Analysis

max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-10-2023 18:34

Static task: static1

Behavioral task: behavioral1
Sample: NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe
Resource: win10v2004-20231020-en

General

Target: NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe
Size: 328KB
MD5: ff81a14b73d0578f174ac77fda9afd59
SHA1: d6a94b13cd5bbc2bf9c611ef22420dc3310535f9
SHA256: d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0
SHA512: be966461531bd09f896357357bc5345dfc9d6237ab578a3c866e308b749410530bdef06a1fe4de81736149e2e381924954a534b86a23075f7962fc725c0d3426
SSDEEP: 6144:UnPdudwD/EVDiMyfb+hYffxzElzvWVI9SrSLi1pS8Jqzrbh77f9U+:UnPdLbnb+OffpTI9xOqzJ39R
Malware Config
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (6 IoCs)
resource | yara_rule
behavioral2/memory/3996-8-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
behavioral2/memory/3996-10-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
behavioral2/memory/3996-11-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
behavioral2/memory/3996-13-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
behavioral2/memory/3996-14-0x0000000002C00000-0x0000000002C24000-memory.dmp | family_snakekeylogger
behavioral2/memory/3996-27-0x0000000002F80000-0x0000000002F90000-memory.dmp | family_snakekeylogger

Executes dropped EXE (2 IoCs)
pid | process
3848 | ljkycg.exe
3996 | ljkycg.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ljkycg.exe
Key opened | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ljkycg.exe
Key opened | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ljkycg.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yyueenjjsoxxhc = "C:\\Users\\Admin\\AppData\\Roaming\\uqaajffoxxtdd\\xhhqmvvfbbkggp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ljkycg.exe\" " | ljkycg.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
28 | checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 3848 set thread context of 3996 | 3848 | ljkycg.exe | ljkycg.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
3996 | ljkycg.exe
3996 | ljkycg.exe

Suspicious behavior: MapViewOfSection (1 IoC)
pid | process
3848 | ljkycg.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 3996 | ljkycg.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | process | target process
PID 2812 wrote to memory of 3848 | 2812 | NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe | ljkycg.exe (recorded 3 times)
PID 3848 wrote to memory of 3996 | 3848 | ljkycg.exe | ljkycg.exe (recorded 4 times)

outlook_office_path (1 IoC)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ljkycg.exe

outlook_win_path (1 IoC)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ljkycg.exe
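The two registry behaviours in the signature table (the Run value written by ljkycg.exe, whose launcher sits under AppData\Roaming and is handed the dropper's Temp path as a quoted argument, and the Outlook profile keys opened by the same image) can be turned into a small triage check. The Python below is an added example and is not Tria.ge code: the sample Run values and "Key opened" events are constructed from the report's IoCs plus benign controls, and the OUTLOOK_READERS allowlist is an assumption rather than something the report states.

```python
"""Registry triage for the "Adds Run key" and "Accesses Microsoft Outlook
profiles" rows of the report.  Added example, not Tria.ge code.  Sample
entries are constructed from the report's IoCs plus benign controls;
OUTLOOK_READERS is an assumed allowlist."""
from __future__ import annotations

import re
from pathlib import PureWindowsPath
from typing import Optional

# User-writable directories the sample uses for its launcher and dropper.
STAGING_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
# Key fragments taken from the three "Key opened" IoCs in the report.
OUTLOOK_PROFILE_KEYS = ("\\windows messaging subsystem\\profiles\\", "\\outlook\\profiles\\")
# Assumed allowlist of images that legitimately open Outlook profile keys.
OUTLOOK_READERS = {"outlook.exe", "fixmapi.exe"}

# Constructed Run values: (value name, data).  The first mirrors the report's
# IoC with the sandbox's escaping removed; the second is a benign control.
RUN_VALUES = [
    ("yyueenjjsoxxhc",
     r'C:\Users\Admin\AppData\Roaming\uqaajffoxxtdd\xhhqmvvfbbkggp.exe "C:\Users\Admin\AppData\Local\Temp\ljkycg.exe" '),
    ("OneDrive",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Constructed "Key opened" events: (process image, key path).  The first two
# mirror the report; the third is a benign control.
KEY_OPENS = [
    (r"C:\Users\Admin\AppData\Local\Temp\ljkycg.exe",
     r"\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (r"C:\Users\Admin\AppData\Local\Temp\ljkycg.exe",
     r"\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     r"\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
]


def split_command(cmd: str) -> tuple[str, str]:
    """Split Run value data into (exe path, arguments); handles quoted and bare paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args.strip()


def triage_run_value(name: str, data: str) -> list[str]:
    """Reasons a Run value matches this sample's persistence pattern; [] if none."""
    exe, args = split_command(data)
    reasons = []
    if any(d in exe.lower() for d in STAGING_DIRS):
        reasons.append(f"launcher lives in a user-writable staging directory: {exe}")
    # The launcher is handed the original dropper path as a quoted argument.
    for quoted in re.findall(r'"([^"]+\.exe)"', args, flags=re.IGNORECASE):
        if "\\temp\\" in quoted.lower():
            reasons.append(f"argument re-launches a dropper from Temp: {quoted}")
    # Value name, file name and directory name are all long lowercase letter runs.
    path = PureWindowsPath(exe)
    if all(re.fullmatch(r"[a-z]{10,}", p) for p in (name, path.stem, path.parent.name)):
        reasons.append("value name, file name and directory name all look machine-generated")
    return reasons


def triage_key_open(process_image: str, key_path: str) -> Optional[str]:
    """Flag Outlook profile key reads by any image outside the allowlist."""
    if not any(k in key_path.lower() for k in OUTLOOK_PROFILE_KEYS):
        return None
    proc = PureWindowsPath(process_image).name.lower()
    if proc in OUTLOOK_READERS:
        return None
    return f"{proc} opened Outlook profile key {key_path}"


def triage_all() -> list[str]:
    findings = [f"Run\\{name}: {r}" for name, data in RUN_VALUES for r in triage_run_value(name, data)]
    findings += [f for img, key in KEY_OPENS if (f := triage_key_open(img, key))]
    return findings


if __name__ == "__main__":
    for line in triage_all():
        print(line)
```

Run on the constructed data the checker reports three reasons for the yyueenjjsoxxhc value and two Outlook profile reads by ljkycg.exe, and nothing for the OneDrive control or for OUTLOOK.EXE. The staging-directory and Temp-argument checks carry the signal; the "machine-generated name" heuristic is weaker and is best used to rank rather than to alert on its own.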
Processes

1. C:\Users\Admin\AppData\Local\Temp\NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe"
   PID: 2812
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ljkycg.exe (child of PID 2812)
      command line: "C:\Users\Admin\AppData\Local\Temp\ljkycg.exe"
      PID: 3848
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\ljkycg.exe (child of PID 3848)
         command line: "C:\Users\Admin\AppData\Local\Temp\ljkycg.exe"
         PID: 3996
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
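Read together with the WriteProcessMemory and SetThreadContext rows, the process tree has the shape of process hollowing: ljkycg.exe (PID 3848) starts a second copy of itself (PID 3996), writes into it and redirects its thread, and the Snake Keylogger YARA hits are all in PID 3996's memory, four of them in the 0x400000 to 0x437000 image region. The Python below is an added example, not Tria.ge code, that reconstructs that chain from the report's own rows; the PROCESSES table is constructed to mirror the tree above and the rows are the three distinct WriteProcessMemory/SetThreadContext entries with duplicates collapsed.

```python
"""Reconstruct the injection chain from the report's WriteProcessMemory and
SetThreadContext rows.  Added example, not Tria.ge code; PROCESSES is a
constructed table mirroring the report's process tree."""
import re
from collections import defaultdict

# pid -> (image name, parent pid), copied from the process tree above.
PROCESSES = {
    2812: ("NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe", None),
    3848: ("ljkycg.exe", 2812),
    3996: ("ljkycg.exe", 3848),
}

# The three distinct rows from the signature tables (repeated rows collapsed).
REPORT_ROWS = """
PID 2812 wrote to memory of 3848 2812 NEAS.d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0exe_JC.exe ljkycg.exe
PID 3848 wrote to memory of 3996 3848 ljkycg.exe ljkycg.exe
PID 3848 set thread context of 3996 3848 ljkycg.exe ljkycg.exe
"""

ROW_RE = re.compile(r"PID (\d+) (wrote to memory|set thread context) of (\d+)")
# Both steps against the same target are what distinguishes hollowing from a plain write.
HOLLOW_STEPS = {"wrote to memory", "set thread context"}


def parse_rows(text):
    """Return (source pid, action, target pid) triples in report order."""
    return [(int(s), act, int(t)) for s, act, t in ROW_RE.findall(text)]


def classify(rows, procs):
    """Group actions per (source, target) pair and label the relationship."""
    actions = defaultdict(set)
    for src, act, dst in rows:
        actions[(src, dst)].add(act)
    verdicts = {}
    for (src, dst), acts in actions.items():
        src_img, _ = procs[src]
        dst_img, dst_parent = procs[dst]
        is_child = dst_parent == src
        if HOLLOW_STEPS <= acts and is_child and src_img.lower() == dst_img.lower():
            verdicts[(src, dst)] = ("self-hollowing: wrote into a child running its own image "
                                    "and redirected that child's thread")
        elif HOLLOW_STEPS <= acts and is_child:
            verdicts[(src, dst)] = "hollowing: wrote into a child of a different image and redirected its thread"
        elif "wrote to memory" in acts and is_child:
            # CreateProcess itself writes the child's process parameters from the
            # parent, so a bare write into a new child is not evidence on its own.
            verdicts[(src, dst)] = "parent wrote into its new child (ambiguous without a thread-context change)"
        else:
            verdicts[(src, dst)] = "cross-process write between unrelated processes"
    return verdicts


def hollowed_targets(verdicts):
    """PIDs whose in-memory image is where the real payload should be dumped from."""
    return sorted(dst for (_, dst), v in verdicts.items() if "hollowing" in v)


if __name__ == "__main__":
    verdicts = classify(parse_rows(REPORT_ROWS), PROCESSES)
    for pair, verdict in verdicts.items():
        print(f"{pair[0]} -> {pair[1]}: {verdict}")
    print("dump image region of:", hollowed_targets(verdicts))
```

On the report's rows this labels 3848 -> 3996 as self-hollowing and 2812 -> 3848 as an ambiguous parent write, and names 3996 as the process to dump, which is exactly where the sandbox's family_snakekeylogger rule matched. When you reproduce this on a live host, the same pairing (a write plus a thread-context change into a just-spawned child of the same image) is the condition to alert on, not the write by itself.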
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 223KB
MD5: 55064cc77a862a8c6a684e3895e199d4
SHA1: f8f24a4c758e5d40cebd79810f7f55a2f32f0bf0
SHA256: ab5cf8775675995721a3c974e6e819ae3a52410b06dc214a845a1037980660d8
SHA512: abd7b44ff47ddfa5dd1909bad51df25377220fff0457771a92b6afe4c0cb7082493af91854859d0dd87ce86a59e04bb4afaaf3c65261bb00f092b6f847e2b6d5

Filesize: 172KB (the same file is listed three times in the original report)
MD5: 8827d213de99bdc80c49b0c89ed1dd2c
SHA1: ef12d6bfd1ee8b5e03e35209fef52e6a001aab4c
SHA256: 9c994eb7e25b6feba0696c7fce821540a3af55e7231659806ee9b8ebc68755d5
SHA512: f52d03d982e4ea04d5d049677805f9093c3a476bb76455a243aea46994278bf52dc2515df510681384fe899a0b4a040c576343737e566bd5d67173ace98d9b53