snakekeylogger | fcc4c935f6f38fdf9627ac990daa904194fd82410fac6c91d048c837d5190d86

General

Target

hesaphareketi-01.pdf.exe
Size

448KB
MD5

70d0d83b5d6d7fb5e5e3632bfb7521aa
SHA1

040e1622566652109964456a3af18e866c9da686
SHA256

fcc4c935f6f38fdf9627ac990daa904194fd82410fac6c91d048c837d5190d86
SHA512

d2890e009971d6d028426cd4267826d41fbc1145e81c3442c1d854c8bb05c2d8735074777b6b075041104ac09561fb6ae9dee5c5d9da362ee653671e03ea358e
SSDEEP

6144:SYa6H/tWlDPkRUB/1k7oOP4mdQVdEenj9G/k/UVNrqqHax:SYd/tUkUBywJZG8/S/6

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/1532-147-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger

Executes dropped EXE 5 IoCs

pid	Process
1216	oolij.exe
2368	oolij.exe
1624	oolij.exe
1764	oolij.exe
1532	oolij.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	oolij.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	oolij.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	oolij.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1216 set thread context of 1532	1216	oolij.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1532	oolij.exe
1532	oolij.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1216	oolij.exe
1216	oolij.exe
1216	oolij.exe
1216	oolij.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	oolij.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 1216	964	hesaphareketi-01.pdf.exe	82
PID 964 wrote to memory of 1216	964	hesaphareketi-01.pdf.exe	82
PID 964 wrote to memory of 1216	964	hesaphareketi-01.pdf.exe	82
PID 1216 wrote to memory of 2368	1216	oolij.exe	83
PID 1216 wrote to memory of 2368	1216	oolij.exe	83
PID 1216 wrote to memory of 2368	1216	oolij.exe	83
PID 1216 wrote to memory of 1624	1216	oolij.exe	84
PID 1216 wrote to memory of 1624	1216	oolij.exe	84
PID 1216 wrote to memory of 1624	1216	oolij.exe	84
PID 1216 wrote to memory of 1764	1216	oolij.exe	85
PID 1216 wrote to memory of 1764	1216	oolij.exe	85
PID 1216 wrote to memory of 1764	1216	oolij.exe	85
PID 1216 wrote to memory of 1532	1216	oolij.exe	86
PID 1216 wrote to memory of 1532	1216	oolij.exe	86
PID 1216 wrote to memory of 1532	1216	oolij.exe	86
PID 1216 wrote to memory of 1532	1216	oolij.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	oolij.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	oolij.exe

C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:964
- C:\Users\Admin\AppData\Local\Temp\oolij.exe
  "C:\Users\Admin\AppData\Local\Temp\oolij.exe" C:\Users\Admin\AppData\Local\Temp\xvwiscty.wv
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\oolij.exe
    "C:\Users\Admin\AppData\Local\Temp\oolij.exe"
    3⤵
    - Executes dropped EXE
    PID:2368
- - C:\Users\Admin\AppData\Local\Temp\oolij.exe
    "C:\Users\Admin\AppData\Local\Temp\oolij.exe"
    3⤵
    - Executes dropped EXE
    PID:1624
- - C:\Users\Admin\AppData\Local\Temp\oolij.exe
    "C:\Users\Admin\AppData\Local\Temp\oolij.exe"
    3⤵
    - Executes dropped EXE
    PID:1764
- - C:\Users\Admin\AppData\Local\Temp\oolij.exe
    "C:\Users\Admin\AppData\Local\Temp\oolij.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mzsughaoi.q

Filesize
225KB

MD5
708f9d6d32d86d8afaf725ce3320e371

SHA1
852c73c06d74d4194de8d021929283564a9b123f

SHA256
2b805873b1b2669742e324ceaa3881090accca751484fbf6d921295f3da6d1de

SHA512
e6c622c91402cafd592b980560c6ed58ff5b80a1b1ed6313de97c0a721d1fbeedf03b98b0b8352cb200c4cf681a9b3aaf0e382d4aea80340a1debe4c3a61fde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oolij.exe

Filesize
139KB

MD5
2273a7f409d6a005d9697594e1d353d6

SHA1
15be90fcca12c6bc7e3220806d5c3976f6d19934

SHA256
a80e5748a001a0c72f25849499ce23dc311dc02fd000d79fb1e70872b3f5a816

SHA512
a297c77210b39582a0ca54b13ffe5a8d96d35216a4ccace82faf0f1dfaa9e0b46477436941b8ef9dfbef659fa278ed698ecc87fc901e499da3ab8584d5ebd7a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oolij.exe

Filesize
139KB

MD5
2273a7f409d6a005d9697594e1d353d6

SHA1
15be90fcca12c6bc7e3220806d5c3976f6d19934

SHA256
a80e5748a001a0c72f25849499ce23dc311dc02fd000d79fb1e70872b3f5a816

SHA512
a297c77210b39582a0ca54b13ffe5a8d96d35216a4ccace82faf0f1dfaa9e0b46477436941b8ef9dfbef659fa278ed698ecc87fc901e499da3ab8584d5ebd7a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oolij.exe

Filesize
139KB

MD5
2273a7f409d6a005d9697594e1d353d6

SHA1
15be90fcca12c6bc7e3220806d5c3976f6d19934

SHA256
a80e5748a001a0c72f25849499ce23dc311dc02fd000d79fb1e70872b3f5a816

SHA512
a297c77210b39582a0ca54b13ffe5a8d96d35216a4ccace82faf0f1dfaa9e0b46477436941b8ef9dfbef659fa278ed698ecc87fc901e499da3ab8584d5ebd7a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oolij.exe

Filesize
139KB

MD5
2273a7f409d6a005d9697594e1d353d6

SHA1
15be90fcca12c6bc7e3220806d5c3976f6d19934

SHA256
a80e5748a001a0c72f25849499ce23dc311dc02fd000d79fb1e70872b3f5a816

SHA512
a297c77210b39582a0ca54b13ffe5a8d96d35216a4ccace82faf0f1dfaa9e0b46477436941b8ef9dfbef659fa278ed698ecc87fc901e499da3ab8584d5ebd7a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oolij.exe

Filesize
139KB

MD5
2273a7f409d6a005d9697594e1d353d6

SHA1
15be90fcca12c6bc7e3220806d5c3976f6d19934

SHA256
a80e5748a001a0c72f25849499ce23dc311dc02fd000d79fb1e70872b3f5a816

SHA512
a297c77210b39582a0ca54b13ffe5a8d96d35216a4ccace82faf0f1dfaa9e0b46477436941b8ef9dfbef659fa278ed698ecc87fc901e499da3ab8584d5ebd7a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oolij.exe

Filesize
139KB

MD5
2273a7f409d6a005d9697594e1d353d6

SHA1
15be90fcca12c6bc7e3220806d5c3976f6d19934

SHA256
a80e5748a001a0c72f25849499ce23dc311dc02fd000d79fb1e70872b3f5a816

SHA512
a297c77210b39582a0ca54b13ffe5a8d96d35216a4ccace82faf0f1dfaa9e0b46477436941b8ef9dfbef659fa278ed698ecc87fc901e499da3ab8584d5ebd7a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvwiscty.wv

Filesize
5KB

MD5
a92c5cc7f8834bdfd2e5d59f24b11dc4

SHA1
39686349be1ae96120dd7e8a4dd43b17cc79378f

SHA256
3021d3f71759850a8dbb841d43a16942e2df0f45a0dfbd87408c640df4adc0c4

SHA512
87a62c9f6db22caeb69f6ceac5bed117a3128b7c837175c555fcb5a72db5496892c26c7a79b7d523e6fcb81e2a6112e111e8f71cb8b80d804873dece6bb2faa5

Download Submit
memory/1532-145-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/1532-146-0x0000000004EE0000-0x0000000004F7C000-memory.dmp

Filesize
624KB

Download
memory/1532-147-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1532-148-0x00000000061F0000-0x00000000063B2000-memory.dmp

Filesize
1.8MB

Download
memory/1532-149-0x00000000060C0000-0x0000000006152000-memory.dmp

Filesize
584KB

Download
memory/1532-150-0x0000000006050000-0x000000000605A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing