snakekeylogger | f53b0fa70af0d73053259d43ea39414707a6472b793d561220aee8b21ceb8436

General

Target

CHIKWA.exe
Size

35KB
MD5

add9b88583e5da86b52a7747ebdff087
SHA1

277ac2d7b74ba414126c187e22ee93bbde025060
SHA256

f53b0fa70af0d73053259d43ea39414707a6472b793d561220aee8b21ceb8436
SHA512

679d8f135473a1d926868528859542d69198e2d62365cb7e7d7b61ba9ba7a82cb2329da04e0308a8b0237f1d63e2674f6bd72b77ad13100f2ea8b5a5e4ec2bce

Score

10^/10

snakekeylogger keylogger persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

CHIKWA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CHIKWA.exe\""	CHIKWA.exe

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/296-6-0x00000000053D0000-0x0000000005463000-memory.dmp	family_snakekeylogger
behavioral1/memory/1512-7-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger
behavioral1/memory/1512-8-0x000000000046571E-mapping.dmp	family_snakekeylogger
behavioral1/memory/1680-12-0x000000000046571E-mapping.dmp	family_snakekeylogger
behavioral1/memory/1512-13-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger
behavioral1/memory/1836-17-0x000000000046571E-mapping.dmp	family_snakekeylogger
behavioral1/memory/1516-21-0x000000000046571E-mapping.dmp	family_snakekeylogger
behavioral1/memory/1340-27-0x000000000046571E-mapping.dmp	family_snakekeylogger

Drops startup file 2 IoCs

Processes:

CHIKWA.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHIKWA.exe	CHIKWA.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHIKWA.exe	CHIKWA.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CHIKWA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHIKWA.exe"	CHIKWA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\CHIKWA.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHIKWA.exe"	CHIKWA.exe

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
40	freegeoip.app
41	freegeoip.app
12	checkip.dyndns.org
13	checkip.dyndns.org
36	freegeoip.app
37	freegeoip.app
39	freegeoip.app
11	checkip.dyndns.org
14	checkip.dyndns.org
35	freegeoip.app
38	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

CHIKWA.exe

pid	process
296	CHIKWA.exe
296	CHIKWA.exe
296	CHIKWA.exe
296	CHIKWA.exe
296	CHIKWA.exe
296	CHIKWA.exe
296	CHIKWA.exe
296	CHIKWA.exe
296	CHIKWA.exe
296	CHIKWA.exe
296	CHIKWA.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

CHIKWA.exe

description	pid	process	target process
PID 296 set thread context of 1512	296	CHIKWA.exe	CHIKWA.exe
PID 296 set thread context of 1680	296	CHIKWA.exe	CHIKWA.exe
PID 296 set thread context of 1836	296	CHIKWA.exe	CHIKWA.exe
PID 296 set thread context of 1516	296	CHIKWA.exe	CHIKWA.exe
PID 296 set thread context of 1340	296	CHIKWA.exe	CHIKWA.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

CHIKWA.exeCHIKWA.exeCHIKWA.exeCHIKWA.exeCHIKWA.exeCHIKWA.exe

pid	process
296	CHIKWA.exe
1512	CHIKWA.exe
1836	CHIKWA.exe
1680	CHIKWA.exe
1516	CHIKWA.exe
1340	CHIKWA.exe
1516	CHIKWA.exe
1836	CHIKWA.exe
1516	CHIKWA.exe
1836	CHIKWA.exe
1836	CHIKWA.exe
1516	CHIKWA.exe
1836	CHIKWA.exe
1516	CHIKWA.exe
1836	CHIKWA.exe
1516	CHIKWA.exe
1836	CHIKWA.exe
1516	CHIKWA.exe
1680	CHIKWA.exe
1680	CHIKWA.exe
1680	CHIKWA.exe
1680	CHIKWA.exe
1680	CHIKWA.exe
1680	CHIKWA.exe
1680	CHIKWA.exe
1516	CHIKWA.exe
1836	CHIKWA.exe
1512	CHIKWA.exe
1512	CHIKWA.exe
1512	CHIKWA.exe
1512	CHIKWA.exe
1512	CHIKWA.exe
1512	CHIKWA.exe
1512	CHIKWA.exe
1340	CHIKWA.exe
1340	CHIKWA.exe
1340	CHIKWA.exe
1340	CHIKWA.exe
1340	CHIKWA.exe
1340	CHIKWA.exe
1340	CHIKWA.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

CHIKWA.exeCHIKWA.exeCHIKWA.exeCHIKWA.exeCHIKWA.exeCHIKWA.exe

description	pid	process
Token: SeDebugPrivilege	296	CHIKWA.exe
Token: SeDebugPrivilege	1512	CHIKWA.exe
Token: SeDebugPrivilege	1836	CHIKWA.exe
Token: SeDebugPrivilege	1680	CHIKWA.exe
Token: SeDebugPrivilege	1516	CHIKWA.exe
Token: SeDebugPrivilege	1340	CHIKWA.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

CHIKWA.exe

description	pid	process	target process
PID 296 wrote to memory of 1512	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1512	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1512	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1512	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1512	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1512	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1512	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1512	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1512	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1680	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1680	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1680	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1680	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1680	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1680	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1680	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1680	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1680	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1836	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1836	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1836	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1836	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1836	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1836	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1836	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1836	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1836	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1516	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1516	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1516	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1516	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1516	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1516	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1516	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1516	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1516	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1340	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1340	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1340	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1340	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1340	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1340	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1340	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1340	296	CHIKWA.exe	CHIKWA.exe
PID 296 wrote to memory of 1340	296	CHIKWA.exe	CHIKWA.exe

C:\Users\Admin\AppData\Local\Temp\CHIKWA.exe
"C:\Users\Admin\AppData\Local\Temp\CHIKWA.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:296

C:\Users\Admin\AppData\Local\Temp\CHIKWA.exe
"C:\Users\Admin\AppData\Local\Temp\CHIKWA.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Users\Admin\AppData\Local\Temp\CHIKWA.exe
"C:\Users\Admin\AppData\Local\Temp\CHIKWA.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Users\Admin\AppData\Local\Temp\CHIKWA.exe
"C:\Users\Admin\AppData\Local\Temp\CHIKWA.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Users\Admin\AppData\Local\Temp\CHIKWA.exe
"C:\Users\Admin\AppData\Local\Temp\CHIKWA.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Users\Admin\AppData\Local\Temp\CHIKWA.exe
"C:\Users\Admin\AppData\Local\Temp\CHIKWA.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/296-11-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/296-3-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/296-5-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/296-6-0x00000000053D0000-0x0000000005463000-memory.dmp

Filesize
588KB

Download
memory/296-2-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/1340-29-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/1340-27-0x000000000046571E-mapping.dmp

Download
memory/1340-36-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1512-10-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/1512-13-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1512-8-0x000000000046571E-mapping.dmp

Download
memory/1512-33-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/1512-7-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1516-25-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/1516-21-0x000000000046571E-mapping.dmp

Download
memory/1516-37-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/1680-14-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/1680-32-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1680-12-0x000000000046571E-mapping.dmp

Download
memory/1836-31-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1836-18-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/1836-17-0x000000000046571E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads