snakekeylogger | d0ecdf88e56cae4a5c2c759246b97163beb6f63023593a1aee00ee896efe6a16

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase_Order.PDF.js
Size

1.7MB
MD5

06bf8ca73f44aa2aec54c41c4c20d3d3
SHA1

9862b9785b61b42dc8fef4e3ecb8319e2d7c7710
SHA256

d0ecdf88e56cae4a5c2c759246b97163beb6f63023593a1aee00ee896efe6a16
SHA512

84366dd9a5324d8fe98d31383dc13ae52c5a72600afafc1e396416f2b34c6a42db7b09e8571bab343fb894aa7e7b69afcb5542eb8f5f411b570d343288ddd6e8
SSDEEP

24576:AuzJmDrkb8kjVaj3cWZUYUNa/US5ZZ2BsiH8pM0:1JmDrkAk9jk/UPd8B

Score

10^/10

snakekeylogger wshrat collection discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
nbwz jvfz fmek ghid

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
nbwz jvfz fmek ghid

Extracted

Family

wshrat

http://185.17.40.142:5086

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/492-40-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/492-39-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/492-37-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/492-34-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/492-32-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Blocklisted process makes network request 29 IoCs

flow	pid	Process
3	2660	wscript.exe
5	2660	wscript.exe
6	2660	wscript.exe
8	2660	wscript.exe
9	2660	wscript.exe
14	2660	wscript.exe
16	2660	wscript.exe
19	2660	wscript.exe
20	2660	wscript.exe
22	2660	wscript.exe
23	2660	wscript.exe
24	2660	wscript.exe
26	2660	wscript.exe
27	2660	wscript.exe
28	2660	wscript.exe
30	2660	wscript.exe
31	2660	wscript.exe
32	2660	wscript.exe
34	2660	wscript.exe
35	2660	wscript.exe
36	2660	wscript.exe
38	2660	wscript.exe
39	2660	wscript.exe
40	2660	wscript.exe
42	2660	wscript.exe
43	2660	wscript.exe
44	2660	wscript.exe
46	2660	wscript.exe
47	2660	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.js	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
2864	Hvwjy.exe
492	Hvwjy.exe

Loads dropped DLL 1 IoCs

pid	Process
2864	Hvwjy.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Hvwjy.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Hvwjy.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Hvwjy.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2864 set thread context of 492	2864	Hvwjy.exe	38

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hvwjy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hvwjy.exe

Script User-Agent 29 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	30	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	36	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	28	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	32	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	6	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	23	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	24	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	9	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	39	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	42	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	44	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	5	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	26	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	31	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	35	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	43	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	34	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	46	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	8	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	16	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	22	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	40	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	14	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	27	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	38	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	19	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	20	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript
HTTP User-Agent header	47	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/11/2024\|JavaScript

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2864	Hvwjy.exe
2864	Hvwjy.exe
2864	Hvwjy.exe
2864	Hvwjy.exe
2864	Hvwjy.exe
2864	Hvwjy.exe
492	Hvwjy.exe
492	Hvwjy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	Hvwjy.exe
Token: SeDebugPrivilege	492	Hvwjy.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
492	Hvwjy.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2264	2072	wscript.exe	31
PID 2072 wrote to memory of 2264	2072	wscript.exe	31
PID 2072 wrote to memory of 2264	2072	wscript.exe	31
PID 2072 wrote to memory of 2944	2072	wscript.exe	32
PID 2072 wrote to memory of 2944	2072	wscript.exe	32
PID 2072 wrote to memory of 2944	2072	wscript.exe	32
PID 2944 wrote to memory of 2864	2944	WScript.exe	33
PID 2944 wrote to memory of 2864	2944	WScript.exe	33
PID 2944 wrote to memory of 2864	2944	WScript.exe	33
PID 2944 wrote to memory of 2864	2944	WScript.exe	33
PID 2264 wrote to memory of 2660	2264	WScript.exe	34
PID 2264 wrote to memory of 2660	2264	WScript.exe	34
PID 2264 wrote to memory of 2660	2264	WScript.exe	34
PID 2864 wrote to memory of 492	2864	Hvwjy.exe	38
PID 2864 wrote to memory of 492	2864	Hvwjy.exe	38
PID 2864 wrote to memory of 492	2864	Hvwjy.exe	38
PID 2864 wrote to memory of 492	2864	Hvwjy.exe	38
PID 2864 wrote to memory of 492	2864	Hvwjy.exe	38
PID 2864 wrote to memory of 492	2864	Hvwjy.exe	38
PID 2864 wrote to memory of 492	2864	Hvwjy.exe	38
PID 2864 wrote to memory of 492	2864	Hvwjy.exe	38
PID 2864 wrote to memory of 492	2864	Hvwjy.exe	38

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Hvwjy.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Hvwjy.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Purchase_Order.PDF.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\word.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:2660
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\Hvwjy.exe
    "C:\Users\Admin\AppData\Local\Temp\Hvwjy.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\Hvwjy.exe
      "C:\Users\Admin\AppData\Local\Temp\Hvwjy.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hvwjy.exe

Filesize
706KB

MD5
e1500a569b0f034f24d558f661d129c9

SHA1
6f2448b29980d1121df22d7699d2cd68cc88f736

SHA256
580ca5b59e248df91a65a54560d314869dd38b9858628a1a3ebac29863f06674

SHA512
f80f13fbb632fc21f0008082fe886a12c7409d9ac5a9b9fcfea61bd18b1a9044450e96ee8cd029f1145e687e74088a84df1e80e29648f13a698680f97e366f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.js

Filesize
962KB

MD5
0fb453466a45c5ed5a9de568d786d5a6

SHA1
c12835633e6ade4133c855b2ed2468588771f0e2

SHA256
dd448c5bfacedd7d7e25b35a5802ed6aebf5ac07676dc47178b11b831119bb7a

SHA512
2c11139c2343adff8a985d4268dc4ac367848140548ca4730e3064897e4eda92a6f4787747686d5da20b50ffdf9928e3da0107da8af7035c4a4e7b18c666866e

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.js

Filesize
283KB

MD5
c4951435e2094fc38024666feecf15c5

SHA1
72f5d95a873daaabbc3a71e363aca9394b017a70

SHA256
68af64912a0e81ab0576ec5e5e5317a345e2cd692312a3e31262058ecfcfaa66

SHA512
d8ed79f874661d4ad085cf8e3721c002755fb2cc0a14cb726f9edd9a7e00cf8308cc89676f61b4165c6ddf25368582403744cef8a646a6981f5a8c8682af0e4b

Download Submit
memory/492-39-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/492-28-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/492-30-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/492-40-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/492-37-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/492-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/492-34-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/492-32-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2864-21-0x0000000000BE0000-0x0000000000BFC000-memory.dmp

Filesize
112KB

Download
memory/2864-24-0x00000000056D0000-0x000000000573C000-memory.dmp

Filesize
432KB

Download
memory/2864-20-0x0000000000040000-0x00000000000F2000-memory.dmp

Filesize
712KB

Download