Lokibot — Gutter Thief in the Night
or
If you are a man and a gorgeous woman whom you have never met propositions you, only a fool would think nothing is amiss; so why would you click on that picture of a model to ogle it in private, especially when you do not know where it came from?
As you may already know from my rantings, here at Cybercrypto we have respect for good malware. If you have not read my rantings, then let me reiterate: any person with a basic understanding of scripting can put together insidious ransomware that collapses your system, thereby showing the world "LOOK AT ME!! I GOT YOU TO CLICK ON SOMETHING THAT HAS CAUSED YOU TO CEASE OPERATION AND I WILL CHARGE YOU MONEY". It takes strategy and a certain level of finesse to write something that sits on a computer sending all its data out unbeknownst to the user. Subterfuge is an art.
It is in that spirit that we are looking at Lokibot. This malware is an information stealer: it takes credentials and other sensitive data from the infected host and sends them to a command and control server. Most of the time the infection vector is spam. For the most part (and there are several exceptions), when the infection vector is email (usually characterized by phishing), the item must be clicked on and activated, so keep that in mind: the user must run the malware for it to activate. Once activated, the malware unpacks itself, which is no different from a user installing software on a computer.
The malware in this case has the file name nudemodel.jpg.exe. Below are the size, type and hashes of the file:
Size 1.2MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 2df7a83872148d20484b66975d30fee6
SHA1 de22b923a8a6904daa1792b7936b2a1336637e6f
SHA256 781b531a40218128d466d79a1c1b94a233c35af926264141b47efa7e5b8e7b57
SHA512 2074d68c9f73e2d62339200e4e6a14d84c6cdc81d01310be8f993c1a43bed76556741b299b95db897f1b7609e1b1974cd2a0d64f17500db01c001bd39685e9c2
CRC32 2670043B
ssdeep 24576:ErRoraaLCu/LNPuvrz9aEEDgaKIjwnGYCjRiPr8lv9:ErR6XhuvrRaE1nITki
Part One:
Before looking at the first appearance, a static overview of the file helps. Keep in mind that we know this is Lokibot; in a real attack you do not know that, and the user only gets to figure it out post homicide, at which point it is called forensics. Therefore, we look at the file to learn a little more about it before going into the first appearance and analyzing what it does.
Section One –
Through static analysis we can pull the following version info from the malware –
Legal Copyright Copyright Byte Technologies LLC.
File Version 1.2
CompanyName Byte Technologies LLC.
ProductName ByteFence
ProductVersion 1.2
FileDescription ByteFence Real-time Protection Service
Translation 0x0409 0x04b0
ByteFence is a bad, bastardized Malwarebytes clone with genetic defects. We have seen it pushed onto systems via bundled installers. It is unclear to us why this version info is on the malware; a cursory search for ByteFence together with Lokibot did not return anything of value.
There is something different though that stands out about this sample.
At offset 0x000c9498 we see JPEG image data: there is an image packed in there. Here is what it looks like:
Steganography is the art of hiding data within an image or a similar carrier to avoid detection. If the offsets reference an image file, you can be sure that the malware is going to reference it at some point in the process. This is very interesting: the image opens with no error, and it is packed with instructions.
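As an added illustration (not from the original write-up), the following Python scanner makes that static observation repeatable: it walks the JPEG marker segments inside an arbitrary binary, reports where each genuine image starts and ends, and counts the bytes that follow the EOI marker, which is where appended data would sit. The sample buffer is constructed here and is not the real nudemodel.jpg.exe.

```python
import struct
from typing import List, Optional, Tuple

# Constructed sample, not the real nudemodel.jpg.exe: an "MZ" stub plus padding,
# then a minimal JFIF header (SOI, APP0, EOI), then bytes that sit after the image.
MINIMAL_JPEG = (
    b"\xff\xd8"                                                        # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"    # APP0, length 16
    b"\xff\xd9"                                                        # EOI
)
SAMPLE = b"MZ" + b"\x00" * 510 + MINIMAL_JPEG + b"config-bytes-after-image"

def walk_segments(blob: bytes, soi: int) -> List[str]:
    """Parse the marker stream starting at soi until SOS or EOI and return the
    marker names; return [] when the bytes there are not a well-formed JPEG header."""
    markers, pos = [], soi
    while pos + 1 < len(blob) and blob[pos] == 0xFF:
        marker = blob[pos + 1]
        markers.append(f"FF{marker:02X}")
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if marker in (0xD9, 0xDA):                            # EOI or SOS: header ends
            break
        if pos + 4 > len(blob):                               # truncated length field
            return []
        pos += 2 + struct.unpack(">H", blob[pos + 2:pos + 4])[0]
    return markers if markers and markers[0] == "FFD8" else []

def find_embedded_jpegs(blob: bytes) -> List[Tuple[int, Optional[int], int]]:
    """Return (soi_offset, end_offset_after_EOI or None, bytes_after_end) for every
    SOI whose header parses. Inside entropy-coded data 0xFF is stuffed as FF00, so
    the first FFD9 after SOI is the real EOI."""
    hits, pos = [], 0
    while (soi := blob.find(b"\xff\xd8\xff", pos)) != -1:
        if not walk_segments(blob, soi):
            pos = soi + 3                                     # chance byte pattern, skip
            continue
        eoi = blob.find(b"\xff\xd9", soi + 2)
        end = None if eoi == -1 else eoi + 2
        hits.append((soi, end, len(blob) - end if end else 0))
        pos = end if end else soi + 3
    return hits

if __name__ == "__main__":
    for soi, end, trailing in find_embedded_jpegs(SAMPLE):
        print(f"JPEG at 0x{soi:08x}, ends at {end}, {trailing} bytes follow the EOI")
```

Run it against a real sample by replacing SAMPLE with the file's bytes; a large trailing count after the last EOI is the thing to carve out and inspect.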
Part Two:
A Journey into The Absurd
Section One:
The file in question is nudemodel.jpg.exe. Once the file is clicked, the executable is dropped. Below we see the file dropped in the C:\Users\username\AppData\Roaming directory; the executable is named jkcgjj.exe. Although nothing damaging has happened at this point, we should already have an alert. Why? An executable has dropped a file into the user's AppData\Roaming\ directory. These directories should be monitored for activity, as they serve as an indicator of the user's activity.
A) Sandbox:
filename: C:\Users\admin\AppData\Roaming\jkcgjj.exe
access: READ_CONTROL, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES
device: DISK_FILE_SYSTEM
name: C:\Users\admin\AppData\Roaming\jkcgjj.jpg
object: FILE
operation: CREATE
Note: For the workstation-level analysis, as in previous articles, we draw directly from the logs to obtain a granular understanding of what is going on. Our logs are written to our alert system, so we capture everything and can see this as it is happening.
B) Windows workstation:
There are some interesting things to note here; if you are capturing information properly, you will be alerted to this odd activity.
Figure 1:
Event ID: 4688
A new process has been created
Creator Subject:
Security ID: S-1-5-21-372134654-1229274158-1178834050-500
Account Name: Administrator
Account Domain: PROJECTFARSCAPE
Logon ID: 0xBEFE0D
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x255c
New Process Name: C:\Windows\System32\pcwrun.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-12288
Creator Process ID: 0x228c
Creator Process Name: C:\Windows\explorer.exe
Process Command Line: C:\WINDOWS\system32\pcwrun.exe "C:\temp\nudemodel.jpg.exe" ContextMenu
Figure 2:
Process Create:
RuleName:
UtcTime: 2019-08-07 22:42:33.835
ProcessGuid: {F9A5ADB1-53D9-5D4B-0000-001072AF3DDE}
ProcessId: 9732
Image: C:\Windows\System32\msdt.exe
FileVersion: 10.0.17134.1 (WinBuild.160101.0800)
Description: Diagnostics Troubleshooting Wizard
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
CommandLine: C:\WINDOWS\System32\msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\Users\ADMINI~1\AppData\Local\Temp\PCW4DDF.xml /skip TRUE
CurrentDirectory: C:\WINDOWS\system32\
User: PROJECTFARSCAPE\Administrator
LogonGuid: {F9A5ADB1-9A71-5D33-0000-00200DFEBE00}
LogonId: 0xBEFE0D
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=9835087FFD1A7760D7630FCF8661D38A54CBF75A
ParentProcessGuid: {F9A5ADB1-53D9-5D4B-0000-0010ECAA3DDE}
ParentProcessId: 9564
ParentImage: C:\Windows\System32\pcwrun.exe
ParentCommandLine: C:\WINDOWS\system32\pcwrun.exe "C:\temp\nudemodel.jpg.exe" ContextMenu
In Figure 1 we see a new process being created: the parent command line is spawned from the windows\system32 directory, pcwrun.exe, which is the Program Compatibility Troubleshooter Invoker. In Figure 2 we see msdt.exe, the Diagnostics Troubleshooting Wizard, launch. We capture Sysmon logs, which give us a more concise, streamlined view of what is happening; in this case we see the flag /skip TRUE in the command line for msdt.exe, which skips the first screen and jumps straight to the diagnostics. This in itself is sneaky:
Our parent command line:
C:\WINDOWS\system32\pcwrun.exe "C:\temp\nudemodel.jpg.exe" ContextMenu
now spawns the following command line:
CommandLine: C:\WINDOWS\System32\msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\Users\ADMINI~1\AppData\Local\Temp\PCW4DDF.xml /skip TRUE
This allows for a UAC bypass, though -elevated is not in the command line, so it is somewhat debatable. What is not debatable is the next event we see:
Figure 3:
Process Create:
RuleName:
UtcTime: 2019-08-07 22:42:33.795
ProcessGuid: {F9A5ADB1-53D9-5D4B-0000-0010ECAA3DDE}
ProcessId: 9564
Image: C:\Windows\System32\pcwrun.exe
FileVersion: 10.0.17134.1 (WinBuild.160101.0800)
Description: Program Compatibility Troubleshooter Invoker
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
CommandLine: C:\WINDOWS\system32\pcwrun.exe "C:\temp\nudemodel.jpg.exe" ContextMenu
CurrentDirectory: C:\WINDOWS\system32\
User: PROJECTFARSCAPE\Administrator
LogonGuid: {F9A5ADB1-9A71-5D33-0000-00200DFEBE00}
LogonId: 0xBEFE0D
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=4594AC562924330DEEE8D70C587C4F339DD6A8E2
ParentProcessGuid: {F9A5ADB1-60EC-5D47-0000-0010CC3CCDBA}
ParentProcessId: 8844
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\WINDOWS\explorer.exe /NOUACCHECK
Note the ParentCommandLine: /NOUACCHECK from explorer.exe. This is our UAC bypass. Figures 1 to 3 are alerts provided to us by our system. There is no reason why this should be happening in your infrastructure; once you see them come up on your dashboard, it is best to run to, or remote into, that machine immediately. It is obvious that something is happening.
We now follow up with another occurrence:
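The chain in Figures 1 to 3 can be turned into detection logic. What follows is an added example, not part of the original article or its alerting system: it scores Sysmon process-create records for the explorer.exe /NOUACCHECK parent, pcwrun.exe invoked on a user-writable path, and msdt.exe launched by pcwrun.exe with /skip TRUE, then walks ParentProcessGuid links to rebuild the ancestry. The first two records carry the figures' values; the third, benign record is invented as a control.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed Sysmon Event ID 1 records: the first two carry the values from
# Figures 3 and 2 (hyphens restored in the GUIDs); the third is a benign launch.
EVENTS: List[Dict[str, str]] = [
    {"ProcessGuid": "{F9A5ADB1-53D9-5D4B-0000-0010ECAA3DDE}", "Image": r"C:\Windows\System32\pcwrun.exe",
     "CommandLine": r'C:\WINDOWS\system32\pcwrun.exe "C:\temp\nudemodel.jpg.exe" ContextMenu',
     "ParentProcessGuid": "{F9A5ADB1-60EC-5D47-0000-0010CC3CCDBA}", "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\WINDOWS\explorer.exe /NOUACCHECK"},
    {"ProcessGuid": "{F9A5ADB1-53D9-5D4B-0000-001072AF3DDE}", "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"C:\WINDOWS\System32\msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml "
                    r"-af C:\Users\ADMINI~1\AppData\Local\Temp\PCW4DDF.xml /skip TRUE",
     "ParentProcessGuid": "{F9A5ADB1-53D9-5D4B-0000-0010ECAA3DDE}", "ParentImage": r"C:\Windows\System32\pcwrun.exe",
     "ParentCommandLine": r'C:\WINDOWS\system32\pcwrun.exe "C:\temp\nudemodel.jpg.exe" ContextMenu'},
    {"ProcessGuid": "{00000000-0000-0000-0000-000000000001}", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\admin\notes.txt',
     "ParentProcessGuid": "{F9A5ADB1-60EC-5D47-0000-0010CC3CCDBA}", "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\WINDOWS\explorer.exe"},
]
USER_WRITABLE = ("c:\\temp\\", "\\appdata\\", "\\users\\public\\")   # paths a normal user can write to

def classify(ev: Dict[str, str]) -> List[str]:
    """Names of the rules a single process-create record matches."""
    img = PureWindowsPath(ev["Image"]).name.lower()
    parent = PureWindowsPath(ev["ParentImage"]).name.lower()
    cmd, pcmd = ev["CommandLine"].lower(), ev["ParentCommandLine"].lower()
    hits = []
    if parent == "explorer.exe" and "/nouaccheck" in pcmd:
        hits.append("explorer.exe /NOUACCHECK parent")
    if img == "pcwrun.exe" and any(d in cmd for d in USER_WRITABLE):
        hits.append("pcwrun.exe invoked on a user-writable path")
    if img == "msdt.exe" and parent == "pcwrun.exe" and "/skip true" in cmd:
        hits.append("msdt.exe /skip TRUE spawned by pcwrun.exe")
    if re.search(r"\.(jpg|jpeg|png|pdf|doc)\.exe\b", cmd):
        hits.append("double-extension executable in command line")
    return hits

def ancestry(events: List[Dict[str, str]], guid: str) -> List[str]:
    """Image names from the given process up its ParentProcessGuid chain."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    names, last = [], None
    while guid in by_guid:
        last = by_guid[guid]
        names.append(PureWindowsPath(last["Image"]).name.lower())
        guid = last["ParentProcessGuid"]
    if last is not None:   # chain left our records: name the last known parent
        names.append(PureWindowsPath(last["ParentImage"]).name.lower())
    return names
```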
Figure 4:
Event ID: 4656
A handle to an object was requested.
Subject:
Security ID: S-1-5-21-372134654-1229274158-1178834050-500
Account Name: Administrator
Account Domain: PROJECTFARSCAPE
Logon ID: 0xBEFE0D
Object:
Object Server: Security
Object Type: File
Object Name: C:\temp\nudemodel.jpg.exe
Handle ID: 0xa30
Resource Attributes: -
Process Information:
Process ID: 0x249c
Process Name: C:\Windows\System32\sdiagnhost.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
Access Reasons: READ_CONTROL: Granted by Ownership
SYNCHRONIZE: Granted by D:(A;;FA;;;S-1-5-21-372134654-1229274158-1178834050-500)
ReadData (or ListDirectory): Granted by D:(A;;FA;;;S-1-5-21-372134654-1229274158-1178834050-500)
ReadEA: Granted by D:(A;;FA;;;S-1-5-21-372134654-1229274158-1178834050-500)
ReadAttributes: Granted by D:(A;;FA;;;S-1-5-21-372134654-1229274158-1178834050-500)
Access Mask: 0x120089
Privileges Used for Access Check: -
Restricted SID Count: 0
sdiagnhost.exe is the Scripted Diagnostics Native Host. It is used primarily during program installation and for keeping track of when and where errors occur. The malware has requested a handle to this system process. That means something is about to launch.
Here is where things get odd:
Part Three
Section One — The Drop
In Part Two, Section One we saw bizarre activity in the AppData\Roaming directory and warned that this directory should be monitored. The malware dropped an image in that directory. This is the image at offset 0x000c9498; it was dropped there by the malware.
A) Sandbox
B) Windows workstation:
Figure 5:
Event ID: 4633
An attempt was made to access an object.
Subject:
Security ID: S-1-5-21-372134654-1229274158-1178834050-500
Account Name: Administrator
Account Domain: PROJECTFARSCAPE
Logon ID: 0xBEFE0D
Object:
Object Server: Security
Object Type: File
Object Name: C:\Users\Administrator\AppData\Roaming\jkcgjj.jpg
Handle ID: 0x298
Resource Attributes:
Process Information:
Process ID: 0x2720
Process Name: C:\temp\nudemodel.jpg.exe
Access Request Information:
Accesses: WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
Access Mask: 0x6
The malware has dropped the image and now we have steganography at play.
Part Four — Sky is falling
The malware is dropping more files and getting to work, specifically:
A) Sandbox
1)
2) The application launches itself
3) We see a Visual Basic file show up, and the registry is modified
B) Windows workstation:
1)
Figure 6
Event ID: 4656
A handle to an object was requested.
(Don't see this every day)
Subject:
Security ID: S-1-5-21-372134654-1229274158-1178834050-500
Account Name: Administrator
Account Domain: PROJECTFARSCAPE
Logon ID: 0xBEFE0D
Object:
Object Server: Security
Object Type: File
Object Name: C:\Users\Administrator\AppData\Roaming\jkcgjj.jpg
Handle ID: 0x26c
Resource Attributes: -
Process Information:
Process ID: 0x27a8
Process Name: C:\Users\Administrator\AppData\Roaming\jkcgjj.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
Access Reasons: READ_CONTROL: Granted by Ownership
SYNCHRONIZE: Granted by D:(A;;FA;;;BA)
ReadData (or ListDirectory): Granted by D:(A;;FA;;;BA)
ReadEA: Granted by D:(A;;FA;;;BA)
ReadAttributes: Granted by D:(A;;FA;;;BA)
Access Mask: 0x120089
Privileges Used for Access Check: -
Restricted SID Count: 0
The dropped executable is making a request to the image. This is damning yet incredibly fascinating. I re-emphasize: an executable file is making an object call to an image file. Sheer genius.
2)
Figure 7
Event ID: 4663
An attempt was made to access an object
Subject:
Security ID: S-1-5-21-372134654-1229274158-1178834050-500
Account Name: Administrator
Account Domain: PROJECTFARSCAPE
Logon ID: 0xBEFE0D
Object:
Object Server: Security
Object Type: File
Object Name: C:\Users\Administrator\AppData\Local\jkcgjj\jkcgjj.vbs
Handle ID: 0x234
Resource Attributes:
Process Information:
Process ID: 0x938
Process Name: C:\Users\Administrator\AppData\Roaming\jkcgjj.exe
Access Request Information:
Accesses: WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
Access Mask: 0x6
That same executable that was dropped earlier is attempting to access a Visual Basic file. Though we have not done a reverse analysis of the malware, it would be a safe bet that the .vbs file is used for execution.
3)
Figure 8
Event ID: 4656
A handle to an object was requested.
Subject:
Security ID: S-1-5-21-372134654-1229274158-1178834050-500
Account Name: Administrator
Account Domain: PROJECTFARSCAPE
Logon ID: 0xBEFE0D
Object:
Object Server: Security
Object Type: File
Object Name: C:\Users\Administrator\AppData\Roaming\90E60C\C8391F.exe
Handle ID: 0x2d0
Resource Attributes: -
Process Information:
Process ID: 0x938
Process Name: C:\Users\Administrator\AppData\Roaming\jkcgjj.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: SYNCHRONIZE
WriteAttributes
Access Reasons: SYNCHRONIZE: Granted by D:(A;;FA;;;BA)
WriteAttributes: Granted by D:(A;;FA;;;BA)
Access Mask: 0x100100
Privileges Used for Access Check: -
Restricted SID Count: 0
Finally, we see the executable access another file that has shown up, C8391F.exe; here we have a handle to an object being requested. In our sandbox we see it under another name.
In the sample we examined, the naming convention of the file generated after the .vbs does its work is dynamic: you will never get the same filename, and this is usually by design. I should note that we do watch for registry changes, and the below came up:
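Figures 5 to 8, together with the sandbox entry from Part Two, describe one dropped executable reading an image, staging a .vbs and touching a second .exe under AppData. The code below is an added example, not the article's own tooling: it applies those observations as rules to 4656/4663-style object-access records and correlates which written file later shows up as a running process. The records are constructed from the page's own paths and access names; the explorer.exe entry is an invented benign control.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Set

# Constructed records condensed from the sandbox entry and Figures 5 to 8, plus one
# benign explorer.exe write; the paths and access names are the page's own.
EVENTS: List[Dict] = [
    {"proc": r"C:\temp\nudemodel.jpg.exe", "obj": r"C:\Users\Administrator\AppData\Roaming\jkcgjj.exe",
     "acc": ["WriteData (or AddFile)"]},
    {"proc": r"C:\temp\nudemodel.jpg.exe", "obj": r"C:\Users\Administrator\AppData\Roaming\jkcgjj.jpg",
     "acc": ["WriteData (or AddFile)", "AppendData (or AddSubdirectory or CreatePipeInstance)"]},
    {"proc": r"C:\Users\Administrator\AppData\Roaming\jkcgjj.exe", "obj": r"C:\Users\Administrator\AppData\Roaming\jkcgjj.jpg",
     "acc": ["READ_CONTROL", "SYNCHRONIZE", "ReadData (or ListDirectory)", "ReadEA", "ReadAttributes"]},
    {"proc": r"C:\Users\Administrator\AppData\Roaming\jkcgjj.exe", "obj": r"C:\Users\Administrator\AppData\Local\jkcgjj\jkcgjj.vbs",
     "acc": ["WriteData (or AddFile)", "AppendData (or AddSubdirectory or CreatePipeInstance)"]},
    {"proc": r"C:\Users\Administrator\AppData\Roaming\jkcgjj.exe", "obj": r"C:\Users\Administrator\AppData\Roaming\90E60C\C8391F.exe",
     "acc": ["SYNCHRONIZE", "WriteAttributes"]},
    {"proc": r"C:\Windows\explorer.exe", "obj": r"C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\notes.lnk",
     "acc": ["WriteData (or AddFile)"]},
]
WRITES = {"WriteData (or AddFile)", "AppendData (or AddSubdirectory or CreatePipeInstance)", "WriteAttributes"}

def user_writable(path: str) -> bool:
    """Locations a standard user can write to and that the article says to watch."""
    return path.lower().startswith("c:\\temp\\") or "\\appdata\\" in path.lower()

def triage(ev: Dict) -> List[str]:
    """Rule names matched by one 4656/4663 record."""
    proc, obj = ev["proc"], ev["obj"]
    ext = PureWindowsPath(obj).suffix.lower()
    writes = bool(WRITES & set(ev["acc"]))
    hits = []
    if user_writable(proc) and writes and user_writable(obj):
        hits.append("process in temp/AppData writes into AppData")
    if user_writable(proc) and ext in {".jpg", ".jpeg", ".png"} and not writes:
        hits.append("AppData executable reads an image file")
    if user_writable(proc) and ext in {".vbs", ".js", ".wsf", ".bat", ".ps1"}:
        hits.append("script file staged under AppData")
    if user_writable(proc) and ext == ".exe" and obj.lower() != proc.lower():
        hits.append("second executable touched under AppData")
    return hits

def dropped_then_executed(events: List[Dict]) -> Set[str]:
    """Files that one record shows being written and a later record shows running."""
    written, ran = set(), set()
    for ev in events:                       # records are in time order
        if ev["proc"].lower() in written:
            ran.add(ev["proc"].lower())
        if WRITES & set(ev["acc"]):
            written.add(ev["obj"].lower())
    return ran
```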
WRITE
+78835ms
Key: HKEY_CURRENT_USER\http://myxojine.xyz/slk/cat.php
Name: F3F363
Value: %APPDATA%\F3F363\3C28B3.exe
Seeing this as a registry entry after the .vbs goes to work is odd. Suffice it to say the server was offline, but judging by this the malware was going to make further registry changes based on some instruction from the server.
Conclusion:
There are two constants that resonate through all our analysis:
1) There is a vector of infection; it could be the browser, email, a USB connection, or a network connection. The vector is the genesis of how our patient zero is spawned and proceeds to infect the system. There is always a vector of infection; there is no escaping this. The first event will always be the activation of the malware, the very beginning. This could be opening a file, clicking on a document, or going to a compromised website. An action must be committed, otherwise the infection cannot spawn.
2) Malware is not just a script kiddie putting together some code for ransomware, a keylogger, etc., to steal your data. People write bots that connect to command and control servers and write malware that is highly functional. However, we are noticing in certain forums that individuals are taking malware like Lokibot, making changes, and setting it loose in the wild.
It is essential to monitor certain directories and look for indicators that present as something outside of the norm. Human eyes are needed, an understanding that can only come from a person. Hence, when your operator receives an alert that executables are being opened in C:\Users\Administrator\AppData\Roaming, it is imperative for them to go check; better a false alarm than missing the match that lit the fuse. While it is important to understand what the malware does, it is even more important to look for indicators of your system being compromised.