Shulou(Shulou.com)06/01 Report--

Report reference

(1) New Loki variants are transmitted through PDF files.

Https://www.fortinet.com/blog/threat-research/new-loki-variant-being-spread-via-pdf-file.html

(2) Analysis of new Fareit varieties.

Https://www.fortinet.com/blog/threat-research/new-fareit-variant-analysis.html

Fareit family

Network clipping C feature: / gate.php

Loki steals malware

External form:

The first release path of the virus: C:\ Users\ XX\ AppData\ Roaming

Virus process: anydesk.exe

Release virus name: 33CAF5.exe

Have hidden file attribute

Released copy directory:

C:\ Users\ xx\ AppData\ Roaming\ Microsoft\ Skype.exe

The basic information of each file obtained:

Desktop\ 33CAF5.exe size: 430080 bytes version: 5.06.0006 revision time: April 25, 2018, 8:45:05MD5: 6C1E5DA8CF6A810F6B0F581FB9808EA7SHA1: 1F32DFD05102052EB632D9809DA42CFDE6C2369BCRC32: 676C4584Desktop\ 33CAF5\ 33CAF5.exe size: 1132544 bytes modification time: may 18, 2018, 14:32:51MD5: 39D444AC90BD7C1D16A18AE2F5DBAD04SHA1: E98E064B0DB36C11A99A153AD74F6BF51BF478DACRC32: 7D518DEEDesktop\ anydesk\ anydesk.exe size: 1132544 bytes modification time: may 18, 2018, 14:32:51MD5: 39D444AC90BD7C1D16A18AE2F5DBAD04SHA1: E98E064B0DB36C11A99A153AD74F6BF51BF478DACRC32: 7D518DEE

The registry key contains network information:

HKEY_LOCAL_MACHINE\ http://bs-shipmanaqement.com/albert/anel/five/fre[.]php

Obtain account password information through the registry

Identical point

1. Secret-stealing software

2 get the software installation through the registry

3 read password file to search for username and password in memory

4 connecting to the network to send data

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.