Malspam Delivers Pony and Loki-Bot

Originally posted at malwarebreakdown.com
Follow me on Twitter


Sender: user1@enteronly.com.tw
Subject: RE: Payment IN-2716 – MPA-PI17045 – USD
Attachment(s): Payment_001.doc and Payment_002.doc

Email

Both Payment_001.doc and Payment_002.doc are malicious RTF documents triggering detections for CVE-2017-11882.

Payment_001.doc:

Doc 1

Traffic:

Traffic 1 doc 1

User-Agent: Windows Installer

Traffic 2 doc 1

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Pony Panel:

pony 2

pony 1

Image found at hxxp://paclficinsight[.]com/new1/pony/china.jpg

IOCs

Network:

  • 94.102.1.194 – hxxps://agahguner.com GET /44.msi
  • 94.102.60.3 – hxxp://paclficinsight.com POST /new1/pony/gate.php

File System:

bat file in TEMP created by Pony

The batch script created in %TEMP% is meant to delete the Pony loader after execution.

Hashes and Reports:

SHA256: 788884332fc1c199107310ff5b6af4d8605ff3bdd5e67f6a4bc5db55a03321b1
File name: Payment_001.doc
Sandbox: Hybrid-Analysis and Any.Run

SHA256: c9f16df9b26cafefc4ca3fc58cbcee621b7ffe49a4e702b0e73f5604f27aec87
File name: 44.msi
Sandbox: Hybrid-Analysis

SHA256: 8e1c9cf4466e9cd09d19d491855f1285f7bf711c452afe1f674ef0d1a9e056dd
File name: MSI50AC.tmp.exe
Sandbox: Hybrid-Analysis

Payment_002.doc:

Doc 2

Traffic:

Traffic 1 doc 2

User-Agent: Windows Installer

Traffic 2 doc 2

Loki-Bot User-Agent: Mozilla/4.08 (Charon; Inferno)

IOCs

Network:

  • 94.102.1.194 – hxxps://agahguner.com GET /55.msi
  • 94.102.60.3 – hxxp://paclficinsight.com POST /new/Panel/five/fre.php
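The two captures above share a small set of network indicators: the Windows Installer user-agent fetching an .msi, the Pony loader's MSIE 5.0 / Windows 98 user-agent posting to gate.php, and Loki-Bot's "Mozilla/4.08 (Charon; Inferno)" user-agent posting to fre.php. The following added example (not code from the original post) shows how a defender could flag those patterns in proxy logs; the log line format and the sample lines are constructed for the example.

```python
import re

# Constructed proxy log lines in an assumed "client method url \"user_agent\"" format
# (not captures from the post; the hosts, paths and user-agents are the ones it lists).
SAMPLE_LOG = """\
10.0.0.5 GET https://agahguner.com/44.msi "Windows Installer"
10.0.0.5 POST http://paclficinsight.com/new1/pony/gate.php "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
10.0.0.7 POST http://paclficinsight.com/new/Panel/five/fre.php "Mozilla/4.08 (Charon; Inferno)"
10.0.0.9 GET https://www.example.org/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

# Indicators taken from the traffic captures in the post.
LOKI_UA = "Mozilla/4.08 (Charon; Inferno)"
PONY_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
PANEL_PATHS = ("/gate.php", "/fre.php")


def classify(line):
    """Return the reasons a single log line matches this campaign's traffic (empty if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # unparsable line: ignore rather than guess
    _client, method, url, ua = m.groups()
    reasons = []
    if ua == LOKI_UA:
        reasons.append("loki-bot user-agent")
    if ua == PONY_UA and method == "POST":
        reasons.append("pony user-agent with POST")
    if ua == "Windows Installer" and url.lower().endswith(".msi"):
        reasons.append("msi download via Windows Installer")
    if method == "POST" and url.lower().endswith(PANEL_PATHS):
        reasons.append("post to known panel path")
    return reasons


def scan(log_text):
    """Map each suspicious line number (1-based) to the list of reasons it was flagged."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            hits[n] = reasons
    return hits


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG).items():
        print(n, ", ".join(reasons))
```

Exact user-agent matches are brittle (the strings change between builds), so in production these would be one signal among several, combined with the .msi download and the repeated POSTs to the same panel host.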

File System:

Doc 2 File 2

Loki-Bot creates a hidden folder in %AppData%. Both the hidden folder and the executable created in %AppData% are named partly from the bot GUID.

Registry:

Doc 2 Registry

Loki-Bot Panel:

lokibot panel edited


Hashes and Reports:

SHA256: 2fdc22d8926db1b04dc3d62ff6da72236cb1c052b23553b644c7f18ea8496d8a
File name: Payment_002.doc
Sandbox: Hybrid-Analysis and Any.Run

SHA256: 6bfa353f905c0fc5ded87e7f35dc939e7b757ea3f2f8372f81f0ac40edadd619
File name: 55.msi
Sandbox: Hybrid-Analysis

SHA256: 3f5240c924074995651c4ccac15ddfd0070beff93625dcea9db118ab32bad61d
File name: B23EAF.exe
Sandbox: Hybrid-Analysis

Samples

Malspam Delivers Pony and LokiBot 031818

Password is “infected”


Comments:

  1. Hi.

     It may seem like a stupid question, but I’m fairly new to malware hunting and was wondering how do you fetch samples from a malware panel like the one mentioned here?

     Any help is greatly appreciated.

     Thanks.

     1. malwarebreakdown March 19, 2018 at 9:20 PM

        Twitter is a great resource as researchers routinely post the location of malware samples in open directories and panel locations. For example: https://twitter.com/search?q=%23LokiBot%20panel&src=typd

        Hope that helps.
