General

  • Target

    JaffaCakes118_22627068c23fb27e7aaac9d20e3807c32324e7ff832eaa26548fd1ccfb9722ef

  • Size

    701KB

  • Sample

    241222-ek7qrasqhm

  • MD5

    3ca36a88b565e255b8531dafbe49eed3

  • SHA1

    6e13c3b48b521408c7650b9971e930c2833cbb63

  • SHA256

    22627068c23fb27e7aaac9d20e3807c32324e7ff832eaa26548fd1ccfb9722ef

  • SHA512

    d44a1b7b16ee527f8239791c5993b28cd6898aa2a66b55e6acc66449365d8423a2c34c2da6b6189fb1691c28a1df7978c87a4c983382c456c023e5cc686128e7

  • SSDEEP

    12288:8m6c3YbDOQ9q9G4H79j9tH9vLJzDFEn8Kg32uW2gHV/vC+DgBoI1Nh/VjfuyJEt9:n3Y/OQz4j19lNwU3vo8+DeNDjmoxGV

Malware Config

Targets

    • Target

      d3cd3076d9df007e13f80cb032ccceefb8017ef6f3ea80cc02b5f0f737405075.exe

    • Size

      713KB

    • MD5

      223c59e071cfa0c3931a18df26669606

    • SHA1

      666735c53a6fe5569d61598b5769f180089957ba

    • SHA256

      d3cd3076d9df007e13f80cb032ccceefb8017ef6f3ea80cc02b5f0f737405075

    • SHA512

      671a4c67c49b722ac0b971b122d4a5724ce05ee87e4dd05f6d8c7cccc89e0c23b30e3d482d4dc564f2c1a977b0e4787d01663c46f7680444c613860d8f3355af

    • SSDEEP

      12288:XJEm10Qb/p87R9ZUH4PJZhr3MKnkUqwSlJZRQbLv5BnPg5qC3hnuMd9A3Fu:XJT1jzp87RsHSfhDMKnkUTgZGLvbPKqI

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      xgvxyzvxwt.au3

    • Size

      6KB

    • MD5

      cea25eafec4235e42120c4492dc98b5c

    • SHA1

      fa9a75cc2cdea3d78241b2b48573f0d7b75e9bc3

    • SHA256

      dde1986fe665769b139c1f90acde795ba56c87d3cf919cde2d17ba2a65f1a47b

    • SHA512

      dbe16e29af68d885790bf01b8f72de1879714ddc0f9e939fd169b5507966fc91df96de6c0dc1110482e16f7f1eeca0f9e5c546d151686b1251790e6197ffbc50

    • SSDEEP

      96:WRussTtP++tTYtRu8tdRussTtP++tRLPY8tORussRL8sURs/sYwIYTRP4/u8PqZj:WR7+QKYxP+QpUD0+ZncCF4SReT

    Score: 1/10

    • Target

      zhwhki.exe

    • Size

      925KB

    • MD5

      0adb9b817f1df7807576c2d7068dd931

    • SHA1

      4a1b94a9a5113106f40cd8ea724703734d15f118

    • SHA256

      98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

    • SHA512

      883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

    • SSDEEP

      24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK

    Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks