General

  • Target

    P20221003.10-03-22.pdf.exe

  • Size

    800KB

  • Sample

    221003-jptf5sfdcl

  • MD5

    1d6ae298785d1bf86b6f6ee0444bf2e1

  • SHA1

    1da339188e32284ac3ad994d0eabb8cefee51e3c

  • SHA256

    9cad0a5b9895504044ad8a18086d5ef9a5ad3d48d83cfbe7f216b596ed0a8716

  • SHA512

    6b67b82b3fa6067803c4bef7e2ff27a143f693439926bfed1c297a89fb9a43179b1dc46c6f63c3331ec3f91dd172cd04bc22231342b463ca783973b3ba4be258

  • SSDEEP

    12288:GK4HTN24WqmpOvD++3hRfSmAeQAm/X6CLsskQ++A:XpPQR8AmyCmQ++A

Malware Config

Extracted

  • Family: snakekeylogger

Credentials

  • Protocol: smtp
  • Host: mail.ckjksb.com
  • Port: 587
  • Username: jannah@ckjksb.com
  • Password: 123@ckjksb456
  • Email To: aguzziisnc@gmail.com

Targets

    • Target

      P20221003.10-03-22.pdf.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files, T1081 (3)
  • Collection: Data from Local System, T1005 (3)
  • Collection: Email Collection, T1114 (1)

Tasks