General
Target: ORDER SPECIFICATIONS.js
Size: 13KB
Sample: 220627-jb73dabee6
MD5: 5172ae9728cf8fb9710831dfc025d550
SHA1: 935e844e4df5ee8f2278fb4dec87697bba026af0
SHA256: fcc02541670447bb776ede3006c4e76673d9aff32b43cb1aac84be7fabb22e1b
SHA512: 9426c6f8786a0be2b708199059ddcc7c63e8fb0c4fdd70e53bd11e1e227101367b561216fedea28ac67fe714ab8e096c00cb4f241f6d72a3030a0363fad1eff7
Static task: static1
Behavioral task: behavioral1
  Sample: ORDER SPECIFICATIONS.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ORDER SPECIFICATIONS.js
  Resource: win10v2004-20220414-en
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: amanis.xyz
Port: 587
Username: makuku@amanis.xyz
Password: uew393Sk#@
Email To: mykolone19@gmail.com
https://api.telegram.org/bot5196556125:AAHaAuii90DPE7rLAfYKDWEY1kyq32xbZU8/sendMessage?chat_id=1065258767
Targets
Target: ORDER SPECIFICATIONS.js
- Snake Keylogger Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext