Analysis

Max time kernel: 126s
Max time network: 129s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24-09-2024 13:57
Static task: static1
Behavioral task: behavioral1
  Sample: Items IMG16092024.pdf.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Items IMG16092024.pdf.exe
  Resource: win10v2004-20240802-en
General

Target: Items IMG16092024.pdf.exe
Size: 957KB
MD5: e24b9ef302a36051801a4d27e5563350
SHA1: f7ca82fcd4fc8d02f6135ee4da09e3d0277421f0
SHA256: 337f2438ac48410b788b27c4d5a3668b67f1a7d5c1eb3d1c614dfd1652b5a42d
SHA512: 5ebae13b999767baaa6ba52792b8da9e66c814911fe147a90b0e6b4b072533ca12f5447a40bb4832278c381e584223f4ad5dc5bdf8f3c656bf7e7451d7500ffe
SSDEEP: 24576:jL7opqubED/7h4y9VATErHoJUG79VkxxKIR5e:rkFahvJrR290
Malware Config

Extracted family: snakekeylogger
C2 (Telegram Bot API sendMessage endpoint; the path carries the attacker's bot token and the query string the destination chat_id):
https://api.telegram.org/bot7444558447:AAHNIAHnG1YJbhdGtivj0iiHR8ECCeZ9fo4/sendMessage?chat_id=6981201194
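The exfiltration URL above is the most durable indicator in this report: the numeric prefix of the bot token identifies the attacker's bot regardless of which Bot API method or chat_id a given build uses. The block below is an added example, not part of the Triage report, that parses the URL into its components, produces a defanged form for reporting, and hunts for any request to the same bot in log lines. The field names, the hunt function and the log lines are my own; the log lines are constructed in the shape of an EDR or TLS-inspecting proxy that records the requesting process and the full URL (a plain forward proxy sees only the CONNECT host for HTTPS).

```python
"""Turn the Snake Keylogger Telegram C2 URL into hunt-ready indicators.

Added example, not part of the Triage report. Telegram Bot API URLs have the
form https://api.telegram.org/bot<id>:<secret>/<method>; the result field
names and the constructed log lines below are my own.
"""
import re
from urllib.parse import parse_qs, urlsplit

# C2 URL exactly as extracted by the sandbox.
C2_URL = ("https://api.telegram.org/bot7444558447:"
          "AAHNIAHnG1YJbhdGtivj0iiHR8ECCeZ9fo4/sendMessage?chat_id=6981201194")

# Bot tokens are "<numeric bot id>:<secret>". The numeric part is a stable
# indicator; the secret grants full control of the bot, so treat it as a credential.
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def defang(url: str) -> str:
    """Make the indicator non-clickable for write-ups (hxxps://, [.])."""
    return url.replace("https://", "hxxps://").replace("http://", "hxxp://").replace(".", "[.]")


def parse_telegram_c2(url: str) -> dict:
    """Split a Bot API URL into bot id, full token, method and chat_id."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        raise ValueError("not a Telegram Bot API URL")
    m = BOT_PATH.match(parts.path)
    if m is None:
        raise ValueError("path is not /bot<token>/<method>")
    chat = parse_qs(parts.query).get("chat_id", [None])[0]
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": chat,
        "defanged": defang(url),
    }


# Constructed log lines (hosts, timestamps and the non-InstallUtil process names are invented).
LOG_LINES = """\
2024-09-24T13:58:01Z host=WS-0142 proc=InstallUtil.exe url=https://api.telegram.org/bot7444558447:AAHNIAHnG1YJbhdGtivj0iiHR8ECCeZ9fo4/sendMessage?chat_id=6981201194
2024-09-24T13:58:03Z host=WS-0142 proc=InstallUtil.exe url=http://checkip.dyndns.org/
2024-09-24T14:02:11Z host=WS-0077 proc=msedge.exe url=https://www.example.com/
2024-09-24T14:05:40Z host=WS-0203 proc=svchost.exe url=https://api.telegram.org/bot7444558447:AAHNIAHnG1YJbhdGtivj0iiHR8ECCeZ9fo4/sendDocument
2024-09-24T14:06:00Z host=WS-0090 proc=Telegram.exe url=https://api.telegram.org/bot1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/sendMessage
""".splitlines()

LINE = re.compile(r"host=(?P<host>\S+) proc=(?P<proc>\S+) url=(?P<url>\S+)")


def hunt_bot(lines, bot_id: str) -> list:
    """Every request to the attacker's bot, whatever method or chat_id is used."""
    hits = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if parts.hostname == "api.telegram.org" and parts.path.startswith(f"/bot{bot_id}:"):
            hits.append({"host": m["host"], "proc": m["proc"],
                         "method": parts.path.rsplit("/", 1)[-1]})
    return hits


if __name__ == "__main__":
    ioc = parse_telegram_c2(C2_URL)
    print(ioc["defanged"])
    for hit in hunt_bot(LOG_LINES, ioc["bot_id"]):
        print(hit)
```

Keying the hunt on the bot id rather than on the full URL catches the second host above, which uses sendDocument instead of sendMessage, and ignores an unrelated bot; blocking api.telegram.org outright is the blunter control where the business does not use Telegram bots.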
Signatures

Snake Keylogger
  Keylogger and infostealer first seen in November 2020.

Snake Keylogger payload (1 IoC)
  Resource: behavioral2/memory/756-1096-0x0000000000400000-0x0000000000426000-memory.dmp
  YARA rule: family_snakekeylogger
  The match is on memory dumped from PID 756 (InstallUtil.exe), range 0x400000-0x426000, so the detected payload is the code injected into the host process.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Description: PID 2764 created 3420
  PID: 2764
  Process: Items IMG16092024.pdf.exe
  procid_target: 56
  In the process tree below InstallUtil.exe appears as a sibling of the sample under Explorer.EXE (PID 3420), not as its child, consistent with the parent being spoofed at creation; lineage-based detections will attribute InstallUtil.exe to Explorer.

Adds Run key to start application (2 TTPs, 1 IoC)
  Action: Set value (str)
  Key: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jrrujjoouf
  Data: "C:\Users\Admin\AppData\Roaming\Jrrujjoouf.exe"
  Process: Items IMG16092024.pdf.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow: 23
  IoC: checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
  Description: PID 2764 set thread context of 756
  Process: Items IMG16092024.pdf.exe (PID 2764)
  procid_target: 97
  Together with the WriteProcessMemory events below this is the usual injection sequence: the sample writes its payload into InstallUtil.exe (PID 756) and then redirects a thread into it.

Program crash (1 IoC)
  PID: 4432 (WerFault.exe)
  Target PID: 756
  procid_target: 97
  The injected InstallUtil.exe process crashed and was handled by Windows Error Reporting.

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Items IMG16092024.pdf.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by InstallUtil.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 2764 Items IMG16092024.pdf.exe (2 events)
  PID 756 InstallUtil.exe (2 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 2764 Items IMG16092024.pdf.exe (2 events)
  Token: SeDebugPrivilege, PID 756 InstallUtil.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  Description: PID 2764 wrote to memory of 756 (8 identical events)
  Process: Items IMG16092024.pdf.exe (PID 2764)
  procid_target: 97
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Depth: 1, PID: 3420

  C:\Users\Admin\AppData\Local\Temp\Items IMG16092024.pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Items IMG16092024.pdf.exe"
    Depth: 2, PID: 2764
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    Depth: 2, PID: 756
    (Launched with no arguments; a legitimate InstallUtil.exe run takes the path of an assembly to install.)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1456
      Depth: 3, PID: 4432
      - Program crash

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2152,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
  Depth: 1, PID: 4012

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 756 -ip 756
  Depth: 1, PID: 2436
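The signatures and process tree above map onto a small set of host-telemetry rules: a Run key whose data points into AppData, InstallUtil.exe started with no arguments, a binary in a user-writable directory obtaining write access to another process, and an external-IP lookup from something other than a browser. The block below is an added example, not part of the Triage report: it runs those four rules over constructed Sysmon-style events that mirror the PIDs, paths and registry value from this report. The event dict schema, the 0x1FFFFF access mask, the IP-lookup host list, the browser list and the benign MSBuild and Edge noise are my assumptions. Note that the InstallUtil.exe create event carries Explorer.EXE as its parent, as Sysmon would record after the parent spoofing this report flags, which is why the injection rule keys on the cross-process access rather than on parent/child lineage.

```python
"""Detection logic for the behaviours recorded in this report, run over
constructed Sysmon-style events.

Added example, not part of the Triage report. The event schema (dict keys),
the access-mask bits checked, the IP-lookup host list and the browser list are
my own, modelled on Sysmon event IDs 1 (process create), 10 (process access),
13 (registry value set) and 22 (DNS query). PIDs and paths mirror the report.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Items IMG16092024.pdf.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
MSBUILD = r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"

# Constructed events. The 0x1FFFFF access mask and the MSBuild/msedge noise are invented.
EVENTS = [
    {"id": 1, "pid": 2764, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "ppid": 3420, "parent_image": EXPLORER},
    {"id": 13, "pid": 2764, "image": SAMPLE,
     "target": r"HKU\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE"
               r"\Microsoft\Windows\CurrentVersion\Run\Jrrujjoouf",
     "details": r"C:\Users\Admin\AppData\Roaming\Jrrujjoouf.exe"},
    # Parent is Explorer.EXE, not the sample: the PPID was spoofed, as the report's tree shows.
    {"id": 1, "pid": 756, "image": INSTALLUTIL, "cmdline": f'"{INSTALLUTIL}"',
     "ppid": 3420, "parent_image": EXPLORER},
    {"id": 10, "pid": 2764, "image": SAMPLE, "target_pid": 756,
     "target_image": INSTALLUTIL, "granted_access": 0x1FFFFF},
    {"id": 22, "pid": 756, "image": INSTALLUTIL, "query": "checkip.dyndns.org"},
    # Benign noise the rules must not flag.
    {"id": 1, "pid": 9001, "image": INSTALLUTIL,
     "cmdline": f'"{INSTALLUTIL}" /LogToConsole=false MyService.exe',
     "ppid": 8000, "parent_image": MSBUILD},
    {"id": 22, "pid": 4012, "query": "www.example.com",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
PROCESS_VM_OPERATION = 0x0008   # needed for VirtualAllocEx / VirtualProtectEx
PROCESS_VM_WRITE = 0x0020       # needed for WriteProcessMemory
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ifconfig.me", "icanhazip.com"}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Return (rule, pid) pairs, one per event that trips a rule."""
    hits = []
    for e in events:
        if e["id"] == 13 and RUN_KEY.search(e["target"]) and USER_WRITABLE.search(e["details"]):
            hits.append(("run_key_points_into_appdata", e["pid"]))
        if e["id"] == 1 and basename(e["image"]) == "installutil.exe":
            # Real installs pass an assembly path; a bare InstallUtil.exe is only useful as an injection host.
            args = e["cmdline"].replace(f'"{e["image"]}"', "", 1).strip()
            if not args:
                hits.append(("installutil_without_arguments", e["pid"]))
        if e["id"] == 10 and e["pid"] != e["target_pid"]:
            needed = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
            if (e["granted_access"] & needed) == needed and USER_WRITABLE.search(e["image"]):
                hits.append(("appdata_binary_writes_other_process", e["pid"]))
        if e["id"] == 22 and e["query"].lower() in IP_LOOKUP_HOSTS and basename(e["image"]) not in BROWSERS:
            hits.append(("external_ip_lookup_from_non_browser", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40} pid={pid}")
```

The two InstallUtil.exe create events show why the argument check matters: the MSBuild-spawned run with an assembly path passes, while the bare invocation from this report is flagged even though its recorded parent is Explorer.EXE.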