snakekeylogger | 921ea85f3c9d84dde8b418204182e995e6ee76d4e535040011ae3f2d38f0567a

General

Target

Important document.js
Size

500KB
MD5

65844424ec024268d4fae0eed0ac3ae3
SHA1

0da1d25fef40ebfe9402e9cb9eece1a5910f8a4d
SHA256

921ea85f3c9d84dde8b418204182e995e6ee76d4e535040011ae3f2d38f0567a
SHA512

36399426a509ffe9c3efacedb7444118efe6b12b17d9ec95cb5a94844fd0f6842421370a3d0845452ee34a25d4763c0d2b54e6766041d6b30dc81b93847801b5

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5586430366:AAFjeHBk7bdKMUv-eDHosbyPidpPJlQ0mrE/sendMessage?chat_id=1919487512

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Tempwinlogon.exe	family_snakekeylogger
C:\Users\Admin\AppData\Local\Tempwinlogon.exe	family_snakekeylogger
behavioral2/memory/4512-137-0x0000000000EC0000-0x0000000000EE4000-memory.dmp	family_snakekeylogger

Executes dropped EXE 1 IoCs

Processes:

Tempwinlogon.exe

pid process

4512 Tempwinlogon.exe

pid	process
4512	Tempwinlogon.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	wscript.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Tempwinlogon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Tempwinlogon.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Tempwinlogon.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Tempwinlogon.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Tempwinlogon.exe

pid process

4512 Tempwinlogon.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Tempwinlogon.exe

description pid process

Token: SeDebugPrivilege 4512 Tempwinlogon.exe

flow	ioc
7	checkip.dyndns.org

pid	process
4512	Tempwinlogon.exe

description	pid	process
Token: SeDebugPrivilege	4512	Tempwinlogon.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 4836 wrote to memory of 4640	4836	wscript.exe	wscript.exe
PID 4836 wrote to memory of 4640	4836	wscript.exe	wscript.exe
PID 4836 wrote to memory of 4628	4836	wscript.exe	wscript.exe
PID 4836 wrote to memory of 4628	4836	wscript.exe	wscript.exe
PID 4628 wrote to memory of 4512	4628	wscript.exe	Tempwinlogon.exe
PID 4628 wrote to memory of 4512	4628	wscript.exe	Tempwinlogon.exe
PID 4628 wrote to memory of 4512	4628	wscript.exe	Tempwinlogon.exe

outlook_office_path 1 IoCs

Processes:

Tempwinlogon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Tempwinlogon.exe

outlook_win_path 1 IoCs

Processes:

Tempwinlogon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Tempwinlogon.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Important document.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ekWBdaOMUA.js"
2⤵
PID:4640

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\aluko.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4628

C:\Users\Admin\AppData\Local\Tempwinlogon.exe
"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aluko.vbs
Filesize
251KB

MD5
3a36942126879effa3fe26d9926a9147

SHA1
3306b784f856c3a06ce479b6579b15c649ded9ba

SHA256
ee6e33b54aff072022738b14557bf1f57854248fcc02b00e76b67d85a3209d59

SHA512
8f8f6cdb0df4e17c38abe13dc69917ea01d2962777b41f8ab4afe86e954539e8559f56d8c30267677978964d6cb6a4d572c7055379b9fcd369c95a730ade897a

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
Filesize
125KB

MD5
1a676d0a6d36706780d39e0ce407b07c

SHA1
7a160008f83d47c8aaac4217d215dc7d7fe3c8be

SHA256
457344c8d0d3d4b3d1b82f7de9bcb8d275195d2426ff8e1173bd35450d267c38

SHA512
705b5d5ea3a08abe6eb43290e60f683453cddef7c6930818513bec1da6e660dd24bd8aa88587006a0a8629db7c21960d5e5e80f5927fc63435e64fa847d55088

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
Filesize
125KB

MD5
1a676d0a6d36706780d39e0ce407b07c

SHA1
7a160008f83d47c8aaac4217d215dc7d7fe3c8be

SHA256
457344c8d0d3d4b3d1b82f7de9bcb8d275195d2426ff8e1173bd35450d267c38

SHA512
705b5d5ea3a08abe6eb43290e60f683453cddef7c6930818513bec1da6e660dd24bd8aa88587006a0a8629db7c21960d5e5e80f5927fc63435e64fa847d55088

Download Submit
C:\Users\Admin\AppData\Roaming\ekWBdaOMUA.js
Filesize
18KB

MD5
e445aa72496efa7c501b9e4d24603a07

SHA1
6a6a3ee3e023cf5a10f6ad0dc91d309ec38d4fd8

SHA256
695dff9c08fd7338e8cc6ce54316e4afc68325e46aa2a1980160efdcbaf910d7

SHA512
590fbd7ac17785556fece5962cac0d21342775785f73f040bded06bbf16e4b0c72d13d3be4b3766a09ec00944c925782b36ce408883a1b9cac0094bf8978e30c

Download Submit
memory/4512-134-0x0000000000000000-mapping.dmp

Download
memory/4512-137-0x0000000000EC0000-0x0000000000EE4000-memory.dmp

Filesize
144KB

Download
memory/4512-138-0x0000000005E90000-0x0000000006434000-memory.dmp

Filesize
5.6MB

Download
memory/4512-139-0x00000000058E0000-0x000000000597C000-memory.dmp

Filesize
624KB

Download
memory/4512-140-0x0000000006D10000-0x0000000006ED2000-memory.dmp

Filesize
1.8MB

Download
memory/4512-141-0x0000000006EE0000-0x0000000006F72000-memory.dmp

Filesize
584KB

Download
memory/4512-142-0x0000000006C90000-0x0000000006C9A000-memory.dmp

Filesize
40KB

Download
memory/4628-131-0x0000000000000000-mapping.dmp

Download
memory/4640-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads