General

  • Target: 1152d04aafc683d5408838287483364d_JaffaCakes118
  • Size: 646KB
  • Sample: 240328-11g1xsae48
  • MD5: 1152d04aafc683d5408838287483364d
  • SHA1: 61c4ea03c225fe0124419614f16e3709f9ec4700
  • SHA256: 25449e29a38dc9c7b102b263b6c076a8b45ac2d2149c336ed9c885cd41905a8c
  • SHA512: f00003cbdf7b8131466f7b14426559af027a93d97020fb00572303f4600f285d8f1aeff9ccf1540d7255f5049ce56d285f70343b157c18567e75caaabbbe0208
  • SSDEEP: 12288:XB6jih7jqCKRGm8ec388qtZTKC/aJUxiAmN11K2:XB0o88B3PqtJ/aJPAmxK2

Malware Config

Extracted

  • Family: snakekeylogger

Credentials

  • Protocol: smtp
  • Host: mail.oceanskylogistics.in
  • Port: 587
  • Username: export@oceanskylogistics.in
  • Password: Oce@n@1234
  • Email To: sameh.mohamed404@yandex.com

Targets

    • Target: 1152d04aafc683d5408838287483364d_JaffaCakes118
    • Size: 646KB
    • MD5: 1152d04aafc683d5408838287483364d
    • SHA1: 61c4ea03c225fe0124419614f16e3709f9ec4700
    • SHA256: 25449e29a38dc9c7b102b263b6c076a8b45ac2d2149c336ed9c885cd41905a8c
    • SHA512: f00003cbdf7b8131466f7b14426559af027a93d97020fb00572303f4600f285d8f1aeff9ccf1540d7255f5049ce56d285f70343b157c18567e75caaabbbe0208
    • SSDEEP: 12288:XB6jih7jqCKRGm8ec388qtZTKC/aJUxiAmN11K2:XB0o88B3PqtJ/aJPAmxK2

    • Snake Keylogger: keylogger and infostealer first seen in November 2020.
    • Snake Keylogger payload
    • Loads dropped DLL
    • Adds Run key to start application
    • Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

    • Target: $PLUGINSDIR/System.dll
    • Size: 11KB
    • MD5: fccff8cb7a1067e23fd2e2b63971a8e1
    • SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
    • SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
    • SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
    • SSDEEP: 192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4

    Score: 3/10

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • T1547 Boot or Logon Autostart Execution: 1
  • T1547.001 Registry Run Keys / Startup Folder: 1

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution: 1
  • T1547.001 Registry Run Keys / Startup Folder: 1

Defense Evasion

  • T1112 Modify Registry: 1

Discovery

  • T1082 System Information Discovery: 3
  • T1012 Query Registry: 2
