Overview

overview

10

Static

static

1

1f0ef4fc5a...b98.js

windows7-x64

10

1f0ef4fc5a...b98.js

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 02:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98.js

  • Size

    7KB

  • MD5

    e961e6c85529967631d08dc53a13f0ae

  • SHA1

    53d75f1fd3dd3f5738b395d6e66147f8e934bc7b

  • SHA256

    1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98

  • SHA512

    f5ef8f0aa639238c6dde4d1e80cb6d80ab0ec8904eb4f2cfef332ae9b2e033bb2ee4cb1fc8012a7473dadd707e5847e6977d66c239e0efa3d95bd0cf8f787c4a

  • SSDEEP

    48:7PB7fqihtV7wGF7OE3qMdlwURxp7gltFYpHwmAhHmY6mn7U7f:7PB7fqihtNwm7OE3ZfJ7gltFYBZYh7yf

Score
10/10
snakekeyloggerwshratcollectiondiscoveryexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ralt kojp vxay jkla

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 2 IoCs
  • Snakekeylogger family
    snakekeylogger
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Wshrat family
    wshrat
  • Blocklisted process makes network request 27 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OPXCFY.js"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4280
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WindowsAudio.js"
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3584
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GxO.vbs"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\Windows\System32\wscript.exe
            "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GxO.vbs"
            5⤵
            • Blocklisted process makes network request
            • Drops startup file
            • Adds Run key to start application
            PID:3568
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:428
        • C:\Users\Admin\AppData\Local\Temp\ZqrN.exe
          "C:\Users\Admin\AppData\Local\Temp\ZqrN.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TRPPE7V2\json[1].json
    Filesize

    291B

    MD5

    c085beeb6f771b90fed94c1d940f97f6

    SHA1

    44a994d9175d6abaa9a3b5718e242fa659aed66a

    SHA256

    ff5681f440a7a4b019a4a59f43ad414393321d1eb6dc3874cea0a84e73a83c51

    SHA512

    9d000581b287cd3d5464c33c260008090369a4f5f380b7cfa72eb0fc3221ce0e07df0387f6d3d6b38253c215250ac873dec0f52c501e3d6312f0a5437723a76a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GxO.vbs
    Filesize

    861KB

    MD5

    2c38711037f77a66c571beca37212473

    SHA1

    dfcc23612a0b01f3be4e9dfe1158c0d878fafcf8

    SHA256

    cdb87f940c4a74c8c4f6e49881418b852cab544dd0c62f6201cb7e0f6825aada

    SHA512

    7e7b985e1d51b6cba3bf0e656d5dc1b358727d3c50334e5c4d0aac6f0a84b8ec29c4896a6a0d805d3eb8549600e636adb08491aa309f55ef61cc5e2dbbbcfda3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OPXCFY.js
    Filesize

    1.8MB

    MD5

    5cbd790c1378134731dc246a81c93407

    SHA1

    5830dbee39be0a297112f0c370ec0fe262e3481a

    SHA256

    20db27c44f4d385c66f6753ce3afc9d9c7a89802f817f896c341c66636c2cd47

    SHA512

    b18cb8f6c4464d288ffcb601cdc4fb8b8a5da0c5702cc1ba27deafeb43dc7b7d998a0e9773fb93564fe93d6c55a24e4c66d96464a32c717e4e5d1bcf738349c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsAudio.js
    Filesize

    1.1MB

    MD5

    98580a656c68b3f635dc03194073f889

    SHA1

    08fc5771841b25dbdbb1ba2e6c519add747e4413

    SHA256

    0b2d1630032ee6b65cc35650f78a34487b8d784c6fb882340e44051f2b3b50ae

    SHA512

    0bc77b7e00030dd3adb8ae4769eeeff067b25595f0450de0827b2fcf8330713331f3922956aa5f8c3ef3ced7365db45a15ba3e8b625af13f40085cc1f090e89d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ZqrN.exe
    Filesize

    129KB

    MD5

    ad1d0676362d866735f0d532f8e3d581

    SHA1

    a16badc35300527d38e9d3ff6af1c1e1265c5b39

    SHA256

    09251632adbf8aae4c9246ddc36375f66d41f0030c6adcc664dcf2773053735c

    SHA512

    e8685ed84b76ab0d0698b0dadc8af4d7a6481ab08656e22885c68a2172983e33feb462e21336911bab3600373381baca594cba48be5e07b7712e3e9b6e99d8c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\adobe.js
    Filesize

    194KB

    MD5

    8ca638b30fea8a14b3de0e271a4fc225

    SHA1

    7c33f879a39b852f3e8b7d05ee3d240259696b5e

    SHA256

    58fd32619eed98484f0f071c1d18a81490ffccaf5be21836cbdbf5083e68662f

    SHA512

    548e6f7f62056217a2124524d08af30dab8f77368d44d175bf20c66d5babcacf97dfcf3d44cc3b60255d29d3d76ccc20413db9238f466265cda2347bde1a237f

    Download Submit

  • memory/220-29-0x0000000005200000-0x00000000057A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/220-30-0x0000000004D50000-0x0000000004DEC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/220-40-0x00000000061C0000-0x0000000006210000-memory.dmp

    Filesize

    320KB

    Download

  • memory/220-41-0x00000000063E0000-0x00000000065A2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/220-42-0x00000000062B0000-0x0000000006342000-memory.dmp

    Filesize

    584KB

    Download

  • memory/220-43-0x0000000006260000-0x000000000626A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/220-28-0x0000000000340000-0x0000000000366000-memory.dmp

    Filesize

    152KB

    Download