
SMA: LokiBot - Interesting Functions and their execution



Article by Vishal Thakur
This is an SMA (Supersonic Malware Analysis) of LokiBot: we skip the finer details of the execution and take a quick look at the interesting functions from an incident-response angle.

The execution results (debugger stack dumps captured while the sample ran) are below, grouped by what the sample is touching; the extracted strings are self-explanatory. If you need additional details, please submit a question using the form at the end.


Firefox

Profile and Configuration

CPU Stack
Address   Value      Comments
0012F2D0  |002893D0  ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini"
0012F2D4  |00289CC0  ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default"

Versions and build

CPU Stack
Address   Value      Comments
0012F328  |00289D80  ; ASCII "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default"
0012F32C  |0012FBA0
0012F330  \00408FF9  ; /RETURN from loki.0040A1B6 to loki.00408FF9
0012F334  /00289CC0  ; |Arg1 = UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default"
0012F338  |00000000  ; |Arg2 = 0
0012F33C  |00000000  ; |Arg3 = 0
0012F340  |00000000  ; \Arg4 = 0
0012F344  |0027C908  ; UNICODE "C:\Program Files\Mozilla Firefox"
0012F348  |0027C4E0  ; UNICODE "63.0 (x86 en-US)"
0012F34C  |00279EC0  ; UNICODE "SOFTWARE\Mozilla\Mozilla Firefox\63.0 (x86 en-US)\Main"

NSS Modules

CPU Stack
Address   Value      Comments
0012F208  [6167CB99  ; /RETURN from nss3.PR_NewLogModule to nss3.PR_Init+39
0012F20C  /61797A87  ; \Arg1 = ASCII "clock"
0012F210  |0012F224
0012F214  \6167D420  ; RETURN from nss3.6167CB70 to nss3.PR_CallOnce+30
0012F218  /00000000
0012F21C  |00289D80  ; ASCII "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default"
0012F220  |617A9EBA
0012F224  |0012F274
0012F228  \616AEF71  ; /RETURN from nss3.PR_CallOnce to nss3.616AEF71
0012F22C  /617B9164  ; |Arg1 = nss3.617B9164
0012F230  |616B0570  ; \Arg2 = nss3.616B0570

CPU Stack
Address   Value      Comments
0012F068  [61675F94  ; /RETURN from WS2_32.WSAStartup to nss3.61675F94
0012F06C  /00000101  ; |Version = 101
0012F070  |0012F074  ; \pWsadata = 0012F074 -> WSADATA {version_lo=20076., version_hi=30667., description=???, status=???, maxsockets=0, maxudpdg=0, vendorinfo=???}
0012F074  |77CB4E6C  ; RETURN to ntdll.NtAllocateVirtualMemory+0C
0012F078  |75AF7993  ; RETURN from ntdll.NtAllocateVirtualMemory to KERNELBASE.VirtualAllocEx+33
0012F07C  |6AF8C861  ; RETURN from mozglue.6AFA374E to mozglue.6AF8C861
0012F080  |0012F0A8
0012F084  |6AF8CEE3  ; RETURN from mozglue.6AFA374E to mozglue.6AF8CEE3
0012F088  |0012F094
0012F08C  |77CB4E6C  ; RETURN to ntdll.NtAllocateVirtualMemory+0C
0012F090  |75AF7993  ; RETURN from ntdll.NtAllocateVirtualMemory to KERNELBASE.VirtualAllocEx+33
0012F094  |6AF8C861  ; RETURN from mozglue.6AFA374E to mozglue.6AF8C861
0012F098  |0012F0C0
0012F09C  |6AF8CEE3  ; RETURN from mozglue.6AFA374E to mozglue.6AF8CEE3


CPU Stack
Address   Value      Comments
0012F1C4  [6168537A  ; /RETURN from mozglue.calloc to nss3.PR_NewLock+1A
0012F1C8  /00000001  ; |Arg1 = 1
0012F1CC  |00000084  ; \Arg2 = 84
0012F1D0  |0181C0C0  ; ASCII "name="NSS Internal Module" parameters="configdir='C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\25pibsee.default' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly,optimizeSpace update"...

PKCS #11

CPU Stack
Address   Value      Comments
0012E7B8  [61978CC6  ; /RETURN from kernel32.CreateFileW to ucrtbase.61978CC6
0012E7BC  /01815040  ; |FileName = "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default/pkcs11.txt"
0012E7C0  |80000000  ; |DesiredAccess = GENERIC_READ
0012E7C4  |00000003  ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012E7C8  |0012E7FC  ; |pSecurity = 0012E7FC -> SECURITY_ATTRIBUTES {Length=12., pSecurityDescriptor=NULL, InheritHandle=TRUE}
0012E7CC  |00000003  ; |CreationDistribution = OPEN_EXISTING
0012E7D0  |00000080  ; |Attributes = FILE_ATTRIBUTE_NORMAL
0012E7D4  |00000000  ; \hTemplate = NULL


CPU Stack
Address   Value      Comments
0012E91C  [6170F34A  ; /RETURN from mozglue.realloc to nss3.6170F34A
0012E920  /0180C130  ; |Arg1 = ASCII "library= name="NSS Internal PKCS #11 Module" "
0012E924  |00000032  ; \Arg2 = 32
0012E928  |00000000
0012E92C  |00000031
0012E930  |0000000A
0012E934  |0180C0D0
0012E938  |0000002D
0012E93C  |00000001
0012E940  |00000000
0012E944  |00000000
0012E948  |0012E974  ; ASCII "trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical"


CPU Stack
Address   Value      Comments
0012E91C  [6170F73F  ; /RETURN from mozglue.realloc to nss3.6170F73F
0012E920   01818100  ; |Arg1 = ASCII "library= name="NSS Internal PKCS #11 Module" NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM askpw=any timeout=30 ] }  Flags=internal,cri"..
0012E924   00000100  ; \Arg2 = 100

CPU Stack
Address   Value      Comments
0012EB68  /75AF7AFA  ; RETURN from ntdll.memcpy to KERNELBASE.75AF7AFA
0012EB6C  |0012EBC4  ; ASCII "ate Services' FIPSTokenDescription='Software Security Device (FIPS)' minPS=0"
0012EB70  |00289F40  ; UNICODE "C:\Program Files\Mozilla Firefox\softokn3.dll"

Mozilla DLLs

CPU Stack
Address   Value      Comments
0012E6A4  [77CC8376  ; RETURN from ntdll.memcpy to ntdll.77CC8376
0012E6A8  /00289508
0012E6AC  |0012E704  ; UNICODE "C:\Program Files\Mozilla Firefox\freebl3.dll"
0012E6B0  |00000058
0012E6B4  |00289500
0012E6B8  |77CC8458  ; UNICODE "\??\"
0012E6BC  |00000008
0012E6C0  |00000000
0012E6C4  |0012EA4C
0012E6C8  |00000000
0012E6CC  |0012E744  ; UNICODE "\freebl3.dll"
0012E6D0  |0012E70C  ; UNICODE "rogram Files\Mozilla Firefox\freebl3.dll"


CPU Stack
Address   Value      Comments
0012EAD4  /774110DC  ; RETURN from ntdll.memcpy to kernel32.774110DC
0012EAD8  |0012EC14
0012EADC  |0012EB60
0012EAE0  |00000004
0012EAE4  |0012EC38
0012EAE8  |77410CE4  ; UNICODE "\Registry\Machine\System\Setup"
0012EAEC  |00000004
0012EAF0  |003E003C
0012EAF4  |77410CE4  ; UNICODE "\Registry\Machine\System\Setup"
0012EAF8  |00000018
0012EAFC  |00000000
0012EB00  |0012EAF0
0012EB04  |00000040
0012EB08  |00000000
0012EB0C  |00000000
0012EB10  |001E001C
0012EB14  |77410F88  ; UNICODE "OOBEInProgress"
0012EB18  |77410F88  ; UNICODE "OOBEInProgress"
0012EB1C  |0012EC14

Computer Info

CPU Stack
Address   Value      Comments
0012EBBC  /77410F30  ; RETURN from ntdll.memcpy to kernel32.GetComputerNameW+321
0012EBC0  |00289668
0012EBC4  |0012EC3C  ; UNICODE "-PC"
0012EBC8  |00000010
0012EBCC  |0012ED40
0012EBD0  |0012EC3C  ; UNICODE "-PC"
0012EBD4  |0012ECB4
0012EBD8  |00000018
0012EBDC  |00000000
0012EBE0  |0012EC00
0012EBE4  |00000040
0012EBE8  |00000000
0012EBEC  |00000000
0012EBF0  |0012EC94
0012EBF4  |685F7503
0012EBF8  |033EF000
0012EBFC  |033EF000
0012EC00  |0080007E
0012EC04  |77410DF0  ; UNICODE "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"

Certs

CPU Stack
Address   Value      Comments
0012E790  [77CC8376  ; RETURN from ntdll.memcpy to ntdll.77CC8376
0012E794  /00285490
0012E798  |0012E7F0  ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default\cert9.db"
0012E79C  |000000B2
0012E7A0  |00285488
0012E7A4  |77CC8458  ; UNICODE "\??\"
0012E7A8  |00000008
0012E7AC  |0000005A
0012E7B0  |01857040  ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default\cert9.db"
0012E7B4  |01857040  ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default\cert9.db"
0012E7B8  |77D36516  ; RETURN from ntdll.77CC27E9 to ntdll.77D36516
0012E7BC  |77CFA103  ; RETURN from ntdll.77D3620E to ntdll.77CFA103

Login cred-stealing functions

CPU Stack
Address   Value      Comments
0012EF88  [77CC8376  ; RETURN from ntdll.memcpy to ntdll.77CC8376
0012EF8C  /00285688
0012EF90  |0012EFE8  ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default\logins.json"

CPU Stack
Address   Value      Comments
0012EF90  [77CC834E  ; RETURN from ntdll.memcpy to ntdll.77CC834E
0012EF94  /00285680
0012EF98  |77CC8458  ; UNICODE "\??\"
0012EF9C  |00000008
0012EFA0  |00000000
0012EFA4  |00000003
0012EFA8  |002855A8  ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default\signons.txt"

CPU Stack
Address   Value      Comments
0012FAE8  [77CCC931  ; RETURN from ntdll.memcpy to ntdll.RtlSetEnvironmentVar+17D
0012FAEC   0027D54A
0012FAF0   0049B980
0012FAF4   000005B0
0012FAF8   77C8602D
0012FAFC   0027C908  ; UNICODE "C:\Program Files\Mozilla Firefox"
0012FB00   000002D8
0012FB04   00279EC0  ; UNICODE "SOFTWARE\Mozilla\Mozilla Firefox\63.0 (x86 en-US)\Main"

CPU Stack
Address   Value      Comments
0012FAE8  [77C92461  ; /RETURN from ntdll.memmove to ntdll.77C92461
0012FAEC  /0027DAFC  ; |Arg1 = UNICODE "C:\Program Files\Mozilla Firefox"
0012FAF0  |0027DB3E  ; |Arg2 = UNICODE "PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.PY;.PYW"
0012FAF4  |000005F4  ; \Arg3 = 5F4

Chrome

CPU Stack
Address   Value      Comments
0012F70C  /004040EA  ; RETURN to loki.004040EA
0012F710  |0028DEE0  ; UNICODE "C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data"
0012F714  |80000000
0012F718  |00000001
0012F71C  |00000000
0012F720  |00000003
0012F724  |00000080
0012F728  |00000000
0012F72C  |0012F808  ; UNICODE "Google\Chrome"
0012F730  |0028DEE0  ; UNICODE "C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data"
0012F734  |00000000
0012F738  |00000000
0012F73C  |0027CB60
0012F740  |00289DC8
0012F744  |0012F778
0012F748  \00407EF3  ; /RETURN from loki.004040BB to loki.00407EF3
0012F74C  /0028DEE0  ; |Arg1 = UNICODE "C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data"
0012F750  |0012F774  ; |Arg2 = 12F774
0012F754  |00000001  ; \Arg3 = 1
0012F758  |0028DEE0  ; UNICODE "C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data"
0012F75C  |00289AA8  ; UNICODE "C:\Users\Administrator\AppData\Local"
0012F760  |004056E8  ; RETURN from loki.00402B7C to loki.004056E8

Internet Explorer

CPU Stack
Address   Value      Comments
0012F900  [76F9226B  ; /RETURN from kernel32.CreateFileW to WININET.76F9226B
0012F904  /002804E0  ; |FileName = "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"
0012F908  |C0000000  ; |DesiredAccess = GENERIC_READ|GENERIC_WRITE
0012F90C  |00000003  ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012F910  |0012F938  ; |pSecurity = 0012F938 -> SECURITY_ATTRIBUTES {Length=0, pSecurityDescriptor=00280F50, InheritHandle=FALSE}
0012F914  |00000004  ; |CreationDistribution = OPEN_ALWAYS
0012F918  |00000000  ; |Attributes = 0
0012F91C  |00000000  ; \hTemplate = NULL
0012F920  |0027FFF0

RSA key

CPU Stack
Address   Value      Comments
0012EEDC  [7520148F  ; /RETURN from kernel32.CreateFileW to rsaenh.7520148F
0012EEE0  /00295030  ; |FileName = "C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1170123196-3759381713-3318582401-500\a18ca4003deb042bbee7a40f15e1970b_c19bc6df-8513-4180-b29d-d7101b5ebb4d"
0012EEE4  |40000000  ; |DesiredAccess = GENERIC_WRITE
0012EEE8  |00000000  ; |ShareMode = 0
0012EEEC  |00000000  ; |pSecurity = NULL
0012EEF0  |00000003  ; |CreationDistribution = OPEN_EXISTING
0012EEF4  |00000004  ; |Attributes = FILE_ATTRIBUTE_SYSTEM
0012EEF8  |00000000  ; \hTemplate = NULL
0012EEFC  |0000008C
0012EF00  |00295104  ; UNICODE "a18ca4003deb042bbee7a40f15e1970b_c19bc6df-8513-4180-b29d-d7101b5ebb4d"

Network/C2

CPU Stack
Address   Value      Comments
0012F920  [00404E55  ; /RETURN from WS2_32.getaddrinfo to loki.00404E55
0012F924  /00293DB6  ; |Arg1 = ASCII "atharabnday. com"
0012F928  |00293CA8  ; |Arg2 = ASCII "80"
0012F92C  |0012F938  ; |Arg3 = 12F938
0012F930  |0012F958  ; \Arg4 = 12F958

UserAgent and URI

CPU Stack
Address   Value      Comments
0012F98C  \004142CB  ; /RETURN from loki.0041406C to loki.004142CB
0012F990  /00293DB6  ; |Arg1 = ASCII "atharabnday.com"
0012F994  |00293CA8  ; |Arg2 = ASCII "80"
0012F998  |00293CB2  ; |Arg3 = ASCII "/web_content/file/log/css/Panel/five/fre.php"
0012F99C  |002915E8  ; |Arg4 = ASCII "Mozilla/4.08 (Charon; Inferno)"
0012F9A0  |00291838  ; |Arg5 = 291838
0012F9A4  |000000C4  ; \Arg6 = 0C4

CPU Stack
Address   Value      Comments
0012F920  [00404E55  ; /RETURN from WS2_32.getaddrinfo to loki.00404E55
0012F924  /00296CBE  ; |Arg1 = 296CBE
0012F928  |00296BB0  ; |Arg2 = ASCII "80"
0012F92C  |0012F938  ; |Arg3 = 12F938
0012F930  |0012F958  ; \Arg4 = 12F958

CPU Stack
Address   Value      Comments
0012EEDC  [7520148F  ; /RETURN from kernel32.CreateFileW to rsaenh.7520148F
0012EEE0  /00296288  ; |FileName = "C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1170123196-3759381713-3318582401-500\a18ca4003deb042bbee7a40f15e1970b_c19bc6df-8513-4180-b29d-d7101b5ebb4d"
0012EEE4  |40000000  ; |DesiredAccess = GENERIC_WRITE
0012EEE8  |00000000  ; |ShareMode = 0
0012EEEC  |00000000  ; |pSecurity = NULL
0012EEF0  |00000003  ; |CreationDistribution = OPEN_EXISTING
0012EEF4  |00000004  ; |Attributes = FILE_ATTRIBUTE_SYSTEM
0012EEF8  |00000000  ; \hTemplate = NULL
0012EEFC  |0000008C
0012EF00  |0029635C  ; UNICODE "a18ca4003deb042bbee7a40f15e1970b_c19bc6df-8513-4180-b29d-d7101b5ebb4d"

CPU Stack
Address   Value      Comments
0012F920  [00404E55  ; /RETURN from WS2_32.getaddrinfo to loki.00404E55
0012F924  /00296396  ; |Arg1 = ASCII "atharabnday. com"
0012F928  |00296288  ; |Arg2 = ASCII "80"
0012F92C  |0012F938  ; |Arg3 = 12F938
0012F930  |0012F958  ; \Arg4 = 12F958

CPU Stack
Address   Value      Comments
0012FBA8  \0040F9CA  ; /RETURN from loki.0040429B to loki.0040F9CA
0012FBAC  /002955E8  ; |Arg1 = UNICODE "C:\Users\Administrator\AppData\Roaming\4FD233\39589B.lck"
0012FBB0  |0012FBC4  ; |Arg2 = 12FBC4
0012FBB4  |00000001  ; |Arg3 = 1
0012FBB8  |00000001  ; \Arg4 = 1

CPU Stack
Address   Value      Comments
0012FBEC  \77CF9E37  ; /RETURN from ntdll.77D369DD to ntdll.77CF9E37
0012FBF0  /00270000  ; |Arg1 = 270000
0012FBF4  |50000063  ; |Arg2 = 50000063
0012FBF8  |00297688  ; \Arg3 = ASCII "http://atharabnday. com/web_content/file/log/css/Panel/five/fre.php"


ET Sig: https://doc.emergingthreats.net/bin/view/Main/2021605

SHA-256: f2c2124ec57f8d171f42e5d2f4f19004687b97ff24daee75ef42e57fda7f885c
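The stack dumps above carry everything an incident responder needs (browser credential stores read, the lock file under %APPDATA%, the C2 host, port, URI and user agent), but only as annotations in the comment column. The following Python is an added example, not part of the original post and not LokiBot's or the author's code: it parses lines in that dump layout, buckets each quoted UNICODE/ASCII string into an IoC category, and then applies a simple file-access detection that flags any process other than the owning browser opening a credential store. The sample dump is a handful of the post's own lines retyped; the file-access events, the process name loki.exe and the owner mapping (firefox.exe for Mozilla profile paths, chrome.exe for Chrome) are constructed assumptions. Spaces inside hosts and URLs are stripped because the post defangs the domain that way.

```python
import re
from collections import defaultdict

# Constructed sample: a few of the post's stack lines retyped in the same
# layout (address, value, ";" comment). It is not the full dump.
SAMPLE_DUMP = r"""
0012EF90  |0012EFE8  ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default\logins.json"
0012F710  |0028DEE0  ; UNICODE "C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data"
0012E798  |0012E7F0  ; UNICODE "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default\cert9.db"
0012F924  /00293DB6  ; |Arg1 = ASCII "atharabnday. com"
0012F928  |00293CA8  ; |Arg2 = ASCII "80"
0012F99C  |002915E8  ; |Arg4 = ASCII "Mozilla/4.08 (Charon; Inferno)"
0012FBAC  /002955E8  ; |Arg1 = UNICODE "C:\Users\Administrator\AppData\Roaming\4FD233\39589B.lck"
0012FBF8  |00297688  ; \Arg3 = ASCII "http://atharabnday. com/web_content/file/log/css/Panel/five/fre.php"
0012EC04  |77410DF0  ; UNICODE "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"
0012F94C  |00000000
"""

# address, optional | / \ [ marker, value, optional "; comment"
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+[|/\\\[]?([0-9A-F]{8})(?:\s*;\s*(.*))?\s*$")
STRING_RE = re.compile(r'(UNICODE|ASCII)\s+"(.*)"')

# Browser login/key/cert stores seen in the dumps (basenames, compared case-insensitively).
BROWSER_STORES = {"logins.json", "signons.txt", "key3.db", "key4.db", "cert9.db", "login data"}


def classify(s: str) -> tuple:
    """Map one annotated string to an IoC category; defang spaces are removed from hosts/URLs."""
    t = s.strip()
    if t.lower().startswith(("http://", "https://")):
        return "url", t.replace(" ", "")
    if re.match(r"^[A-Za-z]:\\", t):
        base = t.rsplit("\\", 1)[-1].lower()
        if base in BROWSER_STORES:
            return "browser_store", t
        if base.endswith(".lck"):
            return "lock_file", t
        return "file_path", t
    if t.startswith("\\Registry\\") or t.upper().startswith("SOFTWARE\\"):
        return "registry", t
    if t.startswith("Mozilla/"):
        return "user_agent", t
    if t.isdigit():
        return "port", t
    if re.fullmatch(r"[A-Za-z0-9.\-]+\.\s?[A-Za-z]{2,}", t):
        return "host", t.replace(" ", "")
    return "other", t


def extract_iocs(dump: str) -> dict:
    """Pull every quoted UNICODE/ASCII string out of a stack dump and bucket it by category."""
    found = defaultdict(set)
    for raw in dump.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m.group(3):
            continue  # no comment column, nothing annotated on this line
        sm = STRING_RE.search(m.group(3))
        if sm:
            cat, val = classify(sm.group(2))
            found[cat].add(val)
    return {cat: sorted(vals) for cat, vals in found.items()}


# Assumed owner process per store, keyed on a path fragment (stock install locations).
EXPECTED_OWNER = {"\\mozilla\\firefox\\": "firefox.exe", "\\google\\chrome\\": "chrome.exe"}


def flag_store_access(events: list) -> list:
    """Return (process, path) pairs where a non-owner process opened a browser store.
    `events` are constructed dicts shaped like an EDR/Sysmon file-open record."""
    hits = []
    for ev in events:
        path = ev["path"]
        if classify(path)[0] != "browser_store":
            continue
        low = path.lower()
        owner = next((p for frag, p in EXPECTED_OWNER.items() if frag in low), None)
        if owner and ev["process"].lower() != owner:
            hits.append((ev["process"], path))
    return hits


# Constructed events: one benign browser read, two reads by the sample (named loki.exe here).
SAMPLE_EVENTS = [
    {"process": "firefox.exe", "path": r"C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default\logins.json"},
    {"process": "loki.exe", "path": r"C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\25pibsee.default\logins.json"},
    {"process": "loki.exe", "path": r"C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for cat, vals in extract_iocs(SAMPLE_DUMP).items():
        print(cat, vals)
    print(flag_store_access(SAMPLE_EVENTS))
```

Feed the whole dump from the post into extract_iocs to get the complete list; the browser_store bucket doubles as the path watch-list for flag_store_access, so the two functions can be run against a host's file-access telemetry without further configuration.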
