Analysis
-
max time kernel
157s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
26-10-2023 18:37
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800exe_JC.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
NEAS.57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800exe_JC.exe
Resource
win10v2004-20231020-en
General
-
Target
NEAS.57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800exe_JC.exe
-
Size
280KB
-
MD5
2af24dbf80882f85fcb9b44324f915c6
-
SHA1
d9e77d1e4cfe4e086872b9b5b56a028733e38334
-
SHA256
57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800
-
SHA512
18347b6a48a6c97c74dcf99088347594c3a8684c2c99f1058d7c1b345240e8c1c4734b98727c089a19e0ce5910c18f4c5013e9aecf8975531253cb50cd63eec4
-
SSDEEP
6144:Oi6hMrvVvL6mqARyhHhnLiyTAbU3vWeq06zvyduQpxp0Un0QEai7uxnZgalZRndl:Oi6hMrvJLcuylhtAg3Oeq06zKduEb0U7
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
smtp.azebal.com - Port:
587 - Username:
[email protected] - Password:
#*ehEFidm0 - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/5664-1-0x0000000000400000-0x0000000000448000-memory.dmp family_snakekeylogger -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 15 freegeoip.app 12 checkip.dyndns.org 14 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
NEAS.57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800exe_JC.exedescription pid process target process PID 3544 set thread context of 5664 3544 NEAS.57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800exe_JC.exe MSBuild.exe -
Drops file in Windows directory 1 IoCs
Processes:
dw20.exedescription ioc process File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
MSBuild.exepid process 5664 MSBuild.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
NEAS.57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800exe_JC.exepid process 3544 NEAS.57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800exe_JC.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
MSBuild.exedw20.exedescription pid process Token: SeDebugPrivilege 5664 MSBuild.exe Token: SeRestorePrivilege 4176 dw20.exe Token: SeBackupPrivilege 4176 dw20.exe Token: SeBackupPrivilege 4176 dw20.exe Token: SeBackupPrivilege 4176 dw20.exe Token: SeBackupPrivilege 4176 dw20.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
NEAS.57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800exe_JC.exeMSBuild.exedescription pid process target process PID 3544 wrote to memory of 5664 3544 NEAS.57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800exe_JC.exe MSBuild.exe PID 3544 wrote to memory of 5664 3544 NEAS.57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800exe_JC.exe MSBuild.exe PID 3544 wrote to memory of 5664 3544 NEAS.57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800exe_JC.exe MSBuild.exe PID 3544 wrote to memory of 5664 3544 NEAS.57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800exe_JC.exe MSBuild.exe PID 5664 wrote to memory of 4176 5664 MSBuild.exe dw20.exe PID 5664 wrote to memory of 4176 5664 MSBuild.exe dw20.exe PID 5664 wrote to memory of 4176 5664 MSBuild.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800exe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800exe_JC.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.57026ff81a3a9033eaf856d3b36a72d12e613e5227b7740abe4ccca6e95e1800exe_JC.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5664 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 18003⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4176