Vulnerability scanner

Loki : Simple IOC Scanner | Scanner for Simple Indicators of Compromise

Written by Mubassir patel

Loki – Simple IOC Scanner

Scanner for Simple Indicators of Compromise

Detection is based on four detection methods:

1. File Name IOC
   Regex match on full file path/name

2. Yara Rule Check
   Yara signature match on file data and process memory

3. Hash check
   Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files

The Windows binary is compiled with PyInstaller 2.1 and should run as x86 application on both x86 and x64 based systems.

How-To Run LOKI and Analyse the Reports

Run

  • Download the program archive via the button “Download ZIP” on the right sidebar
  • Unpack LOKI locally
  • Provide the folder to a target system that should be scanned: removable media, network share, folder on target system
  • Right-click on loki.exe and select “Run as Administrator” or open a command line “cmd.exe” as Administrator and run it from there (you can also run LOKI without administrative privileges but some checks will be disabled and relevant objects on disk will not be accessible)

Reports

  • The resulting report will show a GREEN, YELLOW or RED result line.
  • Please analyse the findings yourself by:
    1. uploading non-confidential samples to Virustotal.com
    2. Search the web for the filename
    3. Search the web for keywords from the rule name (e.g. EQUATIONGroupMalware_1 > search for “Equation Group”)
    4. Search the web for the MD5 hash of the sample
  • Please report back false positives via the “Issues” section, which is accessible via the right sidebar (mention the false positive indicator like a hash and/or filename and the rule name that triggered)

Included IOCs

Loki currently includes the following IOCs:

  • Equation Group Malware (Hashes, Yara Rules by Kaspersky and 10 custom rules generated by us)
  • Carbanak APT – Kaspersky Report (Hashes, Filename IOCs – no service detection and Yara rules)
  • Arid Viper APT – Trendmicro (Hashes)
  • Anthem APT Deep Panda Signatures (not officialy confirmed) (krebsonsecurity.com – see Blog Post)
  • Regin Malware (GCHQ / NSA / FiveEyes) (incl. Legspin and Hopscotch)
  • Five Eyes QUERTY Malware (Regin Keylogger Module – see: Kaspesky Report)
  • Skeleton Key Malware (other state-sponsored Malware) – Source: Dell SecureWorks Counter Threat Unit(TM)
  • WoolenGoldfish – (SHA1 hashes, Yara rules) Trendmicro Report
  • OpCleaver (Iranian APT campaign) – Source: Cylance
  • More than 180 hack tool Yara rules – Source: APT Scanner THOR
  • More than 600 web shell Yara rules – Source: APT Scanner THOR
  • Numerous suspicious file name regex signatures – Source: APT Scanner THOR
  • Much more … (cannot update the list as fast as I include new signatures)

Loki is the new generic scanner that combines most of the features from my recently published scanners: ReginScanner and SkeletonKeyScanner.

Requirements

No requirements if you use the compiled EXE.

If you want to build it yourself:

  • yara : It’s recommended to use the most recent version of the compiled packages for Windows (x86) – Download it from here: http://goo.gl/PQjmsf
  • scandir : faster alternative to os.walk()
  • colorama : to color it up
  • psutil : process checks

Usage

usage: loki.exe [-h] [-p path] [-s kilobyte] [--printAll] [--noprocscan]
                [--nofilescan] [--noindicator] [--debug]

Loki - Simple IOC Scanner

optional arguments:
  -h, --help     show this help message and exit
  -p path        Path to scan
  -s kilobyte    Maximum file site to check in KB (default 2000 KB)
  --printAll     Print all files that are scanned
  --noprocscan   Skip the process scan
  --nofilescan   Skip the file scan
  --noindicator  Do not show a progress indicator
  --debug        Debug output

Screenshots

Loki Scan

Screen

Regin Matches

Screen

Regin False Positives

Screen

Hash based IOCs

Screen

File Name based IOCs

Screen

Generated log file

Screen

 

Antivirus – False Positives

The compiled scanner may be detected by antivirus engines. This is caused by the fact that the scanner is a compiled python script that implement some file system and process scanning features that are also used in compiled malware code.

If you don’t trust the compiled executable, please compile it yourself.

Compile the Scanner

Download PyInstaller, switch to the pyinstaller program directory and execute:

python ./pyinstaller.py -F C:\path\to\loki.py

This will create a loki.exe in the subfolder ./loki/dist.

Pro Tip (optional)

To include the msvcr100.dll to improve the target os compatibility change the line in the file ./loki/loki.spec that contains a.bianries, to the following:

a.binaries + [('msvcr100.dll', 'C:\Windows\System32\msvcr100.dll', 'BINARY')],

About the author

Mubassir patel

Mubassir is a founder and developer of this site. He is a computer science engineer. He has a very deep interest in ethical hacking, penetration testing, website development and including all technology topic.

Leave a Comment