Overview

overview

10

Static

static

AWB15062022.js

windows7_x64

10

AWB15062022.js

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16-06-2022 06:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AWB15062022.js

  • Size

    512KB

  • MD5

    7e151e208de35b5a41db278b3cf0c5b3

  • SHA1

    65f43e422b7eb98d7ec4ba37b259d05c1a2d8f4b

  • SHA256

    c5c7f846d0827315b9b120e873703cf986109ddffc986387fc66e32e6c0e5534

  • SHA512

    04b1d02fb14ec2c8011e4fc42e53cead12d6acddb8fb856b8367fa83ee5d3481898a26020255562133a37f8d7c6a232b20247b980f84310dbd105a23788d6dd4

Score
10/10
snakekeyloggervjw0rmcollectionkeyloggerpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5391573401:AAGU5n0aN7puxUq5oVT1MVi83gk5owTXei0/sendMessage?chat_id=1962160861

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 3 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 16 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB15062022.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QKNyvYIQHA.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:2200
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\AWB15062022.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
        "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AWB15062022.vbs
    Filesize

    251KB

    MD5

    4eb2e71f5af75446efae80ee4457ac16

    SHA1

    22f002cee2b80eef7a4fbe5daa596a6eca5056a2

    SHA256

    82c959dc9c7960278bf6094af37d6fff0387602769202afd496c97835c91c8af

    SHA512

    b1fb12b37ebef5b5955bc932b8bc5f3428d64f8278056a4f4a6569ac2d1716fa0498b69536623914a1d8a3591dc5cf374501c1eff94095975abfaad73d01c984

    Download Submit
  • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
    Filesize

    125KB

    MD5

    8855fe5a81d674f17f378896eb0effc1

    SHA1

    e27c1b5b9f21501cd889c960b16c0951f3204aca

    SHA256

    f11b2c02ce17039f849429b4904c2ec75ad1c6a0b7204c42238df6ae587b4be4

    SHA512

    c3ca4ee469ed41b2f8ab4075fc17f462041fe533dfa175b3c48fd907d6dd0feb5a35657f8780479c5e5498e094ae5b14d31f61fd6a9294b8cae3fc035b996e39

    Download Submit
  • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
    Filesize

    125KB

    MD5

    8855fe5a81d674f17f378896eb0effc1

    SHA1

    e27c1b5b9f21501cd889c960b16c0951f3204aca

    SHA256

    f11b2c02ce17039f849429b4904c2ec75ad1c6a0b7204c42238df6ae587b4be4

    SHA512

    c3ca4ee469ed41b2f8ab4075fc17f462041fe533dfa175b3c48fd907d6dd0feb5a35657f8780479c5e5498e094ae5b14d31f61fd6a9294b8cae3fc035b996e39

    Download Submit
  • C:\Users\Admin\AppData\Roaming\QKNyvYIQHA.js
    Filesize

    24KB

    MD5

    7379d86ded0c9249110530cdb1d3a009

    SHA1

    bfb440be5ce783cf0666fa2e7261181a048f4204

    SHA256

    d2e1e531bf52550f5bf876ed5a87dbfaeb8a652c3fac0f8372bfbe9bd0bb9681

    SHA512

    69c350f81d6399d198a6d071153ec0187c492c541e3b9faa0b0e94dc748d74cede4deed08e9175d0eb77f9c22cee59d93d63d963411937fb1b7e50bd4fa9c762

    Download Submit
  • memory/2200-130-0x0000000000000000-mapping.dmp
    Download
  • memory/3024-134-0x0000000000000000-mapping.dmp
    Download
  • memory/3024-137-0x00000000009F0000-0x0000000000A14000-memory.dmp
    Filesize

    144KB

    Download
  • memory/3024-138-0x00000000059D0000-0x0000000005F74000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3024-139-0x0000000005420000-0x00000000054BC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3024-140-0x0000000006840000-0x0000000006A02000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3024-141-0x0000000006A10000-0x0000000006AA2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3024-142-0x00000000067C0000-0x00000000067CA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4672-131-0x0000000000000000-mapping.dmp
    Download