{"id":4033,"date":"2016-01-16T02:58:16","date_gmt":"2016-01-15T18:58:16","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4033"},"modified":"2016-01-14T02:59:19","modified_gmt":"2016-01-13T18:59:19","slug":"loki-indicators-compromise-scanner","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2016\/01\/loki-indicators-compromise-scanner\/","title":{"rendered":"LOKI &#8211; Indicators Of Compromise Scanner"},"content":{"rendered":"<p>Loki is a Indicators Of Compromise Scanner, based on 4 main methods (additional checks are available) and will present a report showing GREEN, YELLOW or RED result lines.<\/p>\n<p align=\"center\"><img decoding=\"async\" src=\"https:\/\/c2.staticflickr.com\/2\/1652\/24251594622_e70c7947ca.jpg\" alt=\"LOKI - Indicators Of Compromise Scanner\" \/><\/p>\n<p>The compiled scanner may be detected by antivirus engines. This is caused by the fact that the scanner is a compiled python script that implement some file system and process scanning features that are also used in compiled malware code.<\/p>\n<p>If you don&#8217;t trust the compiled executable, please compile it yourself.<\/p>\n<h3>Detection<\/h3>\n<p>Detection is based on four detection methods:<\/p>\n<ul>\n<li><strong>File Name IOC<\/strong> &#8211; Regex match on full file path\/name<\/li>\n<li><strong>Yara Rule Check<\/strong> &#8211; Yara signature match on file data and process memory<\/li>\n<li><strong>Hash Check<\/strong> &#8211; Compares known malicious hashes (MD5, SHA1, SHA256)<\/li>\n<li><strong>C2 Back Connect Check<\/strong> &#8211; Compares process connection endpoints with C2 IOCs<\/li>\n<\/ul>\n<p>There are also some additional checks available:<\/p>\n<ul>\n<li>Regin filesystem check (via &#8211;reginfs)<\/li>\n<li>Process anomaly check<\/li>\n<li>SWF decompressed scan<\/li>\n<li>SAM dump check<\/li>\n<\/ul>\n<h3>Included IOCs<\/h3>\n<p>Loki currently includes the following IOCs:<\/p>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<ul>\n<li>Equation Group Malware (Hashes, Yara Rules by Kaspersky and 10 custom rules generated by us)<\/li>\n<li>Carbanak APT &#8211; (Hashes, Filename IOCs &#8211; no service detection and Yara rules)<\/li>\n<li>Arid Viper APT &#8211; (Hashes)<\/li>\n<li>Anthem APT Deep Panda Signatures (not officialy confirmed)\/li>\n<li>Regin Malware (GCHQ \/ NSA \/ FiveEyes) (incl. Legspin and Hopscotch)<\/li>\n<li>Five Eyes QUERTY Malware<\/li>\n<li>Skeleton Key Malware (other state-sponsored Malware)<\/li>\n<li>WoolenGoldfish &#8211; (SHA1 hashes, Yara rules)<\/li>\n<li>OpCleaver (Iranian APT campaign)<\/li>\n<li>More than 180 hack tool Yara rules<\/li>\n<li>More than 600 web shell Yara rules<\/li>\n<li>Numerous suspicious file name regex signatures<\/li>\n<\/ul>\n<h3>Usage<\/h3>\n<pre>usage: loki.exe [-h] [-p path] [-s kilobyte] [--printAll] [--noprocscan]\r\n                [--nofilescan] [--noindicator] [--debug]\r\n\r\nLoki - Simple IOC Scanner\r\n\r\noptional arguments:\r\n  -h, --help     show this help message and exit\r\n  -p path        Path to scan\r\n  -s kilobyte    Maximum file site to check in KB (default 2000 KB)\r\n  --printAll     Print all files that are scanned\r\n  --noprocscan   Skip the process scan\r\n  --nofilescan   Skip the file scan\r\n  --noindicator  Do not show a progress indicator\r\n  --debug        Debug output<\/pre>\n<p><em>The Windows binary is compiled with PyInstaller 2.1 and should run as x86 application on both x86 and x64 based systems.<\/em><\/p>\n<p>You can download Loki here:<\/p>\n<p><a href=\"https:\/\/github.com\/Neo23x0\/Loki\/blob\/master\/loki.exe?raw=true\">loki.exe<\/a><\/p>\n<p>Or read more <a href=\"https:\/\/github.com\/Neo23x0\/Loki\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Loki is a Indicators Of Compromise Scanner, based on 4 main methods (additional checks are available) and will present a report showing GREEN, YELLOW or RED result lines. The compiled scanner may be detected by antivirus engines. This is caused by the fact that the scanner is a compiled python script that implement some file [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"Loki is a Indicators Of Compromise Scanner, based on 4 main methods (additional checks are available) and will present a report showing GREEN, YELLOW or RED result lines.","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[12,11],"tags":[],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4033"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=4033"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4033\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=4033"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=4033"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=4033"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}