Overview

overview

10

Static

static

Documents ...sal.js

windows7_x64

10

Documents ...sal.js

windows10-2004_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16-06-2022 06:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documents for your perusal.js

  • Size

    290KB

  • MD5

    aea6c9f795a0d2d9b3c04607264089db

  • SHA1

    12a0f096bb384a03a948d81ac40bf8acc5a51549

  • SHA256

    b4c23e9ce7984024ba96876bdb1b68b13b41ca70f77efab5e157c8ce130edd39

  • SHA512

    83201ec2c617e24edaccd3c9cde0486187ca0880bbea8fba95974ef386275d52c33564571d3f231e6ea750be33bc60c12fac2f0a9927f613f9a09e4224625338

Score
10/10
snakekeyloggervjw0rmkeyloggerpersistencestealertrojanworm

Malware Config

Extracted

Family

snakekeylogger

Credentials
C2

https://api.telegram.org/bot5463029534:AAGQ1do_-JYjhQ1yKKugHhT9LGbrpA7291Y/sendMessage?chat_id=1604450602

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 3 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3864
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lqJNbTkidY.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1848
    • C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe
      "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2056
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1576
        3⤵
        • Program crash
        PID:5024
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2056 -ip 2056
    1⤵
      PID:1504

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe
      Filesize

      126KB

      MD5

      af90c0480c35c4e2aeb47e16794da0ee

      SHA1

      916ce4839b204a9da2905ce4ac83c2cd04f983a0

      SHA256

      036915c768b87a03cb7133a3099ceaf9172fe11d49345bf8a4efe7583f35e586

      SHA512

      aa1ee2015c874c06af0d759924dcb65e8d68a4112d89efebf88afd6ff7ba324b6982cc599affd7506d56288993b940bb07a626fb0b14b63d8e7e3ad584764d9c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe
      Filesize

      126KB

      MD5

      af90c0480c35c4e2aeb47e16794da0ee

      SHA1

      916ce4839b204a9da2905ce4ac83c2cd04f983a0

      SHA256

      036915c768b87a03cb7133a3099ceaf9172fe11d49345bf8a4efe7583f35e586

      SHA512

      aa1ee2015c874c06af0d759924dcb65e8d68a4112d89efebf88afd6ff7ba324b6982cc599affd7506d56288993b940bb07a626fb0b14b63d8e7e3ad584764d9c

      Download Submit
    • C:\Users\Admin\AppData\Roaming\lqJNbTkidY.js
      Filesize

      24KB

      MD5

      acb8a6b6b7572ea81759a59fc9f3dfbd

      SHA1

      daf92ab556c9f9c19605c128ff16222fd77ac491

      SHA256

      e523e1d6b4f5480535791c7eed1764cc84b2ad631b396a834b21ab38680e6bf9

      SHA512

      96c85c9d0372b1817e81e4553cf40d43f8e393936e69f76f3a0d2fb7d85a1162e701f49f2a7f8e6b782ddff4be8b166cf4a3e305476ae96f42bcc81a8058422c

      Download Submit
    • memory/1848-130-0x0000000000000000-mapping.dmp
      Download
    • memory/2056-132-0x0000000000000000-mapping.dmp
      Download
    • memory/2056-135-0x0000000000010000-0x0000000000036000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2056-136-0x0000000004F70000-0x0000000005514000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2056-137-0x0000000004A60000-0x0000000004AFC000-memory.dmp
      Filesize

      624KB

      Download