Analysis
-
max time kernel
125s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
29-11-2024 03:49
Static task
static1
Behavioral task
behavioral1
Sample
Bukti-Transfer.vbe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Bukti-Transfer.vbe
Resource
win10v2004-20241007-en
General
-
Target
Bukti-Transfer.vbe
-
Size
9KB
-
MD5
3a62dc625d7dd22fd4c2aba6e7058dd4
-
SHA1
2b264827a034a913128d9fb362a3b789005ba4f0
-
SHA256
895e3a8a58ca8d0b65bdb92d181ea4ebd53b479872e75c7455e892b58149cb38
-
SHA512
0872c46046e565a8d0866e95a57a7dd1d9a86e3f17eba48901ffc2d913c598c2b44b4d285c508ade8446ba64de44b00d9baa74a72b59cda506ea58f711145b7f
-
SSDEEP
192:FbmzV2nbm3m6G53Vm6z22m6THZKmQmjFm6TH8Mjm8bDmDj02IbmHKmvFnbmVFxVx:ZFbUIyKLK0LBrqPG
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
evqqlnwkcmogylje
Extracted
snakekeylogger
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
evqqlnwkcmogylje - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 2 IoCs
resource yara_rule behavioral1/files/0x000800000001653a-9.dat family_snakekeylogger behavioral1/memory/2712-11-0x0000000000B40000-0x0000000000B66000-memory.dmp family_snakekeylogger -
Snakekeylogger family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 3 1748 WScript.exe -
Executes dropped EXE 1 IoCs
pid Process 2712 UYc.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 UYc.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 UYc.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 UYc.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 checkip.dyndns.org -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language UYc.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2712 UYc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2712 UYc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2712 UYc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2712 UYc.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1748 wrote to memory of 2928 1748 WScript.exe 30 PID 1748 wrote to memory of 2928 1748 WScript.exe 30 PID 1748 wrote to memory of 2928 1748 WScript.exe 30 PID 2928 wrote to memory of 2712 2928 WScript.exe 31 PID 2928 wrote to memory of 2712 2928 WScript.exe 31 PID 2928 wrote to memory of 2712 2928 WScript.exe 31 PID 2928 wrote to memory of 2712 2928 WScript.exe 31 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 UYc.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 UYc.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bukti-Transfer.vbe"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GAXYEO.js"2⤵
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\UYc.exe"C:\Users\Admin\AppData\Local\Temp\UYc.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:2712
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD5d66c8c34543b9c55c6a3b5f65399e54d
SHA176f8063ce1dea46a096e6151edf9713374e84eb6
SHA256c69f5db538d67904adc6d53c663253c9534c8c8e2398264da0b794e3f6971c91
SHA51234b8dfebaebcc6f46d175e89869152129bcead07da9f91ee3c14824c2ef8a0399810e7bd18be6c63a192584672a13d4f1e7cacc8ec41c3e514ae7b59afa260b1
-
Filesize
127KB
MD51059945eca2d1f4c6353dd139c384b94
SHA156c115c71e1c545415cdbbeb1acace1bb19860ff
SHA2569751d1f8ca5488e5a17426d2d92af5daf7761deec3b7c9ccab0769d9cd25e49c
SHA512a4794448080ea34b3bd0ff48bd5f4db3dbf4db60a99d29ae98c3f73e438e164ddd5acc22cbbfdd987880da3c80f58a5ac1ee1ac1e66c996296406b757cee2e67