snakekeylogger | 25449e29a38dc9c7b102b263b6c076a8b45ac2d2149c336ed9c885cd41905a8c

General

Target

1152d04aafc683d5408838287483364d_JaffaCakes118.exe
Size

646KB
MD5

1152d04aafc683d5408838287483364d
SHA1

61c4ea03c225fe0124419614f16e3709f9ec4700
SHA256

25449e29a38dc9c7b102b263b6c076a8b45ac2d2149c336ed9c885cd41905a8c
SHA512

f00003cbdf7b8131466f7b14426559af027a93d97020fb00572303f4600f285d8f1aeff9ccf1540d7255f5049ce56d285f70343b157c18567e75caaabbbe0208
SSDEEP

12288:XB6jih7jqCKRGm8ec388qtZTKC/aJUxiAmN11K2:XB0o88B3PqtJ/aJPAmxK2

Score

10^/10

snakekeylogger keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.oceanskylogistics.in
Port:
587
Username:
[email protected]
Password:
Oce@n@1234
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3016-12-0x0000000000400000-0x0000000000448000-memory.dmp	family_snakekeylogger
behavioral1/memory/3016-14-0x0000000000400000-0x0000000000448000-memory.dmp	family_snakekeylogger
behavioral1/memory/3016-16-0x0000000000400000-0x0000000000448000-memory.dmp	family_snakekeylogger
behavioral1/memory/3016-22-0x0000000001F90000-0x0000000001FD0000-memory.dmp	family_snakekeylogger

Loads dropped DLL 2 IoCs

Processes:

1152d04aafc683d5408838287483364d_JaffaCakes118.exe

pid process

2000 1152d04aafc683d5408838287483364d_JaffaCakes118.exe
2000 1152d04aafc683d5408838287483364d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1152d04aafc683d5408838287483364d_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnrqjkbppaysnv = "C:\\Users\\Admin\\AppData\\Roaming\\ngpxmaxsn\\lguergtka.exe"	1152d04aafc683d5408838287483364d_JaffaCakes118.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
6 freegeoip.app
7 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

1152d04aafc683d5408838287483364d_JaffaCakes118.exe

description pid process target process

PID 2000 set thread context of 3016 2000 1152d04aafc683d5408838287483364d_JaffaCakes118.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
4	checkip.dyndns.org
6	freegeoip.app
7	freegeoip.app

description	pid	process	target process
PID 2000 set thread context of 3016	2000	1152d04aafc683d5408838287483364d_JaffaCakes118.exe	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

1152d04aafc683d5408838287483364d_JaffaCakes118.exeMSBuild.exe

pid	process
2000	1152d04aafc683d5408838287483364d_JaffaCakes118.exe
2000	1152d04aafc683d5408838287483364d_JaffaCakes118.exe
2000	1152d04aafc683d5408838287483364d_JaffaCakes118.exe
2000	1152d04aafc683d5408838287483364d_JaffaCakes118.exe
3016	MSBuild.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1152d04aafc683d5408838287483364d_JaffaCakes118.exe

pid process

2000 1152d04aafc683d5408838287483364d_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 3016 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	3016	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1152d04aafc683d5408838287483364d_JaffaCakes118.exeMSBuild.exe

description	pid	process	target process
PID 2000 wrote to memory of 3016	2000	1152d04aafc683d5408838287483364d_JaffaCakes118.exe	MSBuild.exe
PID 2000 wrote to memory of 3016	2000	1152d04aafc683d5408838287483364d_JaffaCakes118.exe	MSBuild.exe
PID 2000 wrote to memory of 3016	2000	1152d04aafc683d5408838287483364d_JaffaCakes118.exe	MSBuild.exe
PID 2000 wrote to memory of 3016	2000	1152d04aafc683d5408838287483364d_JaffaCakes118.exe	MSBuild.exe
PID 2000 wrote to memory of 3016	2000	1152d04aafc683d5408838287483364d_JaffaCakes118.exe	MSBuild.exe
PID 3016 wrote to memory of 2032	3016	MSBuild.exe	dw20.exe
PID 3016 wrote to memory of 2032	3016	MSBuild.exe	dw20.exe
PID 3016 wrote to memory of 2032	3016	MSBuild.exe	dw20.exe
PID 3016 wrote to memory of 2032	3016	MSBuild.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\1152d04aafc683d5408838287483364d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1152d04aafc683d5408838287483364d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\1152d04aafc683d5408838287483364d_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 588
    3⤵
    PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy2ACA.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/2032-20-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/3016-12-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3016-14-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3016-16-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3016-17-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-19-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-18-0x0000000001F90000-0x0000000001FD0000-memory.dmp

Filesize
256KB

Download
memory/3016-21-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-22-0x0000000001F90000-0x0000000001FD0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads