Overview

overview

10

Static

static

Purchase Order.js

windows7_x64

10

Purchase Order.js

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    14-06-2022 07:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order.js

  • Size

    543KB

  • MD5

    7455e47fd3e5f66fc5b6e1807ea0b568

  • SHA1

    f4b3b59f3bc167f56fcf252f725a2b27d40a9de6

  • SHA256

    5ca1451c5426fb3bb6e4394f5e52ee6651683e78aba996da2afd7c4077c8bd9b

  • SHA512

    8488b277dcac7f1e3cc40b3fe292cf07bdbe441ea695afef5d594442bb6529eee40236b977e739613fd993a03d51038328dbe10dfb1958fe0586491f1209bda3

Score
10/10
snakekeyloggervjw0rmcollectionkeyloggerpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5391573401:AAGU5n0aN7puxUq5oVT1MVi83gk5owTXei0/sendMessage?chat_id=1962160861

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 3 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 15 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FuJoSGMkge.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4728
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Tamba.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
        "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:5008

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Tamba.vbs
    Filesize

    251KB

    MD5

    4eb2e71f5af75446efae80ee4457ac16

    SHA1

    22f002cee2b80eef7a4fbe5daa596a6eca5056a2

    SHA256

    82c959dc9c7960278bf6094af37d6fff0387602769202afd496c97835c91c8af

    SHA512

    b1fb12b37ebef5b5955bc932b8bc5f3428d64f8278056a4f4a6569ac2d1716fa0498b69536623914a1d8a3591dc5cf374501c1eff94095975abfaad73d01c984

    Download Submit

  • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
    Filesize

    125KB

    MD5

    8855fe5a81d674f17f378896eb0effc1

    SHA1

    e27c1b5b9f21501cd889c960b16c0951f3204aca

    SHA256

    f11b2c02ce17039f849429b4904c2ec75ad1c6a0b7204c42238df6ae587b4be4

    SHA512

    c3ca4ee469ed41b2f8ab4075fc17f462041fe533dfa175b3c48fd907d6dd0feb5a35657f8780479c5e5498e094ae5b14d31f61fd6a9294b8cae3fc035b996e39

    Download Submit

  • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
    Filesize

    125KB

    MD5

    8855fe5a81d674f17f378896eb0effc1

    SHA1

    e27c1b5b9f21501cd889c960b16c0951f3204aca

    SHA256

    f11b2c02ce17039f849429b4904c2ec75ad1c6a0b7204c42238df6ae587b4be4

    SHA512

    c3ca4ee469ed41b2f8ab4075fc17f462041fe533dfa175b3c48fd907d6dd0feb5a35657f8780479c5e5498e094ae5b14d31f61fd6a9294b8cae3fc035b996e39

    Download Submit

  • C:\Users\Admin\AppData\Roaming\FuJoSGMkge.js
    Filesize

    35KB

    MD5

    afe01f4709bcc51afd50354eaeb32a15

    SHA1

    4bdc7ccc0337f68c7a74661c774f9a2fd4c3a19e

    SHA256

    bd47423ced848fab516ff3d230d35a82a82b17d748bd489e1f25e587e90bbb92

    SHA512

    4d810584b54860361c201327a276d8734fbfcebe64ee42b083b8819067093f25a64aa85991a86b5957496b58b68271a22f12bdd3c11f01b05e11229b08f5417f

    Download Submit

  • memory/2440-131-0x0000000000000000-mapping.dmp

    Download

  • memory/4728-130-0x0000000000000000-mapping.dmp

    Download

  • memory/5008-134-0x0000000000000000-mapping.dmp

    Download

  • memory/5008-137-0x0000000000970000-0x0000000000994000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5008-138-0x0000000005A10000-0x0000000005FB4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5008-139-0x0000000005330000-0x00000000053CC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5008-140-0x00000000067C0000-0x0000000006982000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/5008-141-0x0000000006990000-0x0000000006A22000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5008-142-0x0000000006740000-0x000000000674A000-memory.dmp

    Filesize

    40KB

    Download