Analysis
-
max time kernel
132s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
03-10-2023 13:58
General
-
Target
12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe
-
Size
731KB
-
MD5
3024f8b8500d2629b5d934d0ef334efb
-
SHA1
d2013e0488e50fe9039986129e46725c2353e0a7
-
SHA256
12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31
-
SHA512
b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998
-
SSDEEP
12288:JqH3dU+ta6byR6WYlvZja6+hpKo8sRexHyoRwMt7zANdi:etU+YxYtARN6wUK0
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.gkas.com.tr - Port:
587 - Username:
[email protected] - Password:
Gkasteknik@2022
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 3 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe"C:\Users\Admin\AppData\Local\Temp\12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD115.tmp.bat""2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.05⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2520 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
6Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD55c747c374fb8163c768e2d1e9f8d0bb5
SHA15b7dcf4f002ce0cafc0f1c8d819447a973231d5b
SHA2564998566f9222f389addee90929c9711241447f4cb600e3bdbb979fbbf6d1e280
SHA512eda242939cda58be07e457668325a6823c5312d88e677aa570793c5f78084f1f26d2611af4961771f06a677041a03320d2a6ce6e575d52a2faac55721f476423
-
Filesize
344B
MD5dea857cd35ed7911faf2eb1f3a435bca
SHA16654d89663c05056bf31442343083421c7a6ad21
SHA25642b3eef6605dd496bc0c3a554988bd66a17a9b89365a69e54090a168f26d14a8
SHA51201fa36ef9258cd7bedefa9dc5125811056a658e132c80ea1ed0ff7f45e28d8ff68f19fe642286d5ec3ba9fcc205a1536c8c2320af3f804b53c5b98ba02d8b473
-
Filesize
344B
MD5f7849a09418f04432c15bfd27c01ebe7
SHA1b5dc444daac2e5e682e67474680296ca114b3c69
SHA2563e3204ff0b228cb5e70c1db14b7c06b1e4cad1a8e4ed2dfe271bdaf35bafc0c2
SHA5125af31fff82956ad4e189af64ae8aa331ec8b8acad310d4780f4a79a1182c1038800176492eea11d255f5f3339eb8fda08d1387805590e103a910991402947cfe
-
Filesize
344B
MD5d0d2cd691b66e3e197c2fd8f29952b76
SHA1848625ae94f6d99c4f366682832f3b0038ec0824
SHA2567f89528199fe2db735392c8470a5f9da6693c5be4151c386f13ac2b9063de30c
SHA5128b64b921ed9f84d657998df037dc5b112dcd3f19f756210bb0ff8968365e1987c3e338e103639893dd1b852baae3b4e0bb0098e06b8f867fc0ab1153c1c4c43c
-
Filesize
344B
MD5dd90c099961d20ebbc5a2f566564571b
SHA16f793c4854816aa32c185b186ee57e6ae5c9eb88
SHA256b4c166c53e695b788bcd7183dc7222a0de685c586956d7a1d209559d63dc0b68
SHA512d8747961c5d96690ab7c9afb9ab432f80262544e142a39dbc5f73c9faff93cf7e39fa1ec049ea9b6f6c0c061ffdfb6edab4f9e121feb14d6b62efa7ca0d6a2ac
-
Filesize
344B
MD54859abd36dab096c32ab4f52c363744a
SHA1f7829292a3040d354dc73e0119cd0882f5835490
SHA256de30a2ec9816de301b8f020fbfd8f208322df94d903a3195051c8df7afdd2c6f
SHA5128017dcb2f8187a6efaaf27630082fa6528eea3a57f2805d2cfeafc710c916064dfb1e3c22e72b25e3f7be5b79cc502c54a6aa0e27474381a9eab7b462851f510
-
Filesize
344B
MD5d1af783e54a8e5c3311928ba4845b675
SHA1b35d22059f31ce60aba07f89fa265a6f4ce7948a
SHA256d632d38e73696aed302884fbcb411507e3e715303e70e3522fc4788dd2aa61be
SHA5129625aa81015150f93295f7d7c81acf750e9ba61b8dfdb85957579ea3be7af2a268c7532d10a18221507161afbe5414914450f73fc4c5b9cc794a79df29e8d438
-
Filesize
344B
MD5d416805791ee5cf6fcf5314ceb4757a5
SHA1ea2bdf352b33fc4a7884f4db89e5e3e4ad1d7b7e
SHA25648cc5c805f6cbcd830298fa45b9ec3b8cd60961ad6f9ac63f3866f518a24bedc
SHA512d19a930cd93eadd655742efca1bfa841da426d3f39f975b4650eae8de2e9d55f6dfd57e55322787647e3a7afec56992923d98f2e62493171441bb5e13dd1e63c
-
Filesize
344B
MD5bc071a650121c94c14fa3ce8cbf15dde
SHA12319823c8a524d4bc55be752cb2e3c9177cdb152
SHA256e367c153279b09cc8054b8899a86ccc91060374ab657f858e02ec221be1abecb
SHA512e453fe3c03b0e5c7795ad79b99752e79f4d61addeac9c283f76c9c84d0d800d9ff173e62a514e9921a5702256a767647cd879043bc8486d7dbff9a9805a0c305
-
Filesize
344B
MD5d90ca5321433fda699f1ad436fc992b4
SHA17bd34d0e9d97df2d8f274f1a4a62f30bfb44bbc1
SHA256e28b49e45422dd185d2476e64faed3c2cbdcb886a56b42c614e911dec3956983
SHA5129602868bc76aa870724dbfa8418c43d0fbc220f80a5b6687e7ea27ac48a8f4557f7515bed1f6538c4996498ffa9e5672cca753ffa7dd14a7df6478b3760e5e9a
-
Filesize
344B
MD5a43b1e5d144459bb0ccad76b68f7f3ef
SHA1740306bac8460b90c0756b7e37f0d7243b2189e0
SHA2563b8b4138c5ff0c080b923ca9b8c7f23cd0b3415ec9167ddae3d19ea6d60922b0
SHA5120f812cb81fe16862ed2724466aa0ca306865c82eeda2e0eb6f10e0ba05f32698e6767e34b222c36741644ed70f18730c7a0e68e3fe42e22c4fc3f2b2ecef4bf9
-
Filesize
344B
MD51943902473a3b882e48f29e6b1c30546
SHA1f01f073d3c007c1f7dd7aaa912b8f07425becde5
SHA256005ad0a3910a49ef610bfe1100e5f7f6b2e7b5a960c02a9c7ae5853536d9917b
SHA5120c3bfa535be0bde67bad176e9be64735f725e93fedc4bb1c16aaaea52ee382e7f5e742c3eb9c9600602c64e9647af3768fac74ca1deb00c79bc1fe71e544db86
-
Filesize
344B
MD59de7ce2fc209e130a3f76004d5995318
SHA192b79846d697e43fe0059eeb8f4a4d5fe2a0a1d1
SHA2565d45b07219048916ed116b4a24da756976bb15ea58ac6f21eb20d228cafd385d
SHA51246cccb369ec3c17083f7cb509ac05208cfe44cc396e955a431b5481f2a58717260824dbbad774354a5dc3c32cd9e2b1c03acac4d8e65ce38ac9672fb6a0d171e
-
Filesize
344B
MD5a9ebc730d6a66a8f3e615dd1cb2ce473
SHA18fdcfe503383f81c21f22793c42c13bb7d0b32bf
SHA2561abf1297f3f0f3af1233e349534b57e915207af527854b77f6af8e3618bf784f
SHA512e0c1ea720bb5e0a2e52bb727aa99075cbea01c7f2446ee47cbb896ca6a8a1c8bda89d2d18afb2d6de352262024ef8bc6562aee8cab53dec933f3a8a6092f23f7
-
Filesize
344B
MD5b9004441f2bb520c03bbcda4ffe958d5
SHA1607db60d71518a3dda7b1c495ee04648013edd16
SHA256761348c91c75e5babe96d26c9344fec06afbc2069e7457ea1f4cb6aca10d1c6a
SHA512bc6b379d7e10071653315e81b80d3be6ceb7276e6548510e87ecf172ef3f60bd4b7992a2409e5dcdfa478a1ea8c0b522f1a5af08e2abf1697e94e2527ce14df9
-
Filesize
344B
MD537c9b7a461879a23971d8368fc52831f
SHA1cd3a197e062e8fdf1766ea6947b3ca518a16f5af
SHA2566888f5df0d997c8b7bd7e380e67329635dcdfa84547ee5b0230176c38ac4223e
SHA5123b45284c6a6561a701efebb70512962fdbd2d60c498faf213f379ba56c54397b086b7380b6da71fbc9c71c527db6c71a027cb5f2b66c837eaf59fcd348a18a54
-
Filesize
344B
MD5605a11a3c41c933509333e0df1e84082
SHA1ecbff21f565cb8b1d59e671d7e9b6c2a06701429
SHA256d9f93daa2d9b40d3642a1ccf083f5b2cc882444955d2629d9f0de41c2e6d5018
SHA512cf49739c8c460c881fe938dc24ea3bd982598c20184b002e6659b25a5db762191624da6fda56ba29398559e38efae55419017a59d6bd000e99dae1a004762199
-
Filesize
344B
MD5bf7b06cbafd91d2ff5e9aff97b90dd0e
SHA13412d7ca293917f3860f1a7e65520b66489a0fd1
SHA25686e1787a74664e4fa9a67e7f5e6b83e290b006193b0892f5ae7c74fb92ea874e
SHA512fc7891f90dc41d1eef48e81a10c2d848d8dd57e7e0833b5d1749277d5ae77a82892a94f6fc9d50dc34ab61f5917c0d22055890693877d2088b8809046ca75d89
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
151B
MD506958f9a52f43dab2037d787f901e5f1
SHA1543de07beecdce3b6bc4ab8b9a3a7c9c37a30c99
SHA2563d825857ca2448975484bcc6e3497b38c32251b06160fb10f9ad010ecc543aee
SHA51250021a6d0c8772fc8ed89aab18d00613eef835373bfe668d4d50a04a05e1eae1812ceb8d557a21b55854b32822af6e7d037410723d2bb3a5481d8e1bad054e85
-
Filesize
151B
MD506958f9a52f43dab2037d787f901e5f1
SHA1543de07beecdce3b6bc4ab8b9a3a7c9c37a30c99
SHA2563d825857ca2448975484bcc6e3497b38c32251b06160fb10f9ad010ecc543aee
SHA51250021a6d0c8772fc8ed89aab18d00613eef835373bfe668d4d50a04a05e1eae1812ceb8d557a21b55854b32822af6e7d037410723d2bb3a5481d8e1bad054e85
-
Filesize
731KB
MD53024f8b8500d2629b5d934d0ef334efb
SHA1d2013e0488e50fe9039986129e46725c2353e0a7
SHA25612a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31
SHA512b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998
-
Filesize
731KB
MD53024f8b8500d2629b5d934d0ef334efb
SHA1d2013e0488e50fe9039986129e46725c2353e0a7
SHA25612a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31
SHA512b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998
-
Filesize
731KB
MD53024f8b8500d2629b5d934d0ef334efb
SHA1d2013e0488e50fe9039986129e46725c2353e0a7
SHA25612a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31
SHA512b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
104KB
-
Filesize
328KB
-
Filesize
256KB
-
Filesize
752KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
752KB
-
Filesize
6.9MB
-
Filesize
104KB
-
Filesize
328KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB