Malware-Traffic-Analysis.net - 2017-06-12 - Lokibot infection
Archived: 2026-04-05 17:23:36 UTC
NOTICE:
The zip archives on this page have been updated, and they now use the new password scheme.  For the new
password, see the "about" page of this website.
ASSOCIATED FILES:
2017-06-12-Lokibot-infection-traffic.pcap.zip   2.5 kB (2,545 bytes)
2017-06-12-Lokibot-infection-traffic.pcap   (9,334 bytes)
2017-06-12-Lokibot-email-and-malware.zip   486.0 kB (485,984 bytes)
2017-06-12-Lokibot-malspam-0137-UTC.eml   (213,873 bytes)
PO12062017.ace   (157,430 bytes)
PO12062017.exe   (327,680 bytes)
NOTES:
Somewhat similar to the Lokibot activity I documented last week on 2017-06-07
Today the email had an attached zip archive containing was a Word document with an embedded .js file
that downloaded Lokibot.
This time it was an ACE archive attachment that contained the Windows EXE for Lokibot.
EMAILS
http://www.malware-traffic-analysis.net/2017/06/12/index.html
Page 1 of 4

Shown above:  Screen shot from the email.
EMAIL HEADERS:
Date:  Monday 2017-06-12 at 01:37 UTC
From:  "Amina Diab" <dxboman@emirates[.]net[.]ae>
Subject:  Re: PURCHASE ORDER 457211
Attachment:  PO12062017.ace
http://www.malware-traffic-analysis.net/2017/06/12/index.html
Page 2 of 4

Shown above:  Malicious executable in ACE archive from the malspam.
TRAFFIC
Shown above:  Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
192.99.2[.]94 port 80 - 192.99.2[.]94 - POST /~sadrenam/mmt/Panel/five/fre.php
FILE HASHES
ACE ARCHIVE FROM THE EMAIL:
SHA256 hash:  42306a26580cf29068f1a716aaa61d1a4921b2206f3e8234d86d6fcc607d7be8
File size:  157,430 bytes
File name:  PO12062017.ace
MALICIOUS BINARY EXTRACTED FROM THE ACE ARCHIVE (LOKI BOT):
http://www.malware-traffic-analysis.net/2017/06/12/index.html
Page 3 of 4

SHA256 hash:  7e9c05cff0e0ac10640100c801c3f56470fb6166bbf4e67fa28c63af683458e4
File size:  327,680 bytes
File name:  PO12062017.exe
File location on the infected host:  C:\Users\[username]\AppData\Roaming\[subfolder]\[filename].exe
ADDITIONAL FILE NOTED ON THE INFECTED HOST:
SHA256 hash:  121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
File location:  C:\Users\[username]\AppData\Roaming\C72387\7571BA.exe
File size:  20,992 bytes
File description:  Appears to be a copy of the legitimate Microsoft file svchost.exe
IMAGES
Shown above:  Updated Windows registry with the same file as last time.
Click here to return to the main page.
Source: http://www.malware-traffic-analysis.net/2017/06/12/index.html
http://www.malware-traffic-analysis.net/2017/06/12/index.html
Page 4 of 4