Analysis
- max time kernel: 117s
- max time network: 132s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 10-10-2023 21:46
Static task: static1
Behavioral task: behavioral1
- Sample: 085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: 085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe
- Size: 304KB
- MD5: 018ccb52b75e10cd4a45aa22aa7b2342
- SHA1: 7f0033b4a3958e14d1959555bbfbd58e667d460b
- SHA256: 085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4
- SHA512: 13497efa83635329a0381f5e447bd47bd29bf7d1634c3909cb0537148d54e348c1455faa6b0246365d165eb1626a65a21acd410d70309ba40bfd6f73ef4c1e8f
- SSDEEP: 6144:hnPdudwDvX6XTt3LWygobl2qgZbyWI2ku6nQ+i1ic3OYBsXA7L:hnPdj6ZKygjq0IZnK1wYMy
Malware Config
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (8 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1708-11-0x0000000000400000-0x0000000000437000-memory.dmp  family_snakekeylogger
  - behavioral1/memory/1708-15-0x0000000000400000-0x0000000000437000-memory.dmp  family_snakekeylogger
  - behavioral1/memory/1708-16-0x0000000000400000-0x0000000000437000-memory.dmp  family_snakekeylogger
  - behavioral1/memory/1708-18-0x0000000000940000-0x0000000000980000-memory.dmp  family_snakekeylogger
  - behavioral1/memory/1708-19-0x00000000003D0000-0x00000000003F4000-memory.dmp  family_snakekeylogger
  - behavioral1/memory/1708-20-0x0000000000940000-0x0000000000980000-memory.dmp  family_snakekeylogger
  - behavioral1/memory/1708-21-0x0000000000940000-0x0000000000980000-memory.dmp  family_snakekeylogger
  - behavioral1/memory/1708-23-0x0000000000400000-0x0000000000437000-memory.dmp  family_snakekeylogger
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 2696  rjxul.exe
  - 1708  rjxul.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  - 2420  085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe
  - 2696  rjxul.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  - Key opened  \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rjxul.exe
  - Key opened  \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rjxul.exe
  - Key opened  \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rjxul.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Set value (str)  \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\ooxhhclluq = "C:\\Users\\Admin\\AppData\\Roaming\\bkkg\\ppyueenjjs.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rjxul.exe\" "  rjxul.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - 4  checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 2696 set thread context of 1708  2696  rjxul.exe  rjxul.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 1708  rjxul.exe
  - 1708  rjxul.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid / process):
  - 2696  rjxul.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege  1708  rjxul.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  - PID 2420 wrote to memory of 2696  2420  085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe  rjxul.exe
  - PID 2420 wrote to memory of 2696  2420  085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe  rjxul.exe
  - PID 2420 wrote to memory of 2696  2420  085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe  rjxul.exe
  - PID 2420 wrote to memory of 2696  2420  085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe  rjxul.exe
  - PID 2696 wrote to memory of 1708  2696  rjxul.exe  rjxul.exe
  - PID 2696 wrote to memory of 1708  2696  rjxul.exe  rjxul.exe
  - PID 2696 wrote to memory of 1708  2696  rjxul.exe  rjxul.exe
  - PID 2696 wrote to memory of 1708  2696  rjxul.exe  rjxul.exe
  - PID 2696 wrote to memory of 1708  2696  rjxul.exe  rjxul.exe
- outlook_office_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened  \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rjxul.exe
- outlook_win_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened  \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rjxul.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe"
  PID: 2420
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\rjxul.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rjxul.exe"
    PID: 2696
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\rjxul.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rjxul.exe"
      PID: 1708
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 223KB
  MD5: 7d27db2a5bfe2a656deb5c058c11e895
  SHA1: a984084e6c172afe7e74e1aad336da5e18d1f6ca
  SHA256: 18a3419e49235789b45d28cd7c237f0ed01b951d59be06d69be7b2885b39df3e
  SHA512: a2faaf0c5f76a36c46cfd4b044d01d6310d30bdd34ec87737efd3612461df2356a641b296abfb04b8f1a734a1269cc66fe01fc5c04ad7ec943cf034ce6e39526
- Filesize: 179KB
  MD5: f349989874895162828483b02560076a
  SHA1: 65511ebe6f6d198644015e8dc381c4f4ee2ee850
  SHA256: dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f
  SHA512: 7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401