Overview

overview

10

Static

static

3

FOB offer_...DF.exe

windows7-x64

10

FOB offer_...DF.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    20c6ec74ad1e43aae5b69aea6d4b1b42_JaffaCakes118

  • Size

    409KB

  • Sample

    240703-czfjpsxckj

  • MD5

    20c6ec74ad1e43aae5b69aea6d4b1b42

  • SHA1

    c3e8ee2d6efed15ec0669e15936bb31c86d8c102

  • SHA256

    cd7cf68e758b93adf5235975a60ec227768dd5b2fd22ae7bf16f2ab7abd649cb

  • SHA512

    63fa857d2944b0b07b44830df3b4c6c2925f5a7a5f3d359466ce75f0e78219186741e05401edd068f320fca2c96f0523c6538ffc748b93d80f81ac87e86afe08

  • SSDEEP

    12288:UVWNvMd9BHHTGwjqHLp0t11KxV+2Oq3Gkd670ltclpErwc:UVwvwLHHTGZKH2+2OqWkYStc4Mc

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1684630187:AAEFGY0BaXEw8hZkuUl0wQsqybjnS4xy6Zg/sendMessage?chat_id=1293496579

Targets

    • Target

      FOB offer_1164087223_I0133P2100363812.PDF.exe

    • Size

      10.3MB

    • MD5

      7ba4d4c9cf05251587bfb06b0a7fd771

    • SHA1

      97d174a9b79922c51f2082e5276612d2893f4f0b

    • SHA256

      533c04ac4af3d1f5f5fa6acfedb144d5b48cff0625fb1c6b78d60f177e71bd0f

    • SHA512

      f8b6c0884c7e9f0e88afda32377c14e659ea8859c6eaa4566242610f4cb1d973225eed6df95f4bdbfbe861130a854eaf38559ce9ef8d3cfe29a7d9a272b523d1

    • SSDEEP

      24576:zCbYQjoBg3Jv4vtUg3IqZKWVsmFtrY1f+:4oBGuKg3IqZKWVpjk

    Score
    10/10
    snakekeyloggercollectionkeyloggerspywarestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks