Overview

overview

10

Static

static

Documents ...sal.js

windows7_x64

10

Documents ...sal.js

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-06-2022 06:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documents for your perusal.js

  • Size

    290KB

  • MD5

    aea6c9f795a0d2d9b3c04607264089db

  • SHA1

    12a0f096bb384a03a948d81ac40bf8acc5a51549

  • SHA256

    b4c23e9ce7984024ba96876bdb1b68b13b41ca70f77efab5e157c8ce130edd39

  • SHA512

    83201ec2c617e24edaccd3c9cde0486187ca0880bbea8fba95974ef386275d52c33564571d3f231e6ea750be33bc60c12fac2f0a9927f613f9a09e4224625338

Score
10/10
snakekeyloggervjw0rmcollectionkeyloggerpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

snakekeylogger

Credentials
C2

https://api.telegram.org/bot5463029534:AAGQ1do_-JYjhQ1yKKugHhT9LGbrpA7291Y/sendMessage?chat_id=1604450602

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 3 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 13 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lqJNbTkidY.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1616
    • C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe
      "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1248

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe
    Filesize

    126KB

    MD5

    af90c0480c35c4e2aeb47e16794da0ee

    SHA1

    916ce4839b204a9da2905ce4ac83c2cd04f983a0

    SHA256

    036915c768b87a03cb7133a3099ceaf9172fe11d49345bf8a4efe7583f35e586

    SHA512

    aa1ee2015c874c06af0d759924dcb65e8d68a4112d89efebf88afd6ff7ba324b6982cc599affd7506d56288993b940bb07a626fb0b14b63d8e7e3ad584764d9c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe
    Filesize

    126KB

    MD5

    af90c0480c35c4e2aeb47e16794da0ee

    SHA1

    916ce4839b204a9da2905ce4ac83c2cd04f983a0

    SHA256

    036915c768b87a03cb7133a3099ceaf9172fe11d49345bf8a4efe7583f35e586

    SHA512

    aa1ee2015c874c06af0d759924dcb65e8d68a4112d89efebf88afd6ff7ba324b6982cc599affd7506d56288993b940bb07a626fb0b14b63d8e7e3ad584764d9c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\lqJNbTkidY.js
    Filesize

    24KB

    MD5

    acb8a6b6b7572ea81759a59fc9f3dfbd

    SHA1

    daf92ab556c9f9c19605c128ff16222fd77ac491

    SHA256

    e523e1d6b4f5480535791c7eed1764cc84b2ad631b396a834b21ab38680e6bf9

    SHA512

    96c85c9d0372b1817e81e4553cf40d43f8e393936e69f76f3a0d2fb7d85a1162e701f49f2a7f8e6b782ddff4be8b166cf4a3e305476ae96f42bcc81a8058422c

    Download Submit
  • memory/1248-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1248-61-0x0000000000910000-0x0000000000936000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1248-62-0x0000000075191000-0x0000000075193000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1616-55-0x0000000000000000-mapping.dmp
    Download
  • memory/2016-54-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp
    Filesize

    8KB

    Download