jks.exe

Tags

Signatures

• Azorult

  Description

  An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  Tags

  trojaninfostealerazorult

• IcedID, BokBot

  Description

  IcedID is a banking trojan capable of stealing credentials.

  Tags

  trojanbankericedid

• Modifies Windows Defender Real-time Protection settings

  Tags

  evasiontrojan

  TTPs

  Modify RegistryModify Existing ServiceDisabling Security Tools

• Process spawned unexpected child process

  Description

  This typically indicates the parent process was compromised via an exploit or macro.

• Raccoon

  Description

  Simple but powerful infostealer which was very active in 2019.

  Tags

  stealerraccoon

• RedLine

  Description

  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  Tags

  infostealerredline

• RedLine Payload

• Socelars

  Description

  Socelars is an infostealer targeting browser cookies and credit card credentials.

  Tags

  stealersocelars

• Socelars Payload

• Suspicious use of NtCreateProcessExOtherParentProcess

• Vidar

  Description

  Vidar is an infostealer based on Arkei stealer.

  Tags

  stealervidar

• xmrig

  Description

  XMRig is a high performance, open source, cross platform CPU/GPU miner.

  Tags

  minerxmrig

• Checks for common network interception software

  Description

  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  Tags

  evasion

  TTPs

• Identifies VirtualBox via ACPI registry values (likely anti-VM)

  Tags

  evasion

  TTPs

  Query RegistryVirtualization/Sandbox Evasion

• Vidar Stealer

  Tags

  stealer

• ASPack v2.12-2.42

  Description

  Detects executables packed with ASPack v2.12-2.42

  Tags

  aspackv2

• Blocklisted process makes network request

• Downloads MZ/PE file

• Drops file in Drivers directory

• Executes dropped EXE

• Modifies Windows Firewall

  Tags

  evasion

  TTPs

  Modify Existing Service

• Checks BIOS information in registry

  Description

  BIOS information is often read in order to detect sandboxing environments.

  TTPs

  Query RegistrySystem Information Discovery

• Checks computer location settings

  Description

  Looks up country code configured in the registry, likely geofence.

  TTPs

  Query RegistrySystem Information Discovery

• Loads dropped DLL

• Reads user/profile data of web browsers

  Description

  Infostealers often target stored browser data, which can include saved credentials etc.

  Tags

  spywarestealer

  TTPs

  Data from Local SystemCredentials in Files

• Accesses 2FA software files, possible credential harvesting

  Tags

  spywarestealer

  TTPs

  Data from Local SystemCredentials in Files

• Accesses cryptocurrency files/wallets, possible credential harvesting

  Tags

  spyware

  TTPs

  Data from Local SystemCredentials in Files

• Adds Run key to start application

  Tags

  persistence

  TTPs

  Registry Run Keys / Startup FolderModify Registry

• Checks for any installed AV software in registry

  TTPs

  Security Software Discovery

• Checks installed software on the system

  Description

  Looks up Uninstall key entries in the registry to enumerate software on the system.

  Tags

  discovery

  TTPs

  Query Registry

• Checks whether UAC is enabled

  Tags

  evasiontrojan

  TTPs

  System Information Discovery

• Enumerates connected drives

  Description

  Attempts to read the root path of hard drives other than the default C: drive.

  TTPs

  Query RegistryPeripheral Device DiscoverySystem Information Discovery

• Legitimate hosting services abused for malware hosting/C2

  TTPs

  Web Service

• Looks up external IP address via web service

  Description

  Uses a legitimate IP lookup service to find the infected system's external IP.

• Drops file in System32 directory

• Suspicious use of NtSetInformationThreadHideFromDebugger

• Suspicious use of SetThreadContext

Related Tasks