Overview

overview

10

Static

static

AWB15062022.js

windows7_x64

10

AWB15062022.js

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-06-2022 06:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AWB15062022.js

  • Size

    512KB

  • MD5

    7e151e208de35b5a41db278b3cf0c5b3

  • SHA1

    65f43e422b7eb98d7ec4ba37b259d05c1a2d8f4b

  • SHA256

    c5c7f846d0827315b9b120e873703cf986109ddffc986387fc66e32e6c0e5534

  • SHA512

    04b1d02fb14ec2c8011e4fc42e53cead12d6acddb8fb856b8367fa83ee5d3481898a26020255562133a37f8d7c6a232b20247b980f84310dbd105a23788d6dd4

Score
10/10
snakekeyloggervjw0rmcollectionkeyloggerpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5391573401:AAGU5n0aN7puxUq5oVT1MVi83gk5owTXei0/sendMessage?chat_id=1962160861

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 3 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 15 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB15062022.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QKNyvYIQHA.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:940
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\AWB15062022.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
        "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1800

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AWB15062022.vbs
    Filesize

    251KB

    MD5

    4eb2e71f5af75446efae80ee4457ac16

    SHA1

    22f002cee2b80eef7a4fbe5daa596a6eca5056a2

    SHA256

    82c959dc9c7960278bf6094af37d6fff0387602769202afd496c97835c91c8af

    SHA512

    b1fb12b37ebef5b5955bc932b8bc5f3428d64f8278056a4f4a6569ac2d1716fa0498b69536623914a1d8a3591dc5cf374501c1eff94095975abfaad73d01c984

    Download Submit
  • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
    Filesize

    125KB

    MD5

    8855fe5a81d674f17f378896eb0effc1

    SHA1

    e27c1b5b9f21501cd889c960b16c0951f3204aca

    SHA256

    f11b2c02ce17039f849429b4904c2ec75ad1c6a0b7204c42238df6ae587b4be4

    SHA512

    c3ca4ee469ed41b2f8ab4075fc17f462041fe533dfa175b3c48fd907d6dd0feb5a35657f8780479c5e5498e094ae5b14d31f61fd6a9294b8cae3fc035b996e39

    Download Submit
  • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
    Filesize

    125KB

    MD5

    8855fe5a81d674f17f378896eb0effc1

    SHA1

    e27c1b5b9f21501cd889c960b16c0951f3204aca

    SHA256

    f11b2c02ce17039f849429b4904c2ec75ad1c6a0b7204c42238df6ae587b4be4

    SHA512

    c3ca4ee469ed41b2f8ab4075fc17f462041fe533dfa175b3c48fd907d6dd0feb5a35657f8780479c5e5498e094ae5b14d31f61fd6a9294b8cae3fc035b996e39

    Download Submit
  • C:\Users\Admin\AppData\Roaming\QKNyvYIQHA.js
    Filesize

    24KB

    MD5

    7379d86ded0c9249110530cdb1d3a009

    SHA1

    bfb440be5ce783cf0666fa2e7261181a048f4204

    SHA256

    d2e1e531bf52550f5bf876ed5a87dbfaeb8a652c3fac0f8372bfbe9bd0bb9681

    SHA512

    69c350f81d6399d198a6d071153ec0187c492c541e3b9faa0b0e94dc748d74cede4deed08e9175d0eb77f9c22cee59d93d63d963411937fb1b7e50bd4fa9c762

    Download Submit
  • memory/940-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1052-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1504-54-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1800-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1800-64-0x0000000000AB0000-0x0000000000AD4000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1800-65-0x0000000075271000-0x0000000075273000-memory.dmp
    Filesize

    8KB

    Download