Analysis
max time kernel: 151s
max time network: 119s
platform: windows7_x64
resource: win7v200430
submitted: 11-07-2020 06:10

Static task: static1
Behavioral task: behavioral1
  Sample: b29f77bf9d9c0c91f62a930ee7c900e7.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: b29f77bf9d9c0c91f62a930ee7c900e7.exe
  Resource: win10
General
Target: b29f77bf9d9c0c91f62a930ee7c900e7.exe
Size: 1.0MB
MD5: b29f77bf9d9c0c91f62a930ee7c900e7
SHA1: 4d3efdfc28be25aab74bf08bd6b91ad6fda23aa4
SHA256: c9a1e7bfb01b6f8f269a6b04cde83384edaec1d81edf3280d595153e7a148b23
SHA512: 9de547f84e3778e999ceb05c1df896505aa3d41544a35a9fd644f1829cf8ab97ae507066fcdbd0539fc1ba5e5d5d2f9f23f5613201064227cd513f2852fe9103
Malware Config
Signatures
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | process
  908 | jskkd.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  3    | api.ipify.org
NTFS ADS (1 IoC)
Processes:
  description  | ioc                                                             | process
  File created | C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe:ZoneIdentifier | notepad.exe
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                      | pid  | process                              | target process
  PID 1388 wrote to memory of 1444 | 1388 | b29f77bf9d9c0c91f62a930ee7c900e7.exe | notepad.exe   (6 entries)
  PID 1444 wrote to memory of 1528 | 1444 | notepad.exe                          | jskkd.exe     (4 entries)
  PID 1528 wrote to memory of 908  | 1528 | jskkd.exe                            | jskkd.exe     (4 entries)
  PID 1528 wrote to memory of 372  | 1528 | jskkd.exe                            | jskkd.exe     (4 entries)
Loads dropped DLL (2 IoCs)
Processes:
  pid  | process
  1444 | notepad.exe   (2 entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              | pid | process
  Token: SeDebugPrivilege  | 908 | jskkd.exe
UPX packed file (3 IoCs)
Detects executables packed with UPX/modified UPX open source packer.
Processes:
  resource                                                                    | yara_rule
  behavioral1/memory/908-7-0x0000000000400000-0x0000000000541000-memory.dmp  | upx
  behavioral1/memory/908-10-0x0000000000400000-0x0000000000541000-memory.dmp | upx
  behavioral1/memory/908-13-0x0000000000400000-0x0000000000541000-memory.dmp | upx
Drops startup file (1 IoC)
Processes:
  description  | ioc                                                                                  | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fhukw.vbs | notepad.exe
Suspicious behavior: EnumeratesProcesses (1361 IoCs)
Processes:
  pid  | process
  1388 | b29f77bf9d9c0c91f62a930ee7c900e7.exe
  1528 | jskkd.exe
  372  | jskkd.exe   (this row is repeated for every remaining listed entry)
Executes dropped EXE (3 IoCs)
Processes:
  pid  | process
  1528 | jskkd.exe
  908  | jskkd.exe
  372  | jskkd.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                        | pid  | process   | target process
  PID 1528 set thread context of 908 | 1528 | jskkd.exe | jskkd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid  | process
  1528 | jskkd.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid | process
  908 | jskkd.exe

MassLogger log file (1 IoC)
Detects a log file produced by MassLogger.
Processes:
  yara_rule: masslogger_log_file
Processes
1. C:\Users\Admin\AppData\Local\Temp\b29f77bf9d9c0c91f62a930ee7c900e7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b29f77bf9d9c0c91f62a930ee7c900e7.exe"
   PID: 1388
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\notepad.exe
      Command line: "C:\Windows\system32\notepad.exe"
      PID: 1444
      - NTFS ADS
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL
      - Drops startup file
      3. C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe
         Command line: "C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe"
         PID: 1528
         - Suspicious use of WriteProcessMemory
         - Suspicious behavior: EnumeratesProcesses
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         4. C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe
            Command line: "C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe"
            PID: 908
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious use of AdjustPrivilegeToken
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
         4. C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe
            Command line: "C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe" 2 908 91166
            PID: 372
            - Suspicious behavior: EnumeratesProcesses
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe
- C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe
- C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe
- C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe
- \Users\Admin\AppData\Roaming\appdata\jskkd.exe
- \Users\Admin\AppData\Roaming\appdata\jskkd.exe
- memory/372-11-0x0000000000000000-mapping.dmp
- memory/908-7-0x0000000000400000-0x0000000000541000-memory.dmp (Filesize: 1.3MB)
- memory/908-8-0x000000000053F9D0-mapping.dmp
- memory/908-10-0x0000000000400000-0x0000000000541000-memory.dmp (Filesize: 1.3MB)
- memory/908-13-0x0000000000400000-0x0000000000541000-memory.dmp (Filesize: 1.3MB)
- memory/908-14-0x0000000001F10000-0x0000000001FAA000-memory.dmp (Filesize: 616KB)
- memory/908-15-0x0000000002062000-0x0000000002063000-memory.dmp (Filesize: 4KB)
- memory/908-16-0x0000000000330000-0x00000000003C3000-memory.dmp (Filesize: 588KB)
- memory/1444-0-0x0000000000000000-mapping.dmp
- memory/1444-1-0x0000000000090000-0x0000000000091000-memory.dmp (Filesize: 4KB)
- memory/1528-4-0x0000000000000000-mapping.dmp