snakekeylogger | 085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4

General

Target

018ccb52b75e10cd4a45aa22aa7b2342.exe
Size

304KB
MD5

018ccb52b75e10cd4a45aa22aa7b2342
SHA1

7f0033b4a3958e14d1959555bbfbd58e667d460b
SHA256

085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4
SHA512

13497efa83635329a0381f5e447bd47bd29bf7d1634c3909cb0537148d54e348c1455faa6b0246365d165eb1626a65a21acd410d70309ba40bfd6f73ef4c1e8f
SSDEEP

6144:hnPdudwDvX6XTt3LWygobl2qgZbyWI2ku6nQ+i1ic3OYBsXA7L:hnPdj6ZKygjq0IZnK1wYMy

Score

10^/10

snakekeylogger keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
posta.ni.net.tr
Port:
587
Username:
[email protected]
Password:
nilya1957
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2440-19-0x00000000001E0000-0x0000000000204000-memory.dmp	family_snakekeylogger
behavioral1/memory/2440-18-0x0000000004A00000-0x0000000004A40000-memory.dmp	family_snakekeylogger
behavioral1/memory/2440-16-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/2440-15-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/2440-11-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/2440-22-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger

Executes dropped EXE 2 IoCs

Processes:

rjxul.exerjxul.exe

pid process

2240 rjxul.exe
2440 rjxul.exe
Loads dropped DLL 2 IoCs

Processes:

018ccb52b75e10cd4a45aa22aa7b2342.exerjxul.exe

pid process

2208 018ccb52b75e10cd4a45aa22aa7b2342.exe
2240 rjxul.exe

pid	process
2240	rjxul.exe
2440	rjxul.exe

pid	process
2208	018ccb52b75e10cd4a45aa22aa7b2342.exe
2240	rjxul.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rjxul.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\ooxhhclluq = "C:\\Users\\Admin\\AppData\\Roaming\\bkkg\\ppyueenjjs.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rjxul.exe\" "	rjxul.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

rjxul.exe

description pid process target process

PID 2240 set thread context of 2440 2240 rjxul.exe rjxul.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rjxul.exe

pid process

2440 rjxul.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rjxul.exe

pid process

2240 rjxul.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rjxul.exe

description pid process

Token: SeDebugPrivilege 2440 rjxul.exe

flow	ioc
2	checkip.dyndns.org

description	pid	process	target process
PID 2240 set thread context of 2440	2240	rjxul.exe	rjxul.exe

pid	process
2440	rjxul.exe

pid	process
2240	rjxul.exe

description	pid	process
Token: SeDebugPrivilege	2440	rjxul.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

018ccb52b75e10cd4a45aa22aa7b2342.exerjxul.exe

description	pid	process	target process
PID 2208 wrote to memory of 2240	2208	018ccb52b75e10cd4a45aa22aa7b2342.exe	rjxul.exe
PID 2208 wrote to memory of 2240	2208	018ccb52b75e10cd4a45aa22aa7b2342.exe	rjxul.exe
PID 2208 wrote to memory of 2240	2208	018ccb52b75e10cd4a45aa22aa7b2342.exe	rjxul.exe
PID 2208 wrote to memory of 2240	2208	018ccb52b75e10cd4a45aa22aa7b2342.exe	rjxul.exe
PID 2240 wrote to memory of 2440	2240	rjxul.exe	rjxul.exe
PID 2240 wrote to memory of 2440	2240	rjxul.exe	rjxul.exe
PID 2240 wrote to memory of 2440	2240	rjxul.exe	rjxul.exe
PID 2240 wrote to memory of 2440	2240	rjxul.exe	rjxul.exe
PID 2240 wrote to memory of 2440	2240	rjxul.exe	rjxul.exe

C:\Users\Admin\AppData\Local\Temp\rjxul.exe
"C:\Users\Admin\AppData\Local\Temp\rjxul.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Users\Admin\AppData\Local\Temp\rjxul.exe
"C:\Users\Admin\AppData\Local\Temp\rjxul.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\018ccb52b75e10cd4a45aa22aa7b2342.exe
"C:\Users\Admin\AppData\Local\Temp\018ccb52b75e10cd4a45aa22aa7b2342.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\clwdnbpwhtp.z

Filesize
223KB

MD5
7d27db2a5bfe2a656deb5c058c11e895

SHA1
a984084e6c172afe7e74e1aad336da5e18d1f6ca

SHA256
18a3419e49235789b45d28cd7c237f0ed01b951d59be06d69be7b2885b39df3e

SHA512
a2faaf0c5f76a36c46cfd4b044d01d6310d30bdd34ec87737efd3612461df2356a641b296abfb04b8f1a734a1269cc66fe01fc5c04ad7ec943cf034ce6e39526

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjxul.exe

Filesize
179KB

MD5
f349989874895162828483b02560076a

SHA1
65511ebe6f6d198644015e8dc381c4f4ee2ee850

SHA256
dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f

SHA512
7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjxul.exe

Filesize
179KB

MD5
f349989874895162828483b02560076a

SHA1
65511ebe6f6d198644015e8dc381c4f4ee2ee850

SHA256
dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f

SHA512
7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjxul.exe

Filesize
179KB

MD5
f349989874895162828483b02560076a

SHA1
65511ebe6f6d198644015e8dc381c4f4ee2ee850

SHA256
dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f

SHA512
7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401

Download Submit
\Users\Admin\AppData\Local\Temp\rjxul.exe

Filesize
179KB

MD5
f349989874895162828483b02560076a

SHA1
65511ebe6f6d198644015e8dc381c4f4ee2ee850

SHA256
dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f

SHA512
7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401

Download Submit
\Users\Admin\AppData\Local\Temp\rjxul.exe

Filesize
179KB

MD5
f349989874895162828483b02560076a

SHA1
65511ebe6f6d198644015e8dc381c4f4ee2ee850

SHA256
dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f

SHA512
7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401

Download Submit
memory/2240-6-0x0000000000210000-0x0000000000213000-memory.dmp

Filesize
12KB

Download
memory/2440-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2440-20-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2440-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2440-21-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2440-17-0x0000000073CA0000-0x000000007438E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-18-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2440-19-0x00000000001E0000-0x0000000000204000-memory.dmp

Filesize
144KB

Download
memory/2440-11-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2440-22-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2440-23-0x0000000073CA0000-0x000000007438E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-24-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2440-25-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2440-26-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2440-27-0x0000000073CA0000-0x000000007438E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads