snakekeylogger | e24e32d3cbe89de6119e8d181205aebd073055e2d4b8c873954213553b639b27

General

Target

111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
Size

2.2MB
MD5

111e78d8cc3e0772ade0782b8365d435
SHA1

c53a394e097c1a7a1fb8d8e53ad850c7f3c0c257
SHA256

e24e32d3cbe89de6119e8d181205aebd073055e2d4b8c873954213553b639b27
SHA512

64631e4d2e882b48d168cbbcbaf7b90a3dafaa5d2c65cdb5cd6dff16eb005c2ffcede50e7194b0c512d59747e0093c1c2f8de24f64ced0e2cd2011631c0e818a
SSDEEP

12288:0m5iyVP35aWloeBd4gQOBikixnkBkMXuXrY2eXNPnrEdrE:n5iyBF1BxkkiNkBkM+XrYxXN/odo

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
budgetn.shop
Port:
587
Username:
[email protected]
Password:
eC~Z,TG&S9jM
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3028-5-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/3028-6-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/3028-9-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/3028-11-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/3028-13-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/3028-15-0x0000000004C20000-0x0000000004C60000-memory.dmp	family_snakekeylogger

Executes dropped EXE 2 IoCs

Processes:

dfxzdg.exedfxzdg.exe

pid process

2556 dfxzdg.exe
2892 dfxzdg.exe
Loads dropped DLL 5 IoCs

Processes:

WerFault.exe

pid process

1052 WerFault.exe
1052 WerFault.exe
1052 WerFault.exe
1052 WerFault.exe
1052 WerFault.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
8 freegeoip.app
9 freegeoip.app
16 freegeoip.app

pid	process
2556	dfxzdg.exe
2892	dfxzdg.exe

pid	process
1052	WerFault.exe
1052	WerFault.exe
1052	WerFault.exe
1052	WerFault.exe
1052	WerFault.exe

flow	ioc
4	checkip.dyndns.org
8	freegeoip.app
9	freegeoip.app
16	freegeoip.app

Suspicious use of SetThreadContext 2 IoCs

Processes:

111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exedfxzdg.exe

description	pid	process	target process
PID 2868 set thread context of 3028	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 2556 set thread context of 2892	2556	dfxzdg.exe	dfxzdg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2452 3028 WerFault.exe 111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
1052 2892 WerFault.exe dfxzdg.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2672 schtasks.exe
1528 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exedfxzdg.exe

pid process

3028 111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
2892 dfxzdg.exe

pid	pid_target	process	target process
2452	3028	WerFault.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
1052	2892	WerFault.exe	dfxzdg.exe

pid	process
2672	schtasks.exe
1528	schtasks.exe

pid	process
3028	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
2892	dfxzdg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exedfxzdg.exedfxzdg.exe

description	pid	process
Token: SeDebugPrivilege	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
Token: SeDebugPrivilege	3028	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
Token: SeDebugPrivilege	2556	dfxzdg.exe
Token: SeDebugPrivilege	2892	dfxzdg.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.execmd.exetaskeng.exe111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exedfxzdg.execmd.exedfxzdg.exe

description	pid	process	target process
PID 2868 wrote to memory of 3028	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 2868 wrote to memory of 3028	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 2868 wrote to memory of 3028	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 2868 wrote to memory of 3028	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 2868 wrote to memory of 3028	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 2868 wrote to memory of 3028	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 2868 wrote to memory of 3028	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 2868 wrote to memory of 3028	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 2868 wrote to memory of 3028	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 2868 wrote to memory of 2728	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	cmd.exe
PID 2868 wrote to memory of 2728	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	cmd.exe
PID 2868 wrote to memory of 2728	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	cmd.exe
PID 2868 wrote to memory of 2728	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	cmd.exe
PID 2868 wrote to memory of 2096	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	cmd.exe
PID 2868 wrote to memory of 2096	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	cmd.exe
PID 2868 wrote to memory of 2096	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	cmd.exe
PID 2868 wrote to memory of 2096	2868	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	cmd.exe
PID 2728 wrote to memory of 2672	2728	cmd.exe	schtasks.exe
PID 2728 wrote to memory of 2672	2728	cmd.exe	schtasks.exe
PID 2728 wrote to memory of 2672	2728	cmd.exe	schtasks.exe
PID 2728 wrote to memory of 2672	2728	cmd.exe	schtasks.exe
PID 2268 wrote to memory of 2556	2268	taskeng.exe	dfxzdg.exe
PID 2268 wrote to memory of 2556	2268	taskeng.exe	dfxzdg.exe
PID 2268 wrote to memory of 2556	2268	taskeng.exe	dfxzdg.exe
PID 2268 wrote to memory of 2556	2268	taskeng.exe	dfxzdg.exe
PID 3028 wrote to memory of 2452	3028	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	WerFault.exe
PID 3028 wrote to memory of 2452	3028	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	WerFault.exe
PID 3028 wrote to memory of 2452	3028	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	WerFault.exe
PID 3028 wrote to memory of 2452	3028	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	WerFault.exe
PID 2556 wrote to memory of 2892	2556	dfxzdg.exe	dfxzdg.exe
PID 2556 wrote to memory of 2892	2556	dfxzdg.exe	dfxzdg.exe
PID 2556 wrote to memory of 2892	2556	dfxzdg.exe	dfxzdg.exe
PID 2556 wrote to memory of 2892	2556	dfxzdg.exe	dfxzdg.exe
PID 2556 wrote to memory of 2892	2556	dfxzdg.exe	dfxzdg.exe
PID 2556 wrote to memory of 2892	2556	dfxzdg.exe	dfxzdg.exe
PID 2556 wrote to memory of 2892	2556	dfxzdg.exe	dfxzdg.exe
PID 2556 wrote to memory of 2892	2556	dfxzdg.exe	dfxzdg.exe
PID 2556 wrote to memory of 2892	2556	dfxzdg.exe	dfxzdg.exe
PID 2556 wrote to memory of 1428	2556	dfxzdg.exe	cmd.exe
PID 2556 wrote to memory of 1428	2556	dfxzdg.exe	cmd.exe
PID 2556 wrote to memory of 1428	2556	dfxzdg.exe	cmd.exe
PID 2556 wrote to memory of 1428	2556	dfxzdg.exe	cmd.exe
PID 2556 wrote to memory of 2488	2556	dfxzdg.exe	cmd.exe
PID 2556 wrote to memory of 2488	2556	dfxzdg.exe	cmd.exe
PID 2556 wrote to memory of 2488	2556	dfxzdg.exe	cmd.exe
PID 2556 wrote to memory of 2488	2556	dfxzdg.exe	cmd.exe
PID 1428 wrote to memory of 1528	1428	cmd.exe	schtasks.exe
PID 1428 wrote to memory of 1528	1428	cmd.exe	schtasks.exe
PID 1428 wrote to memory of 1528	1428	cmd.exe	schtasks.exe
PID 1428 wrote to memory of 1528	1428	cmd.exe	schtasks.exe
PID 2892 wrote to memory of 1052	2892	dfxzdg.exe	WerFault.exe
PID 2892 wrote to memory of 1052	2892	dfxzdg.exe	WerFault.exe
PID 2892 wrote to memory of 1052	2892	dfxzdg.exe	WerFault.exe
PID 2892 wrote to memory of 1052	2892	dfxzdg.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1580
3⤵
- Program crash
PID:2452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
2⤵
PID:2096

C:\Windows\system32\taskeng.exe
taskeng.exe {2761A1ED-5BBE-4EA8-855D-5B70A6EDB7A9} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
"C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 1572
4⤵
- Loads dropped DLL
- Program crash
PID:1052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
3⤵
PID:2488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
Filesize
2.2MB

MD5
111e78d8cc3e0772ade0782b8365d435

SHA1
c53a394e097c1a7a1fb8d8e53ad850c7f3c0c257

SHA256
e24e32d3cbe89de6119e8d181205aebd073055e2d4b8c873954213553b639b27

SHA512
64631e4d2e882b48d168cbbcbaf7b90a3dafaa5d2c65cdb5cd6dff16eb005c2ffcede50e7194b0c512d59747e0093c1c2f8de24f64ced0e2cd2011631c0e818a

Download Submit
memory/2556-22-0x0000000005090000-0x00000000050D0000-memory.dmp

Filesize
256KB

Download
memory/2556-20-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2556-21-0x0000000000960000-0x0000000000B9A000-memory.dmp

Filesize
2.2MB

Download
memory/2556-48-0x0000000005090000-0x00000000050D0000-memory.dmp

Filesize
256KB

Download
memory/2556-47-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2868-0-0x0000000000B80000-0x0000000000DBA000-memory.dmp

Filesize
2.2MB

Download
memory/2868-2-0x0000000004FE0000-0x0000000005020000-memory.dmp

Filesize
256KB

Download
memory/2868-1-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2868-39-0x0000000004FE0000-0x0000000005020000-memory.dmp

Filesize
256KB

Download
memory/2868-37-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2892-50-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/2892-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2892-38-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2892-49-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/3028-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3028-15-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/3028-14-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/3028-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3028-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3028-9-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3028-40-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/3028-41-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/3028-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3028-5-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3028-4-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3028-3-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads