Overview

overview

10

Static

static

5

jopik.exe

windows10-ltsc_2021-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    jopik.exe

  • Size

    3.1MB

  • Sample

    250329-r3125swrw4

  • MD5

    25af61a744bdfb7be6e811a1119d55f6

  • SHA1

    c4352f21b66710e390592d50ae5914ce0c33cf56

  • SHA256

    babed92f8fa49db0ca046162e82f7e2403f33c4ca9ea5097ba981a5d3d365793

  • SHA512

    3b7bc8129c5fec44139d502b2c410680724bac368aa17094f6191d57e4f8fac182f28e86f8db512d0472e088540449171602a4f3b0db96b6811b7fb73f4580dc

  • SSDEEP

    98304:jqmG8KBY7G6G6GCKuuhjtdtyDzPcuBol:2mv/G6Yad7a

Score
10/10
dcratsalatstealercredential_accessdiscoveryexecutioninfostealerratspywarestealerupx

Malware Config

Targets

    • Target

      jopik.exe

    • Size

      3.1MB

    • MD5

      25af61a744bdfb7be6e811a1119d55f6

    • SHA1

      c4352f21b66710e390592d50ae5914ce0c33cf56

    • SHA256

      babed92f8fa49db0ca046162e82f7e2403f33c4ca9ea5097ba981a5d3d365793

    • SHA512

      3b7bc8129c5fec44139d502b2c410680724bac368aa17094f6191d57e4f8fac182f28e86f8db512d0472e088540449171602a4f3b0db96b6811b7fb73f4580dc

    • SSDEEP

      98304:jqmG8KBY7G6G6GCKuuhjtdtyDzPcuBol:2mv/G6Yad7a

    Score
    10/10
    dcratsalatstealercredential_accessdiscoveryexecutioninfostealerratspywarestealerupx

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Detect SalatStealer payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Salatstealer family

      salatstealer

    • salatstealer

      SalatStealer is a stealer that takes sceenshot written in Golang.

      stealersalatstealer

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Exfiltration

Impact

Tasks