If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. They will be named after characters 13 thru 18 of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds.
This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST.
0 kommentar(er)
