snakekeylogger | e24e32d3cbe89de6119e8d181205aebd073055e2d4b8c873954213553b639b27

General

Target

111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
Size

2.2MB
MD5

111e78d8cc3e0772ade0782b8365d435
SHA1

c53a394e097c1a7a1fb8d8e53ad850c7f3c0c257
SHA256

e24e32d3cbe89de6119e8d181205aebd073055e2d4b8c873954213553b639b27
SHA512

64631e4d2e882b48d168cbbcbaf7b90a3dafaa5d2c65cdb5cd6dff16eb005c2ffcede50e7194b0c512d59747e0093c1c2f8de24f64ced0e2cd2011631c0e818a
SSDEEP

12288:0m5iyVP35aWloeBd4gQOBikixnkBkMXuXrY2eXNPnrEdrE:n5iyBF1BxkkiNkBkM+XrYxXN/odo

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
budgetn.shop
Port:
587
Username:
[email protected]
Password:
eC~Z,TG&S9jM
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2712-6-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exedfxzdg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	dfxzdg.exe

Executes dropped EXE 2 IoCs

Processes:

dfxzdg.exedfxzdg.exe

pid process

2532 dfxzdg.exe
4792 dfxzdg.exe
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 freegeoip.app
52 checkip.dyndns.org
54 freegeoip.app
13 checkip.dyndns.org
15 freegeoip.app

pid	process
2532	dfxzdg.exe
4792	dfxzdg.exe

flow	ioc
16	freegeoip.app
52	checkip.dyndns.org
54	freegeoip.app
13	checkip.dyndns.org
15	freegeoip.app

Suspicious use of SetThreadContext 2 IoCs

Processes:

111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exedfxzdg.exe

description	pid	process	target process
PID 384 set thread context of 2712	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 2532 set thread context of 4792	2532	dfxzdg.exe	dfxzdg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3692 2712 WerFault.exe 111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
2100 4792 WerFault.exe dfxzdg.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

212 schtasks.exe
2136 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exedfxzdg.exe

pid process

2712 111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
4792 dfxzdg.exe

pid	pid_target	process	target process
3692	2712	WerFault.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
2100	4792	WerFault.exe	dfxzdg.exe

pid	process
212	schtasks.exe
2136	schtasks.exe

pid	process
2712	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
4792	dfxzdg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exedfxzdg.exedfxzdg.exe

description	pid	process
Token: SeDebugPrivilege	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
Token: SeDebugPrivilege	2712	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	dfxzdg.exe
Token: SeDebugPrivilege	4792	dfxzdg.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.execmd.exedfxzdg.execmd.exe

description	pid	process	target process
PID 384 wrote to memory of 2712	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 384 wrote to memory of 2712	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 384 wrote to memory of 2712	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 384 wrote to memory of 2712	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 384 wrote to memory of 2712	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 384 wrote to memory of 2712	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 384 wrote to memory of 2712	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 384 wrote to memory of 2712	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
PID 384 wrote to memory of 1692	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	cmd.exe
PID 384 wrote to memory of 1692	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	cmd.exe
PID 384 wrote to memory of 1692	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	cmd.exe
PID 384 wrote to memory of 1816	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	cmd.exe
PID 384 wrote to memory of 1816	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	cmd.exe
PID 384 wrote to memory of 1816	384	111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe	cmd.exe
PID 1692 wrote to memory of 2136	1692	cmd.exe	schtasks.exe
PID 1692 wrote to memory of 2136	1692	cmd.exe	schtasks.exe
PID 1692 wrote to memory of 2136	1692	cmd.exe	schtasks.exe
PID 2532 wrote to memory of 4792	2532	dfxzdg.exe	dfxzdg.exe
PID 2532 wrote to memory of 4792	2532	dfxzdg.exe	dfxzdg.exe
PID 2532 wrote to memory of 4792	2532	dfxzdg.exe	dfxzdg.exe
PID 2532 wrote to memory of 4792	2532	dfxzdg.exe	dfxzdg.exe
PID 2532 wrote to memory of 4792	2532	dfxzdg.exe	dfxzdg.exe
PID 2532 wrote to memory of 4792	2532	dfxzdg.exe	dfxzdg.exe
PID 2532 wrote to memory of 4792	2532	dfxzdg.exe	dfxzdg.exe
PID 2532 wrote to memory of 4792	2532	dfxzdg.exe	dfxzdg.exe
PID 2532 wrote to memory of 3480	2532	dfxzdg.exe	cmd.exe
PID 2532 wrote to memory of 3480	2532	dfxzdg.exe	cmd.exe
PID 2532 wrote to memory of 3480	2532	dfxzdg.exe	cmd.exe
PID 2532 wrote to memory of 2208	2532	dfxzdg.exe	cmd.exe
PID 2532 wrote to memory of 2208	2532	dfxzdg.exe	cmd.exe
PID 2532 wrote to memory of 2208	2532	dfxzdg.exe	cmd.exe
PID 3480 wrote to memory of 212	3480	cmd.exe	schtasks.exe
PID 3480 wrote to memory of 212	3480	cmd.exe	schtasks.exe
PID 3480 wrote to memory of 212	3480	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1816
3⤵
- Program crash
PID:3692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
2⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2712 -ip 2712
1⤵
PID:1964

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
"C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1812
3⤵
- Program crash
PID:2100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
2⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4792 -ip 4792
1⤵
PID:4852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
Filesize
2.2MB

MD5
111e78d8cc3e0772ade0782b8365d435

SHA1
c53a394e097c1a7a1fb8d8e53ad850c7f3c0c257

SHA256
e24e32d3cbe89de6119e8d181205aebd073055e2d4b8c873954213553b639b27

SHA512
64631e4d2e882b48d168cbbcbaf7b90a3dafaa5d2c65cdb5cd6dff16eb005c2ffcede50e7194b0c512d59747e0093c1c2f8de24f64ced0e2cd2011631c0e818a

Download Submit
memory/384-13-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/384-1-0x0000000000050000-0x000000000028A000-memory.dmp

Filesize
2.2MB

Download
memory/384-2-0x0000000005370000-0x0000000005914000-memory.dmp

Filesize
5.6MB

Download
memory/384-3-0x0000000004DC0000-0x0000000004E52000-memory.dmp

Filesize
584KB

Download
memory/384-4-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/384-5-0x0000000004D60000-0x0000000004D6A000-memory.dmp

Filesize
40KB

Download
memory/384-0-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/384-14-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/2532-18-0x0000000000550000-0x000000000078A000-memory.dmp

Filesize
2.2MB

Download
memory/2532-17-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2532-19-0x0000000002F60000-0x0000000002F70000-memory.dmp

Filesize
64KB

Download
memory/2532-25-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2532-26-0x0000000002F60000-0x0000000002F70000-memory.dmp

Filesize
64KB

Download
memory/2712-12-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2712-9-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/2712-7-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2712-8-0x0000000005600000-0x000000000569C000-memory.dmp

Filesize
624KB

Download
memory/2712-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4792-22-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4792-23-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/4792-24-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads