Simple IOC and Incident Response Scanner: Loki

2018-03-18T06:45:59
ID N0WHERE:32345
Type n0where
Reporter N0where
Modified 2018-03-18T06:45:59

Description

LOKI is a free and simple IOC scanner, a complete rewrite of main analysis modules of our full featured APT Scanner THOR. IOC stands for „Indicators of Compromise“. These indicators can be derived from published incident reports, forensic analyses or malware sample collections in your Lab.

LOKI offers a simple way to scan your systems for known IOCs.

It supports these different types of indicators:

  • MD5 / SHA1 / SHA256 hashes
  • Yara Rules (applied to file data and process memory)
  • Hard Indicator Filenames based on Regular Expression (e.g. \\pwdump\.exe)
  • Soft Indicator Filenames based on Regular Expressions (e.g. Windows\\[\w]\.exe)

The Windows binary is compiled with PyInstaller 2.1 and should run as x86 application on both x86 and x64 based systems.

Free & Simple Indicators of Compromise Scanner: Loki

Detection is based on four detection methods:

  1. File Name IOC
    Regex match on full file path/name
  2. Yara Rule Check
    Yara signature match on file data and process memory
  3. Hash check
    Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
  4. C2 Back Connect
    Check Compares process connection endpoints with C2 IOCs (new since version v.10 )

Additional Checks:

  1. Regin filesystem check (via –reginfs)
  2. Process anomaly check (based on Sysforensics
  3. SWF decompressed scan (new since version v0.8)
  4. SAM dump check
  5. DoublePulsar check – tries to detect DoublePulsar backdoor on port 445/tcp and 3389/tcp

The Windows binary is compiled with PyInstaller 2.1 and should run as x86 application on both x86 and x64 based systems.

How-To Run LOKI and Analyse the Reports

Run

  • Download the latest LOKI version from the releases section
  • Run it once to retrieve the latest signature base repository
  • Provide the folder to a target system that should be scanned: removable media, network share, folder on target system
  • Right-click on loki.exe and select “Run as Administrator” or open a command line “cmd.exe” as Administrator and run it from there (you can also run LOKI without administrative privileges but some checks will be disabled and relevant objects on disk will not be accessible)

Reports

  • The resulting report will show a GREEN, YELLOW or RED result line.
  • Please analyse the findings yourself by:
    1. uploading non-confidential samples to Virustotal.com
    2. Search the web for the filename
    3. Search the web for keywords from the rule name (e.g. EQUATIONGroupMalware_1 > search for “Equation Group”)
    4. Search the web for the MD5 hash of the sample
    5. Search in my customer APT search engine for file names or identifiers
  • Please report back false positives via the Issues section (mention the false positive indicator like a hash and/or filename and the rule name that triggered)

Usage

usage: loki.exe [-h] [-p path] [-s kilobyte] [-l log-file] [-r remote-loghost]
                [-a alert-level] [-w warning-level] [-n notice-level]
                [--printAll] [--allreasons] [--noprocscan] [--nofilescan]
                [--scriptanalysis] [--rootkit] [--noindicator] [--reginfs]
                [--dontwait] [--intense] [--csv] [--onlyrelevant] [--nolog]
                [--update] [--debug]

Loki - Simple IOC Scanner

optional arguments:
  -h, --help         show this help message and exit
  -p path            Path to scan
  -s kilobyte        Maximum file size to check in KB (default 5000 KB)
  -l log-file        Log file
  -r remote-loghost  Remote syslog system
  -a alert-level     Alert score
  -w warning-level   Warning score
  -n notice-level    Notice score
  --printAll         Print all files that are scanned
  --allreasons       Print all reasons that caused the score
  --noprocscan       Skip the process scan
  --nofilescan       Skip the file scan
  --scriptanalysis   Activate script analysis (beta)
  --rootkit          Skip the rootkit check
  --noindicator      Do not show a progress indicator
  --reginfs          Do check for Regin virtual file system
  --dontwait         Do not wait on exit
  --intense          Intense scan mode (also scan unknown file types and all
                     extensions)
  --csv              Write CSV log format to STDOUT (machine prcoessing)
  --onlyrelevant     Only print warnings or alerts
  --nolog            Don't write a local log file
  --update           Update the signatures from the "signature-base" sub
                     repository
  --debug            Debug output

Simple IOC and Incident Response Scanner: Loki Download