Overview
overview
10Static
static
10jjsploit.rar
windows7-x64
3jjsploit.rar
windows10-2004-x64
3jjsploit.exe
windows7-x64
7jjsploit.exe
windows10-2004-x64
9discord_to...er.pyc
windows7-x64
3discord_to...er.pyc
windows10-2004-x64
3get_cookies.pyc
windows7-x64
3get_cookies.pyc
windows10-2004-x64
3misc.pyc
windows7-x64
3misc.pyc
windows10-2004-x64
3passwords_grabber.pyc
windows7-x64
3passwords_grabber.pyc
windows10-2004-x64
3source_prepared.pyc
windows7-x64
3source_prepared.pyc
windows10-2004-x64
3Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
22-08-2024 21:01
Behavioral task
behavioral1
Sample
jjsploit.rar
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
jjsploit.rar
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
jjsploit.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
jjsploit.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
discord_token_grabber.pyc
Resource
win7-20240705-en
Behavioral task
behavioral6
Sample
discord_token_grabber.pyc
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
get_cookies.pyc
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
get_cookies.pyc
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
misc.pyc
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
misc.pyc
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
passwords_grabber.pyc
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
passwords_grabber.pyc
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
source_prepared.pyc
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
source_prepared.pyc
Resource
win10v2004-20240802-en
General
-
Target
discord_token_grabber.pyc
-
Size
15KB
-
MD5
00f03a943b3dd6a58279bbff482099c8
-
SHA1
56c88f03a5f5d5abae141bc94bf287ce41347dbd
-
SHA256
5065f9a9e6699be80d98291b3e9896330dd2595373e5ca58ced55934b2865a90
-
SHA512
01b462a02fdab26596f42b3feb783252cebc4a3132e1ef9c73660a74c7e9de2dedebe7e69cf795183dc7bd2baeccea9596387ebd285b263067e30fb681671db6
-
SSDEEP
384:YGC7RYmnXavkGP3ltcrhntQ5saa2holHVA:YGCuvkoltcrttQ5saaCgHVA
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
AcroRd32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pyc_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pyc_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pyc_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.pyc rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid Process 2808 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid Process 2808 AcroRd32.exe 2808 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid Process procid_target PID 1904 wrote to memory of 2644 1904 cmd.exe 32 PID 1904 wrote to memory of 2644 1904 cmd.exe 32 PID 1904 wrote to memory of 2644 1904 cmd.exe 32 PID 2644 wrote to memory of 2808 2644 rundll32.exe 33 PID 2644 wrote to memory of 2808 2644 rundll32.exe 33 PID 2644 wrote to memory of 2808 2644 rundll32.exe 33 PID 2644 wrote to memory of 2808 2644 rundll32.exe 33
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2808
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5605929d3373965275169c4ee1d527b40
SHA146a7ee116980426689ac5d2b0058a24b15653ea2
SHA25671d4a7736fe9c2552b3aa97afd1b449ad129f70f65937332a2a9b34348e7c308
SHA512e7cad6d5005209dcb9b2418b96e0c7f83b2695884b287272d6dcb4df20178a44d02c2a729c0e72ba04ee2f8212e95b9704a490f443ae73be7e10e0d1269e27c3