Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/08/2023, 08:47
Static task: static1
Behavioral task: behavioral1
- Sample: Gjvdnpikd.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: Gjvdnpikd.exe
- Resource: win10v2004-20230703-en
General
- Target: Gjvdnpikd.exe
- Size: 10KB
- MD5: f7707dc68ef0113a7089fcbfb241f6b4
- SHA1: bb82cb1fe49e8e699f2bc7a9eaa56d959f1e9c0a
- SHA256: c9ab09547338e5fabc9a5389c098597734e14e00da6f455d106c813177fce35e
- SHA512: dcba265d599a693c9a5546db4a9fd57f3c42e94dc8f7fed7f8f7c17d371fafec2bd6e0c875b80acd727cd14c96707f6403fb9226553c5ff66576f5428e34ec72
- SSDEEP: 192:n4TPB64dwfHjA7MdRhrN47cZnSD4cli/dq:42fM7MdR8AVSLlil
Malware Config
- Extracted: snakekeylogger
  https://api.telegram.org/bot6131487156:AAFzpoRUv23HSoE57FgrwPQiVuiha1F8Pcs/sendMessage?chat_id=6373691592
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  resource: behavioral2/memory/1776-1220-0x0000000140000000-0x0000000140022000-memory.dmp
  yara_rule: family_snakekeylogger
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eeeeeee = "C:\\Users\\Admin\\AppData\\Roaming\\eeeeeee.exe"
  Process: Gjvdnpikd.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 58
  ioc: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2828 set thread context of 1776
  pid: 2828
  Process: Gjvdnpikd.exe
  procid_target: 96
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 1776, Process: MSBuild.exe
  pid: 1776, Process: MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege, pid: 2828, Process: Gjvdnpikd.exe
  description: Token: SeDebugPrivilege, pid: 1776, Process: MSBuild.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 2828 wrote to memory of 1776, pid: 2828, Process: Gjvdnpikd.exe, procid_target: 96 (6 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Gjvdnpikd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Gjvdnpikd.exe"
  PID: 2828
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    PID: 1776
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken