Analysis
max time kernel: 143s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-06-2023 12:23
Static task: static1
Behavioral task: behavioral1
  Sample: jollykeys2.1.exe
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: jollykeys2.1.exe
  Resource: win10v2004-20230621-en
General
Target: jollykeys2.1.exe
Size: 290KB
MD5: f35c9fa6756cbc5e791367d675cd5791
SHA1: 5c1b25e3eb653e39dff6969ac64b24ebca2646a5
SHA256: b1f7c395aa293abc666ae5548a3d36c683e24917c190bef16f1d11add0cf5fea
SHA512: 199d431ad076528b39d1c37d2bc5cd505de4bf5cf5e953a5075a419fc70c221e897c4e3a4ce389bd2e08e93add10a5979432573cde420adbd8f2aea7267a2797
SSDEEP: 6144:3Ya6U3Pc/eEvhW0ZPmRlfwL8FUq+snr9PAM20OAURe7pfI:3Yi0GEvh0R5BbhBP20OAU4+
Malware Config
Extracted family: netwire
C2 (host:port): rabusk.duckdns.org:1992
activex_autorun: false
copy_executable: false
delete_original: false
host_id: Common
lock_executable: false
offline_keylogger: false
password: golddigger
registry_autorun: false
use_mutex: false
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  4352  yltpnlljea.exe
  852   yltpnlljea.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngmpnjgwgdgcsg = "C:\\Users\\Admin\\AppData\\Roaming\\mkymydmx\\riwagraq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\yltpnlljea.exe\" C:\\Users\\Admin\\AppData\\Loc"
  Process: yltpnlljea.exe

Suspicious use of SetThreadContext (1 IoC)
  Description                          PID   Process         procid_target
  PID 4352 set thread context of 852   4352  yltpnlljea.exe  84

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: MapViewOfSection (1 IoC)
  PID   Process
  4352  yltpnlljea.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Description                         PID   Process            procid_target
  PID 4276 wrote to memory of 4352    4276  jollykeys2.1.exe   83
  PID 4276 wrote to memory of 4352    4276  jollykeys2.1.exe   83
  PID 4276 wrote to memory of 4352    4276  jollykeys2.1.exe   83
  PID 4352 wrote to memory of 852     4352  yltpnlljea.exe     84
  PID 4352 wrote to memory of 852     4352  yltpnlljea.exe     84
  PID 4352 wrote to memory of 852     4352  yltpnlljea.exe     84
  PID 4352 wrote to memory of 852     4352  yltpnlljea.exe     84
Processes

C:\Users\Admin\AppData\Local\Temp\jollykeys2.1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\jollykeys2.1.exe"
  PID: 4276
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe" C:\Users\Admin\AppData\Local\Temp\odjijv.tbg
    PID: 4352
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe"
      PID: 852
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads