snakekeylogger | ffd9ef759aa1fbd3370a8410771878b7ae941d0c60c5ce41d705aa18e4e59958

General

Target

REQUIRED UPDATED SOA.pdf.exe
Size

591KB
MD5

ee7673e9718c0ea2c15cc3b75548fea6
SHA1

04fe416ede15f7a0873609fe0660263a6cb7dd95
SHA256

ffd9ef759aa1fbd3370a8410771878b7ae941d0c60c5ce41d705aa18e4e59958
SHA512

5077e3d64e5309eb54d4e1c85b121847d0a038301008e0c0a732303e6be85ebd9e6553c662268530110233babe4f8dce7156c2a58398ca827818892713245328

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4004-7-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 checkip.dyndns.org
12 freegeoip.app
13 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

REQUIRED UPDATED SOA.pdf.exe

description pid process target process

PID 756 set thread context of 4004 756 REQUIRED UPDATED SOA.pdf.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3908 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid process

4004 MSBuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

REQUIRED UPDATED SOA.pdf.exe

pid process

756 REQUIRED UPDATED SOA.pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 4004 MSBuild.exe

flow	ioc
7	checkip.dyndns.org
12	freegeoip.app
13	freegeoip.app

description	pid	process	target process
PID 756 set thread context of 4004	756	REQUIRED UPDATED SOA.pdf.exe	MSBuild.exe

pid	process
3908	schtasks.exe

pid	process
4004	MSBuild.exe

pid	process
756	REQUIRED UPDATED SOA.pdf.exe

description	pid	process
Token: SeDebugPrivilege	4004	MSBuild.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

REQUIRED UPDATED SOA.pdf.execmd.exe

description	pid	process	target process
PID 756 wrote to memory of 3824	756	REQUIRED UPDATED SOA.pdf.exe	cmd.exe
PID 756 wrote to memory of 3824	756	REQUIRED UPDATED SOA.pdf.exe	cmd.exe
PID 756 wrote to memory of 3824	756	REQUIRED UPDATED SOA.pdf.exe	cmd.exe
PID 756 wrote to memory of 4004	756	REQUIRED UPDATED SOA.pdf.exe	MSBuild.exe
PID 756 wrote to memory of 4004	756	REQUIRED UPDATED SOA.pdf.exe	MSBuild.exe
PID 756 wrote to memory of 4004	756	REQUIRED UPDATED SOA.pdf.exe	MSBuild.exe
PID 756 wrote to memory of 4004	756	REQUIRED UPDATED SOA.pdf.exe	MSBuild.exe
PID 3824 wrote to memory of 3908	3824	cmd.exe	schtasks.exe
PID 3824 wrote to memory of 3908	3824	cmd.exe	schtasks.exe
PID 3824 wrote to memory of 3908	3824	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\REQUIRED UPDATED SOA.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\REQUIRED UPDATED SOA.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\a249e9defd4e4abc8bec7fe2e6447734.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\a249e9defd4e4abc8bec7fe2e6447734.xml"
3⤵
- Creates scheduled task(s)
PID:3908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\REQUIRED UPDATED SOA.pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a249e9defd4e4abc8bec7fe2e6447734.xml
MD5
aa2f6636e997aaa0b01fbc78b1dabe52

SHA1
fd462100fc91975dcbea8e361cf1eb8a70f6ad54

SHA256
d710b6eda22285684579d8b547e5be2f48883c4bf8db39993b00df30f9dc8723

SHA512
6540a3bbdbd3ab51679d5b32380e6c288bf6eba2777d067d40bfe65642ccafecd18028b102dfa46ac189d84282da2b6cb202a4f307587c5639f86834788f5104

Download Submit
memory/3824-2-0x0000000000000000-mapping.dmp

Download
memory/3908-4-0x0000000000000000-mapping.dmp

Download
memory/4004-3-0x00000000004643AE-mapping.dmp

Download
memory/4004-6-0x0000000073B30000-0x000000007421E000-memory.dmp

Filesize
6.9MB

Download
memory/4004-7-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4004-9-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/4004-10-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/4004-11-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/4004-12-0x0000000006050000-0x0000000006051000-memory.dmp

Filesize
4KB

Download
memory/4004-13-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/4004-14-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads