Analysis
  Max time kernel: 148s
  Max time network: 149s
  Platform: windows10-2004_x64
  Resource: win10v2004-20240226-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 28-03-2024 22:06
Static task: static1

Behavioral task: behavioral1
  Sample: 1152d04aafc683d5408838287483364d_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1152d04aafc683d5408838287483364d_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/System.dll
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/System.dll
  Resource: win10v2004-20240226-en

This page is the behavioral2 run (Windows 10 2004 x64). $PLUGINSDIR/System.dll is the NSIS System plugin carried inside the installer, which is why it was queued as a separate task; it is unpacked at runtime to the nst37BB.tmp directory listed under Downloads.
General
  Target: 1152d04aafc683d5408838287483364d_JaffaCakes118.exe
  Size: 646KB
  MD5: 1152d04aafc683d5408838287483364d
  SHA1: 61c4ea03c225fe0124419614f16e3709f9ec4700
  SHA256: 25449e29a38dc9c7b102b263b6c076a8b45ac2d2149c336ed9c885cd41905a8c
  SHA512: f00003cbdf7b8131466f7b14426559af027a93d97020fb00572303f4600f285d8f1aeff9ccf1540d7255f5049ce56d285f70343b157c18567e75caaabbbe0208
  SSDEEP: 12288:XB6jih7jqCKRGm8ec388qtZTKC/aJUxiAmN11K2:XB0o88B3PqtJ/aJPAmxK2
Malware Config
Extracted: snakekeylogger
  Protocol: smtp
  Host: mail.oceanskylogistics.in
  Port: 587
  Username: [email protected]
  Password: Oce@n@1234
  Email To: [email protected]

This is the exfiltration channel: stolen keystrokes and credentials are mailed through the attacker-controlled mailbox over SMTP submission (TCP 587). The two addresses appear obfuscated as "[email protected]" in this copy of the report, so only the host, port and password are usable as indicators here.
Signatures

Snake Keylogger
  Keylogger and infostealer, first seen in November 2020.

Snake Keylogger payload (1 IoC)
  resource: behavioral2/memory/3948-12-0x0000000000400000-0x0000000000448000-memory.dmp
  yara_rule: family_snakekeylogger
  The hit is the 288KB image at 0x400000 in MSBuild.exe (PID 3948), i.e. the payload that was written into the hollowed host process, not the dropper on disk.

Loads dropped DLL (2 IoCs)
  pid   process
  5036  1152d04aafc683d5408838287483364d_JaffaCakes118.exe
  5036  1152d04aafc683d5408838287483364d_JaffaCakes118.exe
  The dropped DLL is the NSIS System plugin (System.dll under nst37BB.tmp, see Downloads); the sample is an NSIS installer.

Adds Run key to start application (2 TTPs, 1 IoC)
  process: 1152d04aafc683d5408838287483364d_JaffaCakes118.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xnrqjkbppaysnv = "C:\Users\Admin\AppData\Roaming\ngpxmaxsn\lguergtka.exe"
  Persistence is per-user (HKCU Run key). Both the value name and the copy under %APPDATA% use random-looking names, so hunt on the pattern "Run value pointing into AppData" rather than on these strings.

Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  6     checkip.dyndns.org
  13    freegeoip.app
  14    freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
  PID 5036 (1152d04aafc683d5408838287483364d_JaffaCakes118.exe) set thread context of PID 3948 (MSBuild.exe)
  Together with the WriteProcessMemory and MapViewOfSection events below and the MSBuild.exe command line in the process tree, this is consistent with process hollowing: the dropper overwrites the MSBuild.exe image with the payload and redirects its entry thread.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  process       target process
  2212  5036        WerFault.exe  1152d04aafc683d5408838287483364d_JaffaCakes118.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  dw20.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                    dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz               dw20.exe
  In this run the reads come from dw20.exe, the .NET Framework error-reporting tool spawned by MSBuild.exe (PID 3948), not from the sample's own code, so treat them as crash-report telemetry rather than evidence of sandbox evasion.

Enumerates system info in registry (2 TTPs, 2 IoCs)
  description        ioc                                                        process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS         dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  dw20.exe
  Same caveat as above: dw20.exe, not the payload.

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   process                                              events
  5036  1152d04aafc683d5408838287483364d_JaffaCakes118.exe   8
  3948  MSBuild.exe                                          1

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   process
  5036  1152d04aafc683d5408838287483364d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   3948  MSBuild.exe
  Token: SeBackupPrivilege  5044  dw20.exe
  Token: SeBackupPrivilege  5044  dw20.exe
  The SeDebugPrivilege request comes from the hollowed MSBuild.exe, i.e. the payload; the SeBackupPrivilege adjustments belong to dw20.exe.

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   process                                              target process  events
  PID 5036 wrote to memory of 3948   5036  1152d04aafc683d5408838287483364d_JaffaCakes118.exe   MSBuild.exe     4
  PID 3948 wrote to memory of 5044   3948  MSBuild.exe                                          dw20.exe        3
Processes

C:\Users\Admin\AppData\Local\Temp\1152d04aafc683d5408838287483364d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1152d04aafc683d5408838287483364d_JaffaCakes118.exe"
  PID: 5036
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1152d04aafc683d5408838287483364d_JaffaCakes118.exe"
    PID: 3948
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Note the image/command-line mismatch: the process image is MSBuild.exe, but its command line is the dropper's own path. A legitimately launched MSBuild.exe names itself as the first token of its command line; this mismatch is a hallmark of process hollowing and is cheap to alert on.

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 1756
      PID: 5044
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 876
    PID: 2212
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5036 -ip 5036
  PID: 3836
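The signatures and the process tree above give a defender five concrete hunting signals: an MSBuild.exe whose command line names a different executable, a parent writing into its own child, a per-user Run key pointing into AppData, DNS queries to IP-lookup services, and SMTP from a process that is not a mail client. The script below is an added example and not part of the sandbox report or any vendor tooling. It runs those checks over a constructed list of Sysmon-style events modelled on this tree: the PIDs, paths, Run key and hostnames are copied from the report, while the event dictionaries, field names, the dropper's parent PID, the granted access mask and the SMTP connection event are assumptions.

```python
import re

# Constructed Sysmon-style events modelled on this report's process tree.
# Event IDs follow Sysmon: 1 process create, 3 network connect,
# 10 process access, 13 registry value set, 22 DNS query.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1152d04aafc683d5408838287483364d_JaffaCakes118.exe"
EVENTS = [
    # ppid 4000 is a placeholder; the report does not show the dropper's parent.
    {"id": 1, "pid": 5036, "ppid": 4000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"id": 1, "pid": 3948, "ppid": 5036,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "cmdline": f'"{DROPPER}"'},                     # hollowed host: command line is the dropper
    {"id": 1, "pid": 5044, "ppid": 3948,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe",
     "cmdline": "dw20.exe -x -s 1756"},              # benign: command line names itself
    # Assumed PROCESS_ALL_ACCESS handle from the dropper to MSBuild.exe.
    {"id": 10, "source_pid": 5036, "target_pid": 3948, "granted_access": 0x1FFFFF},
    {"id": 13, "pid": 5036,
     "key": r"HKU\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xnrqjkbppaysnv",
     "value": r"C:\Users\Admin\AppData\Roaming\ngpxmaxsn\lguergtka.exe"},
    {"id": 22, "pid": 3948, "query": "checkip.dyndns.org"},
    {"id": 22, "pid": 3948, "query": "freegeoip.app"},
    # Assumed: the SMTP exfil connection from the extracted config.
    {"id": 3, "pid": 3948, "dest_host": "mail.oceanskylogistics.in", "dest_port": 587},
]

IP_LOOKUP_SERVICES = {"checkip.dyndns.org", "freegeoip.app", "api.ipify.org", "ip-api.com", "ipinfo.io"}
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Process access rights from winnt.h; both are needed to write a payload into another process.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_exe(cmdline):
    """Executable named by a Windows command line: first token, quoted or not."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return basename(m.group(1) or m.group(2)) if m else ""


def hollowed_processes(events):
    """Image/command-line mismatch: the hollowed host still carries the dropper's command line."""
    return [e["pid"] for e in events
            if e["id"] == 1 and cmdline_exe(e["cmdline"]) != basename(e["image"])]


def parent_writes_into_child(events):
    """A parent holding VM_OPERATION|VM_WRITE on its own child, as the dropper did to MSBuild.exe."""
    parents = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    return [(e["source_pid"], e["target_pid"]) for e in events
            if e["id"] == 10 and e["granted_access"] & INJECT_MASK == INJECT_MASK
            and parents.get(e["target_pid"]) == e["source_pid"]]


def userland_run_keys(events):
    """Run values whose target lives under AppData; returns (value name, target path)."""
    return [(e["key"].rsplit("\\", 1)[-1], e["value"]) for e in events
            if e["id"] == 13 and "\\currentversion\\run\\" in e["key"].lower()
            and "\\appdata\\" in e["value"].lower()]


def ip_lookup_queries(events):
    return sorted({e["query"].lower() for e in events
                   if e["id"] == 22 and e["query"].lower() in IP_LOOKUP_SERVICES})


def smtp_from_non_mail_client(events):
    images = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    return [(e["pid"], e["dest_host"], e["dest_port"]) for e in events
            if e["id"] == 3 and e["dest_port"] in SMTP_PORTS
            and basename(images.get(e["pid"], "")) not in MAIL_CLIENTS]


def triage(events):
    return {
        "hollowed": hollowed_processes(events),
        "injection": parent_writes_into_child(events),
        "run_keys": userland_run_keys(events),
        "ip_lookup": ip_lookup_queries(events),
        "smtp_exfil": smtp_from_non_mail_client(events),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name}: {hits}")
```

Run it directly to print the findings; to use it on real telemetry, map Sysmon Event IDs 1, 3, 10, 13 and 22 onto the same dictionary keys. The mismatch check and the parent-writes-into-child check together pin down the hollowing; the Run key and network checks are the persistence and exfiltration side of the same infection and fire on the pattern rather than on this sample's random names.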
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\nst37BB.tmp\System.dll
  Filesize: 11KB
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
  The NSIS System plugin extracted by the installer (matches the $PLUGINSDIR/System.dll task above).

memory/3948-12-0x0000000000400000-0x0000000000448000-memory.dmp
  Filesize: 288KB
  The region that matched the family_snakekeylogger YARA rule: the payload image inside hollowed MSBuild.exe.
memory/3948-13-0x0000000074A80000-0x0000000075031000-memory.dmp
  Filesize: 5.7MB
memory/3948-14-0x0000000074A80000-0x0000000075031000-memory.dmp
  Filesize: 5.7MB
memory/3948-15-0x0000000001580000-0x0000000001590000-memory.dmp
  Filesize: 64KB
memory/3948-22-0x0000000074A80000-0x0000000075031000-memory.dmp
  Filesize: 5.7MB