Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows10_x64
- resource: win10
- submitted: 11-07-2020 06:10
Static task: static1
Behavioral task: behavioral1
  Sample: b29f77bf9d9c0c91f62a930ee7c900e7.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: b29f77bf9d9c0c91f62a930ee7c900e7.exe
  Resource: win10
General
- Target: b29f77bf9d9c0c91f62a930ee7c900e7.exe
- Size: 1.0MB
- MD5: b29f77bf9d9c0c91f62a930ee7c900e7
- SHA1: 4d3efdfc28be25aab74bf08bd6b91ad6fda23aa4
- SHA256: c9a1e7bfb01b6f8f269a6b04cde83384edaec1d81edf3280d595153e7a148b23
- SHA512: 9de547f84e3778e999ceb05c1df896505aa3d41544a35a9fd644f1829cf8ab97ae507066fcdbd0539fc1ba5e5d5d2f9f23f5613201064227cd513f2852fe9103
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (2668 IoCs)
  Processes (pid, process):
    3100  b29f77bf9d9c0c91f62a930ee7c900e7.exe
    3324  jskkd.exe
    3836  jskkd.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description, pid, process, target process):
    PID 3100 wrote to memory of 3936  b29f77bf9d9c0c91f62a930ee7c900e7.exe -> notepad.exe  (5 events)
    PID 3936 wrote to memory of 3324  notepad.exe -> jskkd.exe  (3 events)
    PID 3324 wrote to memory of 3864  jskkd.exe -> jskkd.exe  (3 events)
    PID 3324 wrote to memory of 3836  jskkd.exe -> jskkd.exe  (3 events)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 3324 set thread context of 3864  jskkd.exe -> jskkd.exe
- NTFS ADS (1 IoC)
  Processes (description, ioc, process):
    File created  C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe:ZoneIdentifier  notepad.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    1  api.ipify.org
- MassLogger log file (1 IoC)
  Detects a log file produced by MassLogger.
  Processes (yara_rule):
    masslogger_log_file
- UPX packed file (3 IoCs)
  Detects executables packed with UPX/modified UPX open source packer.
  Processes (resource, yara_rule):
    behavioral2/memory/3864-4-0x0000000000400000-0x0000000000541000-memory.dmp  upx
    behavioral2/memory/3864-8-0x0000000000400000-0x0000000000541000-memory.dmp  upx
    behavioral2/memory/3864-9-0x0000000000400000-0x0000000000541000-memory.dmp  upx
- Drops startup file (1 IoC)
  Processes (description, ioc, process):
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fhukw.vbs  notepad.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  3864  jskkd.exe
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    3324  jskkd.exe
    3864  jskkd.exe
    3836  jskkd.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process):
    3324  jskkd.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
    3864  jskkd.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid, process):
    3864  jskkd.exe
MassLogger
MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\b29f77bf9d9c0c91f62a930ee7c900e7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b29f77bf9d9c0c91f62a930ee7c900e7.exe"
  PID: 3100
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\notepad.exe
    Command line: "C:\Windows\system32\notepad.exe"
    PID: 3936
    - Suspicious use of WriteProcessMemory
    - NTFS ADS
    - Drops startup file
    - [3] C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe
      Command line: "C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe"
      PID: 3324
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
      - [4] C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe
        Command line: "C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe"
        PID: 3864
        - Suspicious use of AdjustPrivilegeToken
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious behavior: AddClipboardFormatListener
      - [4] C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe
        Command line: "C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe" 2 3864 58328
        PID: 3836
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe
- C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe
- C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe
- C:\Users\Admin\AppData\Roaming\appdata\jskkd.exe
- memory/3324-1-0x0000000000000000-mapping.dmp
- memory/3836-7-0x0000000000000000-mapping.dmp
- memory/3864-4-0x0000000000400000-0x0000000000541000-memory.dmp (Filesize: 1.3MB)
- memory/3864-5-0x000000000053F9D0-mapping.dmp
- memory/3864-8-0x0000000000400000-0x0000000000541000-memory.dmp (Filesize: 1.3MB)
- memory/3864-9-0x0000000000400000-0x0000000000541000-memory.dmp (Filesize: 1.3MB)
- memory/3864-11-0x0000000002350000-0x00000000023EA000-memory.dmp (Filesize: 616KB)
- memory/3864-12-0x00000000023F2000-0x00000000023F3000-memory.dmp (Filesize: 4KB)
- memory/3936-0-0x0000000000000000-mapping.dmp