snakekeylogger | 085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4

General

Target

085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe
Size

304KB
MD5

018ccb52b75e10cd4a45aa22aa7b2342
SHA1

7f0033b4a3958e14d1959555bbfbd58e667d460b
SHA256

085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4
SHA512

13497efa83635329a0381f5e447bd47bd29bf7d1634c3909cb0537148d54e348c1455faa6b0246365d165eb1626a65a21acd410d70309ba40bfd6f73ef4c1e8f
SSDEEP

6144:hnPdudwDvX6XTt3LWygobl2qgZbyWI2ku6nQ+i1ic3OYBsXA7L:hnPdj6ZKygjq0IZnK1wYMy

Score

10^/10

snakekeylogger collection keylogger persistence spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1708-11-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/1708-15-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/1708-16-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/1708-18-0x0000000000940000-0x0000000000980000-memory.dmp	family_snakekeylogger
behavioral1/memory/1708-19-0x00000000003D0000-0x00000000003F4000-memory.dmp	family_snakekeylogger
behavioral1/memory/1708-20-0x0000000000940000-0x0000000000980000-memory.dmp	family_snakekeylogger
behavioral1/memory/1708-21-0x0000000000940000-0x0000000000980000-memory.dmp	family_snakekeylogger
behavioral1/memory/1708-23-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger

Executes dropped EXE 2 IoCs

Processes:

rjxul.exerjxul.exe

pid process

2696 rjxul.exe
1708 rjxul.exe
Loads dropped DLL 2 IoCs

Processes:

085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exerjxul.exe

pid process

2420 085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe
2696 rjxul.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2696	rjxul.exe
1708	rjxul.exe

pid	process
2420	085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe
2696	rjxul.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

rjxul.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rjxul.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rjxul.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rjxul.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rjxul.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\ooxhhclluq = "C:\\Users\\Admin\\AppData\\Roaming\\bkkg\\ppyueenjjs.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rjxul.exe\" "	rjxul.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

rjxul.exe

description pid process target process

PID 2696 set thread context of 1708 2696 rjxul.exe rjxul.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rjxul.exe

pid process

1708 rjxul.exe
1708 rjxul.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rjxul.exe

pid process

2696 rjxul.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rjxul.exe

description pid process

Token: SeDebugPrivilege 1708 rjxul.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 2696 set thread context of 1708	2696	rjxul.exe	rjxul.exe

pid	process
1708	rjxul.exe
1708	rjxul.exe

pid	process
2696	rjxul.exe

description	pid	process
Token: SeDebugPrivilege	1708	rjxul.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exerjxul.exe

description	pid	process	target process
PID 2420 wrote to memory of 2696	2420	085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe	rjxul.exe
PID 2420 wrote to memory of 2696	2420	085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe	rjxul.exe
PID 2420 wrote to memory of 2696	2420	085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe	rjxul.exe
PID 2420 wrote to memory of 2696	2420	085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe	rjxul.exe
PID 2696 wrote to memory of 1708	2696	rjxul.exe	rjxul.exe
PID 2696 wrote to memory of 1708	2696	rjxul.exe	rjxul.exe
PID 2696 wrote to memory of 1708	2696	rjxul.exe	rjxul.exe
PID 2696 wrote to memory of 1708	2696	rjxul.exe	rjxul.exe
PID 2696 wrote to memory of 1708	2696	rjxul.exe	rjxul.exe

outlook_office_path 1 IoCs

Processes:

rjxul.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rjxul.exe

outlook_win_path 1 IoCs

Processes:

rjxul.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rjxul.exe

C:\Users\Admin\AppData\Local\Temp\085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe
"C:\Users\Admin\AppData\Local\Temp\085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Local\Temp\rjxul.exe
"C:\Users\Admin\AppData\Local\Temp\rjxul.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\rjxul.exe
"C:\Users\Admin\AppData\Local\Temp\rjxul.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\clwdnbpwhtp.z

Filesize
223KB

MD5
7d27db2a5bfe2a656deb5c058c11e895

SHA1
a984084e6c172afe7e74e1aad336da5e18d1f6ca

SHA256
18a3419e49235789b45d28cd7c237f0ed01b951d59be06d69be7b2885b39df3e

SHA512
a2faaf0c5f76a36c46cfd4b044d01d6310d30bdd34ec87737efd3612461df2356a641b296abfb04b8f1a734a1269cc66fe01fc5c04ad7ec943cf034ce6e39526

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjxul.exe

Filesize
179KB

MD5
f349989874895162828483b02560076a

SHA1
65511ebe6f6d198644015e8dc381c4f4ee2ee850

SHA256
dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f

SHA512
7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjxul.exe

Filesize
179KB

MD5
f349989874895162828483b02560076a

SHA1
65511ebe6f6d198644015e8dc381c4f4ee2ee850

SHA256
dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f

SHA512
7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjxul.exe

Filesize
179KB

MD5
f349989874895162828483b02560076a

SHA1
65511ebe6f6d198644015e8dc381c4f4ee2ee850

SHA256
dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f

SHA512
7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401

Download Submit
\Users\Admin\AppData\Local\Temp\rjxul.exe

Filesize
179KB

MD5
f349989874895162828483b02560076a

SHA1
65511ebe6f6d198644015e8dc381c4f4ee2ee850

SHA256
dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f

SHA512
7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401

Download Submit
\Users\Admin\AppData\Local\Temp\rjxul.exe

Filesize
179KB

MD5
f349989874895162828483b02560076a

SHA1
65511ebe6f6d198644015e8dc381c4f4ee2ee850

SHA256
dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f

SHA512
7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401

Download Submit
memory/1708-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1708-11-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1708-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1708-17-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1708-18-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/1708-19-0x00000000003D0000-0x00000000003F4000-memory.dmp

Filesize
144KB

Download
memory/1708-20-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/1708-21-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/1708-22-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/1708-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1708-24-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1708-25-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/2696-6-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads