Overview
overview
10Static
static
10jjsploit.rar
windows7-x64
3jjsploit.rar
windows10-2004-x64
3jjsploit.exe
windows7-x64
7jjsploit.exe
windows10-2004-x64
9discord_to...er.pyc
windows7-x64
3discord_to...er.pyc
windows10-2004-x64
3get_cookies.pyc
windows7-x64
3get_cookies.pyc
windows10-2004-x64
3misc.pyc
windows7-x64
3misc.pyc
windows10-2004-x64
3passwords_grabber.pyc
windows7-x64
3passwords_grabber.pyc
windows10-2004-x64
3source_prepared.pyc
windows7-x64
3source_prepared.pyc
windows10-2004-x64
3Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
22-08-2024 21:01
Behavioral task
behavioral1
Sample
jjsploit.rar
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
jjsploit.rar
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
jjsploit.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
jjsploit.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
discord_token_grabber.pyc
Resource
win7-20240705-en
Behavioral task
behavioral6
Sample
discord_token_grabber.pyc
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
get_cookies.pyc
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
get_cookies.pyc
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
misc.pyc
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
misc.pyc
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
passwords_grabber.pyc
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
passwords_grabber.pyc
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
source_prepared.pyc
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
source_prepared.pyc
Resource
win10v2004-20240802-en
General
-
Target
passwords_grabber.pyc
-
Size
7KB
-
MD5
91bebfc811f4706852fc415d7b2cc836
-
SHA1
26a7645c5b2590a29bb403cb7be00c3ad5e575b3
-
SHA256
fb77fa8b2407db4127a67e37188e0d722c981280b605f6173d737f39e3582dce
-
SHA512
1e5ad7a82f60df0d8bc048ff31ca716cc93d1e167ef9f53e916a608b5a7709f884b657854848a9b6e586f994c010f00dba55c9c76f864b93594ff2ce9fddbadd
-
SSDEEP
192:h114qWLfhuUIxDPK2cxDJb+XUhitovgEuz:V4qWLfMFyVxDAE/4
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
AcroRd32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.pyc rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file\shell rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid Process 2720 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid Process 2720 AcroRd32.exe 2720 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid Process procid_target PID 2544 wrote to memory of 284 2544 cmd.exe 31 PID 2544 wrote to memory of 284 2544 cmd.exe 31 PID 2544 wrote to memory of 284 2544 cmd.exe 31 PID 284 wrote to memory of 2720 284 rundll32.exe 32 PID 284 wrote to memory of 2720 284 rundll32.exe 32 PID 284 wrote to memory of 2720 284 rundll32.exe 32 PID 284 wrote to memory of 2720 284 rundll32.exe 32
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:284 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2720
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5a78fd3a73af51e754e2f3964a64c1b5d
SHA1526ac0cccee463b1f140e0696422f39ca4123464
SHA256be37c91804921fc634185d840143583f6dac5c16fdc21196c3a20646f070d5b0
SHA5120e6cb96d98e609168b6fb8a017b7aa8b59ea7c90e313a5c18e6797f9394bcde506b3f73df68d1f78b691ca62dda0508a62e7a3404e0db7f4b714c9a8a475e91e