LOKI – Indicators Of Compromise Scanner


Loki is a Indicators Of Compromise Scanner, based on 4 main methods (additional checks are available) and will present a report showing GREEN, YELLOW or RED result lines.

LOKI - Indicators Of Compromise Scanner

The compiled scanner may be detected by antivirus engines. This is caused by the fact that the scanner is a compiled python script that implement some file system and process scanning features that are also used in compiled malware code.

If you don’t trust the compiled executable, please compile it yourself.

Detection

Detection is based on four detection methods:

  • File Name IOC – Regex match on full file path/name
  • Yara Rule Check – Yara signature match on file data and process memory
  • Hash Check – Compares known malicious hashes (MD5, SHA1, SHA256)
  • C2 Back Connect Check – Compares process connection endpoints with C2 IOCs

There are also some additional checks available:

  • Regin filesystem check (via –reginfs)
  • Process anomaly check
  • SWF decompressed scan
  • SAM dump check

Included IOCs

Loki currently includes the following IOCs:


  • Equation Group Malware (Hashes, Yara Rules by Kaspersky and 10 custom rules generated by us)
  • Carbanak APT – (Hashes, Filename IOCs – no service detection and Yara rules)
  • Arid Viper APT – (Hashes)
  • Anthem APT Deep Panda Signatures (not officialy confirmed)/li>
  • Regin Malware (GCHQ / NSA / FiveEyes) (incl. Legspin and Hopscotch)
  • Five Eyes QUERTY Malware
  • Skeleton Key Malware (other state-sponsored Malware)
  • WoolenGoldfish – (SHA1 hashes, Yara rules)
  • OpCleaver (Iranian APT campaign)
  • More than 180 hack tool Yara rules
  • More than 600 web shell Yara rules
  • Numerous suspicious file name regex signatures

Usage

The Windows binary is compiled with PyInstaller 2.1 and should run as x86 application on both x86 and x64 based systems.

You can download Loki here:

loki.exe

Or read more here.

Posted in: Countermeasures, Security Software


Latest Posts:


BloodHound - Hacking Active Directory Trust Relationships BloodHound – Hacking Active Directory Trust Relationships
BloodHound is for hacking active directory trust relationships and it uses graph theory to reveal the hidden and often unintended relationships within an AD environment.
SecLists - Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells SecLists – Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place.
DeepSound - Audio Steganography Tool DeepSound – Audio Steganography Tool
DeepSound is an audio steganography tool and audio converter that hides secret data into audio files, the application also enables you to extract from files.
2019 High Severity Vulnerabilities What are the MOST Critical Web Vulnerabilities in 2019?
So what is wild on the web this year? Need to know about the most critical web vulnerabilities in 2019 to protect your organization?
GoBuster - Directory/File & DNS Busting Tool in Go GoBuster – Directory/File & DNS Busting Tool in Go
GoBuster is a tool used to brute-force URIs (directories and files) in web sites and DNS subdomains (inc. wildcards) - a directory/file & DNS busting tool.
BDFProxy - Patch Binaries via MITM - BackdoorFactory + mitmProxy BDFProxy – Patch Binaries via MiTM – BackdoorFactory + mitmproxy
BDFProxy allows you to patch binaries via MiTM with The Backdoor Factory combined with mitmproxy enabling on the fly patching of binary downloads


Comments are closed.