Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    11-12-2024 02:19

General

  • Target

    1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98.js

  • Size

    7KB

  • MD5

    e961e6c85529967631d08dc53a13f0ae

  • SHA1

    53d75f1fd3dd3f5738b395d6e66147f8e934bc7b

  • SHA256

    1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98

  • SHA512

    f5ef8f0aa639238c6dde4d1e80cb6d80ab0ec8904eb4f2cfef332ae9b2e033bb2ee4cb1fc8012a7473dadd707e5847e6977d66c239e0efa3d95bd0cf8f787c4a

  • SSDEEP

    48:7PB7fqihtV7wGF7OE3qMdlwURxp7gltFYpHwmAhHmY6mn7U7f:7PB7fqihtNwm7OE3ZfJ7gltFYBZYh7yf

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ralt kojp vxay jkla

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 2 IoCs
  • Snakekeylogger family
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • Wshrat family
  • Blocklisted process makes network request 27 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OPXCFY.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WindowsAudio.js"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GxO.vbs"
          4⤵
          • Drops startup file
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2348
          • C:\Windows\System32\wscript.exe
            "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GxO.vbs"
            5⤵
            • Blocklisted process makes network request
            • Drops startup file
            • Adds Run key to start application
            PID:2436
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Users\Admin\AppData\Local\Temp\ZqrN.exe
          "C:\Users\Admin\AppData\Local\Temp\ZqrN.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:316

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\json[1].json

    Filesize

    291B

    MD5

    c085beeb6f771b90fed94c1d940f97f6

    SHA1

    44a994d9175d6abaa9a3b5718e242fa659aed66a

    SHA256

    ff5681f440a7a4b019a4a59f43ad414393321d1eb6dc3874cea0a84e73a83c51

    SHA512

    9d000581b287cd3d5464c33c260008090369a4f5f380b7cfa72eb0fc3221ce0e07df0387f6d3d6b38253c215250ac873dec0f52c501e3d6312f0a5437723a76a

  • C:\Users\Admin\AppData\Local\Temp\GxO.vbs

    Filesize

    861KB

    MD5

    2c38711037f77a66c571beca37212473

    SHA1

    dfcc23612a0b01f3be4e9dfe1158c0d878fafcf8

    SHA256

    cdb87f940c4a74c8c4f6e49881418b852cab544dd0c62f6201cb7e0f6825aada

    SHA512

    7e7b985e1d51b6cba3bf0e656d5dc1b358727d3c50334e5c4d0aac6f0a84b8ec29c4896a6a0d805d3eb8549600e636adb08491aa309f55ef61cc5e2dbbbcfda3

  • C:\Users\Admin\AppData\Local\Temp\OPXCFY.js

    Filesize

    1.8MB

    MD5

    5cbd790c1378134731dc246a81c93407

    SHA1

    5830dbee39be0a297112f0c370ec0fe262e3481a

    SHA256

    20db27c44f4d385c66f6753ce3afc9d9c7a89802f817f896c341c66636c2cd47

    SHA512

    b18cb8f6c4464d288ffcb601cdc4fb8b8a5da0c5702cc1ba27deafeb43dc7b7d998a0e9773fb93564fe93d6c55a24e4c66d96464a32c717e4e5d1bcf738349c8

  • C:\Users\Admin\AppData\Local\Temp\WindowsAudio.js

    Filesize

    1.1MB

    MD5

    98580a656c68b3f635dc03194073f889

    SHA1

    08fc5771841b25dbdbb1ba2e6c519add747e4413

    SHA256

    0b2d1630032ee6b65cc35650f78a34487b8d784c6fb882340e44051f2b3b50ae

    SHA512

    0bc77b7e00030dd3adb8ae4769eeeff067b25595f0450de0827b2fcf8330713331f3922956aa5f8c3ef3ced7365db45a15ba3e8b625af13f40085cc1f090e89d

  • C:\Users\Admin\AppData\Local\Temp\ZqrN.exe

    Filesize

    129KB

    MD5

    ad1d0676362d866735f0d532f8e3d581

    SHA1

    a16badc35300527d38e9d3ff6af1c1e1265c5b39

    SHA256

    09251632adbf8aae4c9246ddc36375f66d41f0030c6adcc664dcf2773053735c

    SHA512

    e8685ed84b76ab0d0698b0dadc8af4d7a6481ab08656e22885c68a2172983e33feb462e21336911bab3600373381baca594cba48be5e07b7712e3e9b6e99d8c8

  • C:\Users\Admin\AppData\Local\Temp\adobe.js

    Filesize

    194KB

    MD5

    8ca638b30fea8a14b3de0e271a4fc225

    SHA1

    7c33f879a39b852f3e8b7d05ee3d240259696b5e

    SHA256

    58fd32619eed98484f0f071c1d18a81490ffccaf5be21836cbdbf5083e68662f

    SHA512

    548e6f7f62056217a2124524d08af30dab8f77368d44d175bf20c66d5babcacf97dfcf3d44cc3b60255d29d3d76ccc20413db9238f466265cda2347bde1a237f

  • memory/316-23-0x0000000000240000-0x0000000000266000-memory.dmp

    Filesize

    152KB