Overview

overview

10

Static

static

PO2491039385.js

windows7_x64

10

PO2491039385.js

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    14-12-2021 15:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO2491039385.js

  • Size

    536KB

  • MD5

    e09294b9ca51300793673da85e23fa34

  • SHA1

    46715b9d35152983bd452eb6bf65c588b36a7ab1

  • SHA256

    915ed58984f946bee7b46fd8d6a4cc81e4d7edbd6f2c52a7d0f0f0945140d23b

  • SHA512

    9d5c7dcb626c7cdb9ab7bab3d73d144b8494aac1561b2b83237007486f03404bb73e539b6847fa1ec12a04e8c5448eaaa346c4d3137b2614416a95337ca081b4

Score
10/10
snakekeyloggervjw0rmcollectionkeyloggerpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    success21

Extracted

Family

vjw0rm

C2

http://myroyailrubin2019.duia.ro:7974

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 2 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\PO2491039385.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\uRyLhONQMx.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:524
    • C:\Users\Admin\AppData\Local\Temp\newv6.exe
      "C:\Users\Admin\AppData\Local\Temp\newv6.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\newv6.exe
    MD5

    3f8ba3a594b42de92457cb6cf140849c

    SHA1

    c32f9fefb03d2cb5cd47c5a8b992255313c0a864

    SHA256

    6fc2cda350ed361c877fe0d05b67254e24129f3e5ad158ead1f6ab8c7c3e8897

    SHA512

    9b9d34817614a1ac7b2aad8b356dc0308f9f4639e0a1dbeac46e856d2a7a4d98e2adf1423d9846472a13d513620b21788a4082faeb00dbca45b680ace401983f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\newv6.exe
    MD5

    3f8ba3a594b42de92457cb6cf140849c

    SHA1

    c32f9fefb03d2cb5cd47c5a8b992255313c0a864

    SHA256

    6fc2cda350ed361c877fe0d05b67254e24129f3e5ad158ead1f6ab8c7c3e8897

    SHA512

    9b9d34817614a1ac7b2aad8b356dc0308f9f4639e0a1dbeac46e856d2a7a4d98e2adf1423d9846472a13d513620b21788a4082faeb00dbca45b680ace401983f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\uRyLhONQMx.js
    MD5

    231e48b2a15b610eb96c574fb3584531

    SHA1

    5249109df277e52ab753d86a7f66caa64190a8a0

    SHA256

    4a626ec97945e8fa02815b7faa4d78ed6e6f51934e71623917490672e5892be7

    SHA512

    b2e58561307176a61d2c9a5ceb8f335198a09ac02597bde7436b4bb803234364403c654aa9c335bd1044534ba23f236705a708d2b6726af5b0addf4ccb8fbb5f

    Download Submit
  • memory/524-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1672-55-0x000007FEFC031000-0x000007FEFC033000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1972-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1972-61-0x0000000001060000-0x0000000001061000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1972-63-0x0000000004D90000-0x0000000004D91000-memory.dmp
    Filesize

    4KB

    Download