Analysis
- max time kernel: 120s
- max time network: 135s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 02-12-2021 16:12
Static task: static1
Behavioral task: behavioral1 (sample nakit.exe, resource win7-en-20211014)
Behavioral task: behavioral2 (sample nakit.exe, resource win10-en-20211104)
General
- Target: nakit.exe
- Size: 587KB
- MD5: 1c07bd7e68247568357448dc81d45e53
- SHA1: 88c96369e426a72d3043582115da7aa623b00e66
- SHA256: ea11fa5c53db476858902d1ac3a763bf6da8e743b9dc3a508a203b18ffc2d9a5
- SHA512: ffdb7e4dd2d67db9bb20ea5d2fd83d12c49feaa7a9ac49ef9c51c2971ce294e42c6db9ac4719b0007ec61f184c854d2004c88cd0d40078f49f6c9631e3ddd35a
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.egesucuklari.com.tr
- Port: 587
- Username: info@egesucuklari.com.tr
- Password: EgeTire1966
The stolen data is sent over authenticated SMTP submission (port 587) to this mailbox, so these are the operator's drop-account credentials, not anything belonging to the victim; the host and account are the actionable network indicators.
Signatures
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process nakit.exe opened the following registry keys (the 9375CFF0413111d3B88A00104B2A6676 subkey is where Outlook keeps per-account settings, including stored mail credentials):
  - \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows: 25 checkip.dyndns.org; 27 freegeoip.app; 28 freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  PID 3760 (nakit.exe) set the thread context of PID 3428 (nakit.exe).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 3428 (nakit.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3428 (nakit.exe) enabled token privilege SeDebugPrivilege.
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3760 (nakit.exe) wrote to the memory of PID 3428 (nakit.exe), eight times.
- outlook_office_path (1 IoC)
  nakit.exe opened \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  nakit.exe opened \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\nakit.exe (PID 3760), command line "C:\Users\Admin\AppData\Local\Temp\nakit.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\nakit.exe (PID 3428, child of 3760), command line "C:\Users\Admin\AppData\Local\Temp\nakit.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
The shape of the tree is the point: the first instance launches a second copy of its own executable, writes into it and resets a thread context, which is the process hollowing (RunPE) sequence, and every credential-theft behaviour is then attributed to the child (PID 3428). Detection and memory acquisition should therefore target the child, not the launcher.
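To make the signature hits above reproducible outside the sandbox UI, here is an added Python example (written for this page, not part of the report or of the sandbox's own tooling) that parses the report's event lines as printed and re-derives three findings: the parent-to-child self-injection chain from the WriteProcessMemory and SetThreadContext events, the Outlook profile key access, and the contacts to IP-lookup services. The event strings are copied from the report; the IP-lookup watchlist entries beyond the two hosts seen on this page are an assumption.

```python
import re

# Event lines copied verbatim from the report's signature tables, one event per
# entry (the page runs them together on single lines).
REPORT_EVENTS = [
    r"Key opened \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 nakit.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 nakit.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 nakit.exe",
    "flow 25 checkip.dyndns.org",
    "flow 27 freegeoip.app",
    "flow 28 freegeoip.app",
    "PID 3760 set thread context of 3428 3760 nakit.exe nakit.exe",
    "Token: SeDebugPrivilege 3428 nakit.exe",
] + ["PID 3760 wrote to memory of 3428 3760 nakit.exe nakit.exe"] * 8

# Line shapes as the report prints them: "PID <src> <verb> <dst> <src> <src image> <dst image>".
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
KEY_RE = re.compile(r"^Key opened (.+) (\S+)$")  # key path may contain spaces
FLOW_RE = re.compile(r"^flow (\d+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\S+) (\d+) (\S+)$")

# Outlook keeps per-account settings (including saved mail passwords) under these keys.
OFFICE_PROFILE_RE = re.compile(r"\\Software\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Profiles\\", re.I)
WIN_PROFILE_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\", re.I)

# Assumed watchlist of public "what is my IP" services; the report shows only the first two.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "freegeoip.app", "api.ipify.org", "icanhazip.com", "ifconfig.me"}


def parse_events(lines):
    """Turn the report's one-line event strings into typed dicts; unknown lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if m := WRITE_RE.match(line):
            events.append({"kind": "write", "src": int(m[1]), "dst": int(m[2]),
                           "src_image": m[3], "dst_image": m[4]})
        elif m := CTX_RE.match(line):
            events.append({"kind": "thread_context", "src": int(m[1]), "dst": int(m[2]),
                           "src_image": m[3], "dst_image": m[4]})
        elif m := KEY_RE.match(line):
            events.append({"kind": "regkey", "key": m[1], "image": m[2]})
        elif m := FLOW_RE.match(line):
            events.append({"kind": "flow", "flow": int(m[1]), "host": m[2]})
        elif m := TOKEN_RE.match(line):
            events.append({"kind": "privilege", "privilege": m[1], "pid": int(m[2]), "image": m[3]})
    return events


def find_self_injection(events):
    """(src, dst) pairs where src both wrote into dst's memory and replaced a thread
    context in dst, and both run the same image: the process-hollowing / RunPE
    sequence in which a program starts a copy of itself and overwrites it."""
    wrote = {(e["src"], e["dst"]) for e in events if e["kind"] == "write"}
    ctx = {(e["src"], e["dst"]) for e in events if e["kind"] == "thread_context"}
    same_image = {(e["src"], e["dst"]) for e in events
                  if e["kind"] in ("write", "thread_context") and e["src_image"] == e["dst_image"]}
    return sorted(wrote & ctx & same_image)


def outlook_profile_access(events):
    """Which Outlook profile stores were touched: Office versions seen under the
    Office\\<ver>\\Outlook\\Profiles key, and the Windows Messaging Subsystem key."""
    versions = set()
    win_profiles = False
    for e in events:
        if e["kind"] != "regkey":
            continue
        if m := OFFICE_PROFILE_RE.search(e["key"]):
            versions.add(m[1])
        if WIN_PROFILE_RE.search(e["key"]):
            win_profiles = True
    return {"office_versions": sorted(versions), "windows_messaging_profiles": win_profiles}


def ip_lookup_contacts(events):
    """Sorted watchlist hosts that the sample contacted."""
    return sorted({e["host"] for e in events if e["kind"] == "flow" and e["host"] in IP_LOOKUP_HOSTS})


def triage(lines):
    """Summarise the behavioural findings in one structure."""
    events = parse_events(lines)
    return {
        "self_injection": find_self_injection(events),
        "write_count": sum(e["kind"] == "write" for e in events),
        "debug_privilege_pids": sorted({e["pid"] for e in events
                                        if e["kind"] == "privilege" and e["privilege"] == "SeDebugPrivilege"}),
        "outlook": outlook_profile_access(events),
        "ip_lookup_hosts": ip_lookup_contacts(events),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(REPORT_EVENTS))
```

Run as a script it prints the triage summary for this report: one self-injection pair (3760 into 3428), eight writes, SeDebugPrivilege on the child, Outlook 15.0 and 16.0 profile keys plus the Windows Messaging Subsystem key, and the two lookup hosts. The same functions work on any sandbox export that uses these line shapes.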
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nakit.exe.log
  MD5: f1181bc4bdff57024c4121f645548332
  SHA1: d431ee3a3a5afcae2c4537b1d445054a0a95f6e6
  SHA256: f1a7e138b25d0cb24bb4b23bd781b0dd357afd49d45e19ffa44cdb80170336ad
  SHA512: cf8059f289bcb4f33e82a2c4851fade486bd449793a39718d49bc357efd09689150aedd277c5ebcf79b5ebb4bbe36f0cbb72510a50398bee804ffd9c889604e3
  The .NET runtime writes this usage log when a managed assembly runs, so the sample is a 32-bit .NET Framework 4.x executable; the unpacked stage is the thing to look for in the child's dumps.
- memory/3428-128-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/3428-136-0x0000000006140000-0x0000000006141000-memory.dmp (4KB)
- memory/3428-135-0x0000000004E20000-0x000000000531E000-memory.dmp (5.0MB)
- memory/3428-129-0x000000000042044E-mapping.dmp
- memory/3760-122-0x0000000005780000-0x0000000005C7E000-memory.dmp (5.0MB)
- memory/3760-125-0x0000000005BA0000-0x0000000005BA1000-memory.dmp (4KB)
- memory/3760-126-0x0000000006520000-0x0000000006521000-memory.dmp (4KB)
- memory/3760-127-0x00000000066C0000-0x000000000673B000-memory.dmp (492KB)
- memory/3760-124-0x0000000005760000-0x0000000005768000-memory.dmp (32KB)
- memory/3760-123-0x0000000005730000-0x0000000005731000-memory.dmp (4KB)
- memory/3760-118-0x0000000000D30000-0x0000000000D31000-memory.dmp (4KB)
- memory/3760-121-0x0000000005780000-0x0000000005781000-memory.dmp (4KB)
- memory/3760-120-0x0000000005C80000-0x0000000005C81000-memory.dmp (4KB)
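Added example, not from the report: a small Python parser over the dump file names listed above. It recomputes the size labels from the address ranges so they can be cross-checked against the page, and it picks out the region that contains a same-PID mapping address. The working assumption, stated here and in the code, is that the single-address mapping dump (0x42044E for PID 3428) is the address the redirected thread was pointed at; under that assumption the 0x400000-0x426000 dump of PID 3428 is the injected image and the first one to carve. The dump names are copied from the report.

```python
import re

# Dump names copied from the report's Downloads section, with the report's own
# size labels kept beside them so the parser's arithmetic can be checked.
REPORT_DUMPS = {
    "memory/3428-128-0x0000000000400000-0x0000000000426000-memory.dmp": "152KB",
    "memory/3428-136-0x0000000006140000-0x0000000006141000-memory.dmp": "4KB",
    "memory/3428-135-0x0000000004E20000-0x000000000531E000-memory.dmp": "5.0MB",
    "memory/3428-129-0x000000000042044E-mapping.dmp": None,
    "memory/3760-122-0x0000000005780000-0x0000000005C7E000-memory.dmp": "5.0MB",
    "memory/3760-125-0x0000000005BA0000-0x0000000005BA1000-memory.dmp": "4KB",
    "memory/3760-126-0x0000000006520000-0x0000000006521000-memory.dmp": "4KB",
    "memory/3760-127-0x00000000066C0000-0x000000000673B000-memory.dmp": "492KB",
    "memory/3760-124-0x0000000005760000-0x0000000005768000-memory.dmp": "32KB",
    "memory/3760-123-0x0000000005730000-0x0000000005731000-memory.dmp": "4KB",
    "memory/3760-118-0x0000000000D30000-0x0000000000D31000-memory.dmp": "4KB",
    "memory/3760-121-0x0000000005780000-0x0000000005781000-memory.dmp": "4KB",
    "memory/3760-120-0x0000000005C80000-0x0000000005C81000-memory.dmp": "4KB",
}

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse_dump_name(name):
    """("region", pid, seq, start, end) or ("mapping", pid, seq, addr); None if not a dump name."""
    if m := REGION_RE.match(name):
        return ("region", int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16))
    if m := MAPPING_RE.match(name):
        return ("mapping", int(m[1]), int(m[2]), int(m[3], 16))
    return None


def size_label(nbytes):
    """Reproduce the report's labels: whole KiB below 1 MiB, one-decimal MiB from 1 MiB up."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def region_sizes(names):
    """{dump name: size label} for every region dump, computed from its address range."""
    out = {}
    for name in names:
        parsed = parse_dump_name(name)
        if parsed and parsed[0] == "region":
            out[name] = size_label(parsed[4] - parsed[3])
    return out


def payload_candidates(names):
    """Regions of a PID that contain that PID's mapping address.

    Assumption (analyst's working hypothesis, not something the report states):
    the mapping dump records the address a thread was redirected to, so the
    region around it holds the injected image and is the first dump to carve.
    A start of 0x400000 is flagged because it is the default image base of a
    32-bit PE, which fits a whole image having been written into the child.
    """
    regions, mappings = [], []
    for name in names:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        (regions if parsed[0] == "region" else mappings).append(parsed)
    hits = []
    for _, pid, _, addr in mappings:
        for _, rpid, _, start, end in regions:
            if rpid == pid and start <= addr < end:
                hits.append({"pid": pid, "entry": addr, "start": start, "end": end,
                             "entry_offset": addr - start,
                             "default_pe_image_base": start == 0x400000})
    return hits


if __name__ == "__main__":
    for name, label in region_sizes(REPORT_DUMPS).items():
        flag = "" if REPORT_DUMPS[name] == label else "  (differs from report)"
        print(f"{name}: {label}{flag}")
    for hit in payload_candidates(REPORT_DUMPS):
        print(f"PID {hit['pid']}: carve 0x{hit['start']:X}-0x{hit['end']:X}, "
              f"entry 0x{hit['entry']:X} (offset 0x{hit['entry_offset']:X})")
```

Every recomputed label matches the one the report prints, and the only region that contains a mapping address is 0x400000-0x426000 in PID 3428, with the entry 0x2044E bytes into it. When carving that dump, expect a PE whose section table needs its raw offsets realigned to the virtual ones, since it was dumped from memory rather than read from disk.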