snakekeylogger | 9bcda9f3c4d2080696f278d4a7cd828c652136925747983a5314ba0a2d991e77

General

Target

scan copy.jar
Size

1.2MB
MD5

7a9f52bf41ae0b6bb82828c1249f954d
SHA1

7a0755477f5523fce6c3333fff0c4f69902248e7
SHA256

9bcda9f3c4d2080696f278d4a7cd828c652136925747983a5314ba0a2d991e77
SHA512

ef865a969c6be89ea09379dd5ea2dec23a0f0a809d90bcf56c50d926ff1578a4e13e70bb9a17c6dfc218af8d74616652c39577bc816da286592884e10efe1204
SSDEEP

24576:j7vOMeCeCtD+pJ5XSUPHXz9+CtD+pJ5XSUPHXz9r:jrO9CC5XRY5XRV

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.bhojwanindia.com
Port:
587
Username:
[email protected]
Password:
bombayoffice123

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

resource	yara_rule
behavioral1/memory/704-68-0x0000000140000000-0x0000000140024000-memory.dmp	family_snakekeylogger
behavioral1/memory/704-75-0x0000000140000000-0x0000000140024000-memory.dmp	family_snakekeylogger

Executes dropped EXE 3 IoCs

pid	Process
2864	eSXlDXA.exe
2548	F8t1Rr8a.exe
704	eSXlDXA.exe

Loads dropped DLL 7 IoCs

pid	Process
2368	java.exe
2368	java.exe
1236	WerFault.exe
1236	WerFault.exe
1236	WerFault.exe
1236	WerFault.exe
1236	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2864 set thread context of 704	2864	eSXlDXA.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2796	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2368	java.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2864	2368	java.exe	29
PID 2368 wrote to memory of 2864	2368	java.exe	29
PID 2368 wrote to memory of 2864	2368	java.exe	29
PID 2368 wrote to memory of 2548	2368	java.exe	30
PID 2368 wrote to memory of 2548	2368	java.exe	30
PID 2368 wrote to memory of 2548	2368	java.exe	30
PID 2864 wrote to memory of 2796	2864	eSXlDXA.exe	31
PID 2864 wrote to memory of 2796	2864	eSXlDXA.exe	31
PID 2864 wrote to memory of 2796	2864	eSXlDXA.exe	31
PID 2864 wrote to memory of 2996	2864	eSXlDXA.exe	33
PID 2864 wrote to memory of 2996	2864	eSXlDXA.exe	33
PID 2864 wrote to memory of 2996	2864	eSXlDXA.exe	33
PID 2548 wrote to memory of 1236	2548	F8t1Rr8a.exe	35
PID 2548 wrote to memory of 1236	2548	F8t1Rr8a.exe	35
PID 2548 wrote to memory of 1236	2548	F8t1Rr8a.exe	35
PID 2864 wrote to memory of 704	2864	eSXlDXA.exe	37
PID 2864 wrote to memory of 704	2864	eSXlDXA.exe	37
PID 2864 wrote to memory of 704	2864	eSXlDXA.exe	37
PID 2864 wrote to memory of 704	2864	eSXlDXA.exe	37
PID 2864 wrote to memory of 704	2864	eSXlDXA.exe	37
PID 2864 wrote to memory of 704	2864	eSXlDXA.exe	37
PID 2864 wrote to memory of 704	2864	eSXlDXA.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\scan copy.jar"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\eSXlDXA.exe
  C:\Users\Admin\eSXlDXA.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yEvjIxkQ.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yEvjIxkQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC996.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2996
- - C:\Users\Admin\eSXlDXA.exe
    C:\Users\Admin\eSXlDXA.exe
    3⤵
    - Executes dropped EXE
    PID:704
- C:\Users\Admin\F8t1Rr8a.exe
  "C:\Users\Admin\F8t1Rr8a.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2548 -s 800
    3⤵
    - Loads dropped DLL
    PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC996.tmp

Filesize
1KB

MD5
5eaafbb536740102b4865a9995a03743

SHA1
d533e50d9ba8849d784e0e80f91122c904d5210f

SHA256
1fb4722b9632bfbc332cb672ef85d797a959d11cddc90f0129ea7f19723a511f

SHA512
3715879ca5ba123c861cf0be6ab1e1dee5f6d4fe01b0125d85fd6700b56299fb6532e527db4f7b060018be5bc6441d199f99ab550a99a572a43c0494e8ec66e8

Download Submit
C:\Users\Admin\eSXlDXA.exe

Filesize
64KB

MD5
04e48200234d8653e3048fd521df47b9

SHA1
ac87856a5f2ef5375875d59d82f9b86215f68b69

SHA256
39a2f3f871504fb0eff9cd59dc56bb41d509c537fdd64ecab674f656a76b7538

SHA512
e47684165631d105722c32ddce06ceae9b177e76331ffadb4b722845c2ab0d3aab5a19bfc3dfa7faef20efbb4d40f1c90293dd2398acab1b219b792ed0f6d33f

Download Submit
\Users\Admin\eSXlDXA.exe

Filesize
554KB

MD5
691bc09438968e76acaeeadb47dc56c7

SHA1
3d75e23758350cd308362c136ace87d336285d06

SHA256
8fe8e5603740c27c08a5a0105ffb0773663f1be552e34bfece616b8a51a6bc35

SHA512
6c5ff89169d05acd92cdd4d5998d0db84958b7f175b146b1dfce490935ee53c505050db3e5c9e454c56684881e8b1447c84a984da7121ad08b15efff3173b582

Download Submit
memory/704-75-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/704-71-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/704-66-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/704-68-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/704-64-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/2368-33-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2368-3-0x0000000002550000-0x0000000005550000-memory.dmp

Filesize
48.0MB

Download
memory/2368-35-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2368-39-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2368-40-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2368-10-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2548-28-0x0000000001280000-0x0000000001310000-memory.dmp

Filesize
576KB

Download
memory/2548-47-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-44-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2548-32-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-48-0x000000001C120000-0x000000001C1A0000-memory.dmp

Filesize
512KB

Download
memory/2796-72-0x0000000002050000-0x00000000020D0000-memory.dmp

Filesize
512KB

Download
memory/2796-67-0x0000000002050000-0x00000000020D0000-memory.dmp

Filesize
512KB

Download
memory/2796-76-0x000007FEEDE60000-0x000007FEEE7FD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-62-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2796-63-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2796-65-0x000007FEEDE60000-0x000007FEEE7FD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-74-0x0000000002054000-0x0000000002057000-memory.dmp

Filesize
12KB

Download
memory/2796-69-0x000007FEEDE60000-0x000007FEEE7FD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-70-0x0000000002050000-0x00000000020D0000-memory.dmp

Filesize
512KB

Download
memory/2864-31-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/2864-29-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-42-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/2864-30-0x0000000000190000-0x00000000001AA000-memory.dmp

Filesize
104KB

Download
memory/2864-43-0x00000000001B0000-0x00000000001C2000-memory.dmp

Filesize
72KB

Download
memory/2864-46-0x000000001BDF0000-0x000000001BE56000-memory.dmp

Filesize
408KB

Download
memory/2864-45-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/2864-17-0x0000000000A40000-0x0000000000AD0000-memory.dmp

Filesize
576KB

Download
memory/2864-41-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-80-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads