Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 23-10-2023 18:34
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe
- Size: 328KB
- MD5: ff81a14b73d0578f174ac77fda9afd59
- SHA1: d6a94b13cd5bbc2bf9c611ef22420dc3310535f9
- SHA256: d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0
- SHA512: be966461531bd09f896357357bc5345dfc9d6237ab578a3c866e308b749410530bdef06a1fe4de81736149e2e381924954a534b86a23075f7962fc725c0d3426
- SSDEEP: 6144:UnPdudwD/EVDiMyfb+hYffxzElzvWVI9SrSLi1pS8Jqzrbh77f9U+:UnPdLbnb+OffpTI9xOqzJ39R
Malware Config
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (6 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1996-11-0x0000000000400000-0x0000000000437000-memory.dmp  family_snakekeylogger
  behavioral1/memory/1996-14-0x0000000000400000-0x0000000000437000-memory.dmp  family_snakekeylogger
  behavioral1/memory/1996-16-0x0000000000400000-0x0000000000437000-memory.dmp  family_snakekeylogger
  behavioral1/memory/1996-19-0x0000000001EE0000-0x0000000001F20000-memory.dmp  family_snakekeylogger
  behavioral1/memory/1996-17-0x00000000002A0000-0x00000000002C4000-memory.dmp  family_snakekeylogger
  behavioral1/memory/1996-22-0x0000000000400000-0x0000000000437000-memory.dmp  family_snakekeylogger
- Executes dropped EXE (2 IoCs)
  Processes:
  pid   process
  1528  ljkycg.exe
  1996  ljkycg.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid   process
  2872  NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe
  1528  ljkycg.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
  description  ioc                                                                                                                                                                              process
  Key opened   \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  ljkycg.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                    ljkycg.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                    ljkycg.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description      ioc                                                                                                                                                                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\yyueenjjsoxxhc = "C:\\Users\\Admin\\AppData\\Roaming\\uqaajffoxxtdd\\xhhqmvvfbbkggp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ljkycg.exe\" "  ljkycg.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  2     checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                              pid   process     target process
  PID 1528 set thread context of 1996      1528  ljkycg.exe  ljkycg.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  1996  ljkycg.exe
  1996  ljkycg.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid   process
  1528  ljkycg.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   1996  ljkycg.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                        pid   process                                                                               target process
  PID 2872 wrote to memory of 1528   2872  NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe  ljkycg.exe
  PID 2872 wrote to memory of 1528   2872  NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe  ljkycg.exe
  PID 2872 wrote to memory of 1528   2872  NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe  ljkycg.exe
  PID 2872 wrote to memory of 1528   2872  NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe  ljkycg.exe
  PID 1528 wrote to memory of 1996   1528  ljkycg.exe                                                                            ljkycg.exe
  PID 1528 wrote to memory of 1996   1528  ljkycg.exe                                                                            ljkycg.exe
  PID 1528 wrote to memory of 1996   1528  ljkycg.exe                                                                            ljkycg.exe
  PID 1528 wrote to memory of 1996   1528  ljkycg.exe                                                                            ljkycg.exe
  PID 1528 wrote to memory of 1996   1528  ljkycg.exe                                                                            ljkycg.exe
- outlook_office_path (1 IoCs)
  Processes:
  description  ioc                                                                                                                                                   process
  Key opened   \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  ljkycg.exe
- outlook_win_path (1 IoCs)
  Processes:
  description  ioc                                                                                                                                                                              process
  Key opened   \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  ljkycg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2872
  - C:\Users\Admin\AppData\Local\Temp\ljkycg.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ljkycg.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 1528
    - C:\Users\Admin\AppData\Local\Temp\ljkycg.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ljkycg.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
      PID: 1996
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 223KB
  MD5: 55064cc77a862a8c6a684e3895e199d4
  SHA1: f8f24a4c758e5d40cebd79810f7f55a2f32f0bf0
  SHA256: ab5cf8775675995721a3c974e6e819ae3a52410b06dc214a845a1037980660d8
  SHA512: abd7b44ff47ddfa5dd1909bad51df25377220fff0457771a92b6afe4c0cb7082493af91854859d0dd87ce86a59e04bb4afaaf3c65261bb00f092b6f847e2b6d5
- Filesize: 172KB
  MD5: 8827d213de99bdc80c49b0c89ed1dd2c
  SHA1: ef12d6bfd1ee8b5e03e35209fef52e6a001aab4c
  SHA256: 9c994eb7e25b6feba0696c7fce821540a3af55e7231659806ee9b8ebc68755d5
  SHA512: f52d03d982e4ea04d5d049677805f9093c3a476bb76455a243aea46994278bf52dc2515df510681384fe899a0b4a040c576343737e566bd5d67173ace98d9b53