For something different today, I found some DHL-inspired LokiBot malspam in the email filters. LokiBot is considered an information stealer, as it looks through the system for any credentials it can grab. As Brad mentioned in an older SANS ISC blog entry, the emails that LokiBot uses vary and do not seem to follow any kind of pattern. The pattern is noticeable when you look at the infection (this will be discussed later).

Artifacts from this investigation can be found below in my Github repo located here.

– ħ8.128.6231 / kc3nj.loan (POST /3kc/xxx/xxx/fre.php)
– ģnj.loan (found in strings of a running process)
– File name: DHL Shipment Delivery Service.ace
– File name: DHL Shipment Delivery Service.scr
– MD5 hash: 36592df9bb484f3c4f7a807acc3afe9a

In the meantime, if you want to read a great, detailed breakdown of LokiBot, check out this paper from Rob Pantazopoulos via the SANS Reading Room.

This is a pretty straightforward LokiBot infection. I saw this because of some patterns that are exhibited by the malware:

– The User-Agent is always “User-Agent: Mozilla/4.08 (Charon Inferno)”
– Within the traffic there is a string (seen below) labeled “”
– The POSTs send data, but always present a “404 Not Found” error message

Once the file is extracted from the ACE archive and executed, it spins up and later uses process hollowing to create child processes that become orphaned (everything is named the same). The remaining two processes are what proceed to scan the system looking for credentials and ship them back to the compromised server via some POSTs. The following is a snippet that I pulled from PID 2380 via strings.

%s\Notepad \plugins\config\NppFTP\NppFTP.
Software\NCH Software\ClassicFTP\FTPAccounts
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
%s\QupZilla\profiles\default\browsedata.db
Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete
%s\Moonchild Productions\Pale Moon\Profiles\%s
%s\Moonchild Productions\Pale Moon\profiles.ini
%s\NETGATE Technologies\BlackHawk\Profiles\%s
%s\NETGATE Technologies\BlackHawk\profiles.ini
SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer
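As an added example that is not part of the original post, here is a small Python check that turns the three network patterns described above (the fixed User-Agent, the POST to the fre.php gate, and a POST that sends data yet gets a 404 back) into detection logic run over constructed proxy-log lines. The log layout, the parse/classify/scan function names and all sample hosts are assumptions for this example; only the User-Agent string, the gate path and the kc3nj.loan domain come from the post.

```python
import re
# Indicators quoted in the post: the hard-coded User-Agent and the PHP gate the
# POSTs go to. Everything else in this block is a constructed assumption.
LOKI_USER_AGENT = "Mozilla/4.08 (Charon Inferno)"
GATE_PATH = re.compile(r"/fre\.php$")
# Assumed proxy-log layout: client method url status bytes_out "user-agent"
LINE_RE = re.compile(r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
                     r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$')
# Constructed sample: two beacons from one host plus benign traffic.
SAMPLE_PROXY_LOG = """\
10.0.0.15 POST http://kc3nj.loan/3kc/xxx/xxx/fre.php 404 1532 "Mozilla/4.08 (Charon Inferno)"
10.0.0.15 GET http://example.com/index.html 200 0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.22 POST http://intranet.example/upload 200 8192 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.15 POST http://kc3nj.loan/3kc/xxx/xxx/fre.php 404 2210 "Mozilla/4.08 (Charon Inferno)"
"""

def parse_line(line):
    """One log line -> dict, or None if it does not fit the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"], rec["bytes"] = int(rec["status"]), int(rec["bytes"])
    return rec

def classify(rec):
    """Return the patterns from the post that a single request matches."""
    reasons = []
    if rec["ua"] == LOKI_USER_AGENT:
        reasons.append("hard-coded LokiBot User-Agent")
    if rec["method"] == "POST" and GATE_PATH.search(rec["url"].split("?", 1)[0]):
        reasons.append("POST to fre.php gate")
    if rec["method"] == "POST" and rec["status"] == 404 and rec["bytes"] > 0:
        reasons.append("data POSTed but server answered 404")
    return reasons

def scan(log_text):
    """Per-line alerts, plus per-client count of lines matching >= 2 patterns."""
    alerts, beacons = [], {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["client"], rec["url"], reasons))
        if len(reasons) >= 2:
            beacons[rec["client"]] = beacons.get(rec["client"], 0) + 1
    return alerts, beacons
```

The per-client beacon count is what makes the 404-with-data pattern useful: a single 404 is noise, but repeated POSTs to the same gate that all come back 404 from one host are the behaviour described above.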