General

  • Target

    proforma-565468.js

  • Size

    117KB

  • Sample

    220919-jsn1tsfaf5

  • MD5

    adcf65bb1e34b719258ca08dc0b8041f

  • SHA1

    391c14e68f715031dbff5d70872f92280bdba47f

  • SHA256

    a760f6d045295fd5795e26f029ede0eb40074dba7b5462f94e0b31fbdc399856

  • SHA512

    1fde146f5bb8f1a38b3e4486b5b2510b233363f37193ee64d853bf152c6b6cb18d4349c1b1110dae1a6fbad0bd998cd6d64d0b62be3135c1fc175d7dc7405f91

  • SSDEEP

    3072:Xwvo83p4aVZ8QXRoxt1uIlQ/LHXRRWKN8DRYEFaJsxinoam:Xwvo83+WYr1u6+LBV8DRf4vLm

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5413418879:AAGAIPfyTA90xoGpfgmho11YwulQ18wfiak/sendMessage?chat_id=1351581537

Targets

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks