snakekeylogger | 7c6d1379dd3786047f63cb90f2f318c00ac1483c6a5f6e00ad8efb6240a6548c

General

Target

6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
Size

1.2MB
MD5

6f9a9e4bf7982b48dda0ba7fd67c39d7
SHA1

41d9e74977d68ce1744744e6bfe0171d6b4b895e
SHA256

7c6d1379dd3786047f63cb90f2f318c00ac1483c6a5f6e00ad8efb6240a6548c
SHA512

03f450beb73ada241517cc8f03f48b4b4268a52766742e25e77fdab0ab0b916a29c6429a6a23c82991ff71571b76899db42b3dca8251dcda2385598ce19a894e

Score

10^/10

snakekeylogger keylogger persistence ransomware spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2576-29-0x0000000000400000-0x0000000000468000-memory.dmp	family_snakekeylogger
behavioral2/memory/2576-30-0x0000000000463B7E-mapping.dmp	family_snakekeylogger

Executes dropped EXE 2 IoCs

Processes:

rokg.exeInstallUtil.exe

pid process

2188 rokg.exe
2576 InstallUtil.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2188	rokg.exe
2576	InstallUtil.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\bme = "C:\\Users\\Admin\\rokg.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 freegeoip.app
25 freegeoip.app
21 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

rokg.exe

description pid process target process

PID 2188 set thread context of 2576 2188 rokg.exe InstallUtil.exe

flow	ioc
24	freegeoip.app
25	freegeoip.app
21	checkip.dyndns.org

description	pid	process	target process
PID 2188 set thread context of 2576	2188	rokg.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

6f9a9e4bf7982b48dda0ba7fd67c39d7.exerokg.exeInstallUtil.exe

pid	process
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
2188	rokg.exe
2188	rokg.exe
2576	InstallUtil.exe
2576	InstallUtil.exe
2576	InstallUtil.exe
2576	InstallUtil.exe
2576	InstallUtil.exe
2576	InstallUtil.exe
2576	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

6f9a9e4bf7982b48dda0ba7fd67c39d7.exerokg.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
Token: SeDebugPrivilege	2188	rokg.exe
Token: SeDebugPrivilege	2576	InstallUtil.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

6f9a9e4bf7982b48dda0ba7fd67c39d7.execmd.exerokg.exe

description	pid	process	target process
PID 4052 wrote to memory of 3728	4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe	cmd.exe
PID 4052 wrote to memory of 3728	4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe	cmd.exe
PID 4052 wrote to memory of 3728	4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe	cmd.exe
PID 3728 wrote to memory of 3712	3728	cmd.exe	reg.exe
PID 3728 wrote to memory of 3712	3728	cmd.exe	reg.exe
PID 3728 wrote to memory of 3712	3728	cmd.exe	reg.exe
PID 4052 wrote to memory of 2188	4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe	rokg.exe
PID 4052 wrote to memory of 2188	4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe	rokg.exe
PID 4052 wrote to memory of 2188	4052	6f9a9e4bf7982b48dda0ba7fd67c39d7.exe	rokg.exe
PID 2188 wrote to memory of 2576	2188	rokg.exe	InstallUtil.exe
PID 2188 wrote to memory of 2576	2188	rokg.exe	InstallUtil.exe
PID 2188 wrote to memory of 2576	2188	rokg.exe	InstallUtil.exe
PID 2188 wrote to memory of 2576	2188	rokg.exe	InstallUtil.exe
PID 2188 wrote to memory of 2576	2188	rokg.exe	InstallUtil.exe
PID 2188 wrote to memory of 2576	2188	rokg.exe	InstallUtil.exe
PID 2188 wrote to memory of 2576	2188	rokg.exe	InstallUtil.exe
PID 2188 wrote to memory of 2576	2188	rokg.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\6f9a9e4bf7982b48dda0ba7fd67c39d7.exe
"C:\Users\Admin\AppData\Local\Temp\6f9a9e4bf7982b48dda0ba7fd67c39d7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bme" /t REG_SZ /d "C:\Users\Admin\rokg.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bme" /t REG_SZ /d "C:\Users\Admin\rokg.exe"
    3⤵
    - Adds Run key to start application
    PID:3712
- C:\Users\Admin\rokg.exe
  "C:\Users\Admin\rokg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\rokg.exe

MD5
6f9a9e4bf7982b48dda0ba7fd67c39d7

SHA1
41d9e74977d68ce1744744e6bfe0171d6b4b895e

SHA256
7c6d1379dd3786047f63cb90f2f318c00ac1483c6a5f6e00ad8efb6240a6548c

SHA512
03f450beb73ada241517cc8f03f48b4b4268a52766742e25e77fdab0ab0b916a29c6429a6a23c82991ff71571b76899db42b3dca8251dcda2385598ce19a894e

Download Submit
C:\Users\Admin\rokg.exe

MD5
6f9a9e4bf7982b48dda0ba7fd67c39d7

SHA1
41d9e74977d68ce1744744e6bfe0171d6b4b895e

SHA256
7c6d1379dd3786047f63cb90f2f318c00ac1483c6a5f6e00ad8efb6240a6548c

SHA512
03f450beb73ada241517cc8f03f48b4b4268a52766742e25e77fdab0ab0b916a29c6429a6a23c82991ff71571b76899db42b3dca8251dcda2385598ce19a894e

Download Submit
memory/2188-14-0x0000000000000000-mapping.dmp

Download
memory/2188-28-0x0000000008CA0000-0x0000000008CA1000-memory.dmp

Filesize
4KB

Download
memory/2188-27-0x0000000008C90000-0x0000000008C9B000-memory.dmp

Filesize
44KB

Download
memory/2188-26-0x0000000002871000-0x0000000002872000-memory.dmp

Filesize
4KB

Download
memory/2188-23-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2188-17-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-29-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2576-36-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/2576-41-0x0000000005EE0000-0x0000000005EE1000-memory.dmp

Filesize
4KB

Download
memory/2576-39-0x0000000005F50000-0x0000000005F51000-memory.dmp

Filesize
4KB

Download
memory/2576-38-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2576-33-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-30-0x0000000000463B7E-mapping.dmp

Download
memory/3712-12-0x0000000000000000-mapping.dmp

Download
memory/3728-11-0x0000000000000000-mapping.dmp

Download
memory/4052-6-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4052-2-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/4052-8-0x0000000005C50000-0x0000000005C6E000-memory.dmp

Filesize
120KB

Download
memory/4052-5-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/4052-3-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4052-9-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4052-13-0x0000000005251000-0x0000000005252000-memory.dmp

Filesize
4KB

Download
memory/4052-10-0x0000000008560000-0x0000000008561000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads