snakekeylogger | b0d13254f457837743f01ea116e6c8086f418221fe5619d9baf5db806fbe54b3

General

Target

BELL210 AND ALLOUETTE III.js
Size

8.8MB
MD5

dfb37335684d81ea565f5281c9a799e4
SHA1

ba58fc83b2a10b111c6db6ae31ee03cfd201b8fc
SHA256

e5a333dae12ac8664bcc0bd12b991ec8095256e4aaf15f6afeb5b014e70146ed
SHA512

e055886a61b86402a3ed136fa33bda70106b6904e4c2b4a6b1f685923c281f2f1a66ee1dea0f589f7b0de52498d40b56825a892c09effbbabd527bd72825433b
SSDEEP

3072:AiePnmJZBc9hVWQlxlclBwd0PGGGUSJREQX4ULG9LbuewHVP3eJuR0RfuzkQYhsY:V

Score

10^/10

snakekeylogger vjw0rm keylogger stealer trojan worm

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5958393772:AAGyX-afxRqNUOVdPT528XtfkgekWKm1kNE/sendMessage?chat_id=1407227065

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012308-59.dat	family_snakekeylogger
behavioral1/files/0x000a000000012308-60.dat	family_snakekeylogger
behavioral1/memory/556-61-0x0000000000B20000-0x0000000000B46000-memory.dmp	family_snakekeylogger
behavioral1/files/0x000a000000012308-67.dat	family_snakekeylogger
behavioral1/files/0x000a000000012308-66.dat	family_snakekeylogger
behavioral1/files/0x000a000000012308-65.dat	family_snakekeylogger
behavioral1/files/0x000a000000012308-64.dat	family_snakekeylogger
behavioral1/files/0x000a000000012308-68.dat	family_snakekeylogger

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 13 IoCs

flow	pid	Process
6	932	wscript.exe
9	932	wscript.exe
10	932	wscript.exe
12	932	wscript.exe
14	932	wscript.exe
15	932	wscript.exe
17	932	wscript.exe
19	932	wscript.exe
20	932	wscript.exe
23	932	wscript.exe
24	932	wscript.exe
25	932	wscript.exe
27	932	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QBFewEVTLk.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QBFewEVTLk.js	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
556	DUTYGRACE1.exe

Loads dropped DLL 5 IoCs

pid	Process
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	checkip.dyndns.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1400	556	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
556	DUTYGRACE1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	556	DUTYGRACE1.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 932	1352	wscript.exe	28
PID 1352 wrote to memory of 932	1352	wscript.exe	28
PID 1352 wrote to memory of 932	1352	wscript.exe	28
PID 1352 wrote to memory of 556	1352	wscript.exe	30
PID 1352 wrote to memory of 556	1352	wscript.exe	30
PID 1352 wrote to memory of 556	1352	wscript.exe	30
PID 1352 wrote to memory of 556	1352	wscript.exe	30
PID 556 wrote to memory of 1400	556	DUTYGRACE1.exe	36
PID 556 wrote to memory of 1400	556	DUTYGRACE1.exe	36
PID 556 wrote to memory of 1400	556	DUTYGRACE1.exe	36
PID 556 wrote to memory of 1400	556	DUTYGRACE1.exe	36

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\BELL210 AND ALLOUETTE III.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QBFewEVTLk.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:932
- C:\Users\Admin\AppData\Roaming\DUTYGRACE1.exe
  "C:\Users\Admin\AppData\Roaming\DUTYGRACE1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 1052
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DUTYGRACE1.exe

Filesize
127KB

MD5
0f6feb76652ce94eb9f69ca25996ff0c

SHA1
30aef62f9aeff234e5a751bb7bcdd91f90edbefb

SHA256
2b73794839ef377a2a8bc67263a2b706cec30ac5d90cdf372ee2eaeeb0eb4bc7

SHA512
910c17a265a8ce17c6f4798fd70be17cc2089e9b84435e408ed6886cee3b699013b27d42d3a91eddb0c9acb648f1b0f3f4c1521bdaa1cf63f7454349d100da62

Download Submit
C:\Users\Admin\AppData\Roaming\DUTYGRACE1.exe

Filesize
127KB

MD5
0f6feb76652ce94eb9f69ca25996ff0c

SHA1
30aef62f9aeff234e5a751bb7bcdd91f90edbefb

SHA256
2b73794839ef377a2a8bc67263a2b706cec30ac5d90cdf372ee2eaeeb0eb4bc7

SHA512
910c17a265a8ce17c6f4798fd70be17cc2089e9b84435e408ed6886cee3b699013b27d42d3a91eddb0c9acb648f1b0f3f4c1521bdaa1cf63f7454349d100da62

Download Submit
C:\Users\Admin\AppData\Roaming\QBFewEVTLk.js

Filesize
1.1MB

MD5
893f41a7e7737649381e8f4992a1dff6

SHA1
2b3c8f5cd84b1f4ef28568fe9b45ed5f86144ab4

SHA256
71ace751f1e01a97aa5fef9ac924d0f2c6aeb7b1788d25ea47e069b13c0b85a3

SHA512
1145852ccc47ba5f608fbb771b01623cb2dd74d64a34e0cd8e29647fa3c34f8bbaa456c29d0fe906aa85899fd8d2eae46fb32e65e9e11586c1e11bfd9944834f

Download Submit
\Users\Admin\AppData\Roaming\DUTYGRACE1.exe

Filesize
127KB

MD5
0f6feb76652ce94eb9f69ca25996ff0c

SHA1
30aef62f9aeff234e5a751bb7bcdd91f90edbefb

SHA256
2b73794839ef377a2a8bc67263a2b706cec30ac5d90cdf372ee2eaeeb0eb4bc7

SHA512
910c17a265a8ce17c6f4798fd70be17cc2089e9b84435e408ed6886cee3b699013b27d42d3a91eddb0c9acb648f1b0f3f4c1521bdaa1cf63f7454349d100da62

Download Submit
\Users\Admin\AppData\Roaming\DUTYGRACE1.exe

Filesize
127KB

MD5
0f6feb76652ce94eb9f69ca25996ff0c

SHA1
30aef62f9aeff234e5a751bb7bcdd91f90edbefb

SHA256
2b73794839ef377a2a8bc67263a2b706cec30ac5d90cdf372ee2eaeeb0eb4bc7

SHA512
910c17a265a8ce17c6f4798fd70be17cc2089e9b84435e408ed6886cee3b699013b27d42d3a91eddb0c9acb648f1b0f3f4c1521bdaa1cf63f7454349d100da62

Download Submit
\Users\Admin\AppData\Roaming\DUTYGRACE1.exe

Filesize
127KB

MD5
0f6feb76652ce94eb9f69ca25996ff0c

SHA1
30aef62f9aeff234e5a751bb7bcdd91f90edbefb

SHA256
2b73794839ef377a2a8bc67263a2b706cec30ac5d90cdf372ee2eaeeb0eb4bc7

SHA512
910c17a265a8ce17c6f4798fd70be17cc2089e9b84435e408ed6886cee3b699013b27d42d3a91eddb0c9acb648f1b0f3f4c1521bdaa1cf63f7454349d100da62

Download Submit
\Users\Admin\AppData\Roaming\DUTYGRACE1.exe

Filesize
127KB

MD5
0f6feb76652ce94eb9f69ca25996ff0c

SHA1
30aef62f9aeff234e5a751bb7bcdd91f90edbefb

SHA256
2b73794839ef377a2a8bc67263a2b706cec30ac5d90cdf372ee2eaeeb0eb4bc7

SHA512
910c17a265a8ce17c6f4798fd70be17cc2089e9b84435e408ed6886cee3b699013b27d42d3a91eddb0c9acb648f1b0f3f4c1521bdaa1cf63f7454349d100da62

Download Submit
\Users\Admin\AppData\Roaming\DUTYGRACE1.exe

Filesize
127KB

MD5
0f6feb76652ce94eb9f69ca25996ff0c

SHA1
30aef62f9aeff234e5a751bb7bcdd91f90edbefb

SHA256
2b73794839ef377a2a8bc67263a2b706cec30ac5d90cdf372ee2eaeeb0eb4bc7

SHA512
910c17a265a8ce17c6f4798fd70be17cc2089e9b84435e408ed6886cee3b699013b27d42d3a91eddb0c9acb648f1b0f3f4c1521bdaa1cf63f7454349d100da62

Download Submit
memory/556-62-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/556-61-0x0000000000B20000-0x0000000000B46000-memory.dmp

Filesize
152KB

Download
memory/1352-54-0x000007FEFC091000-0x000007FEFC093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing