAYS
0012F918 |00000000 ; |Attributes = 0
0012F91C |00000000 ; \hTemplate = NULL
0012F920 |0027FFF0
RSA key
CPU Stack
Address Value Comments
0012EEDC [7520148F ; /RETURN from kernel32.CreateFileW to rsaenh.7520148F
0012EEE0 /00295030 ; |FileName = "C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1170123196-3759381713-3318582401-500\a18ca4003deb042bbee7a40f15e1970b_c19bc6df-8513-4180-b29d-d7101b5ebb4d"
0012EEE4 |40000000 ; |DesiredAccess = GENERIC_WRITE
0012EEE8 |00000000 ; |ShareMode = 0
0012EEEC |00000000 ; |pSecurity = NULL
0012EEF0 |00000003 ; |CreationDistribution = OPEN_EXISTING
0012EEF4 |00000004 ; |Attributes = FILE_ATTRIBUTE_SYSTEM
0012EEF8 |00000000 ; \hTemplate = NULL
0012EEFC |0000008C
0012EF00 |00295104 ; UNICODE "a18ca4003deb042bbee7a40f15e1970b_c19bc6df-8513-4180-b29d-d7101b5ebb4d"
Network/C2
CPU Stack
Address Value Comments
0012F920 [00404E55 ; /RETURN from WS2_32.getaddrinfo to loki.00404E55
0012F924 /00293DB6 ; |Arg1 = ASCII "atharabnday. com"
0012F928 |00293CA8 ; |Arg2 = ASCII "80"
0012F92C |0012F938 ; |Arg3 = 12F938
0012F930 |0012F958 ; \Arg4 = 12F958
UserAgent and URI
CPU Stack
Address Value Comments
0012F98C \004142CB ; /RETURN from loki.0041406C to loki.004142CB
0012F990 /00293DB6 ; |Arg1 = ASCII "atharabnday.com"
0012F994 |00293CA8 ; |Arg2 = ASCII "80"
0012F998 |00293CB2 ; |Arg3 = ASCII "/web_content/file/log/css/Panel/five/fre.php"
0012F99C |002915E8 ; |Arg4 = ASCII "Mozilla/4.08 (Charon; Inferno)"
0012F9A0 |00291838 ; |Arg5 = 291838
0012F9A4 |000000C4 ; \Arg6 = 0C4
CPU Stack
Address Value Comments
0012F920 [00404E55 ; /RETURN from WS2_32.getaddrinfo to loki.00404E55
0012F924 /00296CBE ; |Arg1 = 296CBE
0012F928 |00296BB0 ; |Arg2 = ASCII "80"
0012F92C |0012F938 ; |Arg3 = 12F938
0012F930 |0012F958 ; \Arg4 = 12F958
CPU Stack
Address Value Comments
0012EEDC [7520148F ; /RETURN from kernel32.CreateFileW to rsaenh.7520148F
0012EEE0 /00296288 ; |FileName = "C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1170123196-3759381713-3318582401-500\a18ca4003deb042bbee7a40f15e1970b_c19bc6df-8513-4180-b29d-d7101b5ebb4d"
0012EEE4 |40000000 ; |DesiredAccess = GENERIC_WRITE
0012EEE8 |00000000 ; |ShareMode = 0
0012EEEC |00000000 ; |pSecurity = NULL
0012EEF0 |00000003 ; |CreationDistribution = OPEN_EXISTING
0012EEF4 |00000004 ; |Attributes = FILE_ATTRIBUTE_SYSTEM
0012EEF8 |00000000 ; \hTemplate = NULL
0012EEFC |0000008C
0012EF00 |0029635C ; UNICODE "a18ca4003deb042bbee7a40f15e1970b_c19bc6df-8513-4180-b29d-d7101b5ebb4d"
CPU Stack
Address Value Comments
0012F920 [00404E55 ; /RETURN from WS2_32.getaddrinfo to loki.00404E55a
0012F924 /00296396 ; |Arg1 = ASCII "atharabnday. com"
0012F928 |00296288 ; |Arg2 = ASCII "80"
0012F92C |0012F938 ; |Arg3 = 12F938
0012F930 |0012F958 ; \Arg4 = 12F958
CPU Stack
Address Value Comments
0012FBA8 \0040F9CA ; /RETURN from loki.0040429B to loki.0040F9CA
0012FBAC /002955E8 ; |Arg1 = UNICODE "C:\Users\Administrator\AppData\Roaming\4FD233\39589B.lck"
0012FBB0 |0012FBC4 ; |Arg2 = 12FBC4
0012FBB4 |00000001 ; |Arg3 = 1
0012FBB8 |00000001 ; \Arg4 = 1
CPU Stack
Address Value Comments
0012FBEC \77CF9E37 ; /RETURN from ntdll.77D369DD to ntdll.77CF9E37
0012FBF0 /00270000 ; |Arg1 = 270000
0012FBF4 |50000063 ; |Arg2 = 50000063
0012FBF8 |00297688 ; \Arg3 = ASCII "http://atharabnday. com/web_content/file/log/css/Panel/five/fre.php"
ET Sig: https://doc.emergingthreats.net/bin/view/Main/2021605
SHA-256 |
---|
Comments
Post a Comment