snakekeylogger | 20351bfb18a4c774795e240a1a143754493ce9c89edf007c5cb110e4bce447a9

General

Target

2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe
Size

858KB
MD5

2ea15aa68317ad61bdcff453f0750281
SHA1

10bfcd418e65f26a49f8c8c589352872d32d0492
SHA256

20351bfb18a4c774795e240a1a143754493ce9c89edf007c5cb110e4bce447a9
SHA512

5b92dfebaffc4c4fefd0ea0bbd85f6add5480f4039d5b940e26c2ade527719e73acf77302bf5853864d7ed0243af09b2f15b58312d1c0a6f62e6bae29c01b7e8
SSDEEP

12288:pwEgszmNH4u9LS4NXZeCogcQv6QE2Fxov/G6Y:sfngCogcQyQE2Fxa/a

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
restd.xyz
Port:
587
Username:
[email protected]
Password:
gg@6{ZL65h,*
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-5-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2172-6-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2172-8-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2172-10-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2172-12-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2172-14-0x0000000000B80000-0x0000000000BC0000-memory.dmp	family_snakekeylogger

Executes dropped EXE 1 IoCs

Processes:

dfxzdg.exe

pid process

2564 dfxzdg.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app
8 checkip.dyndns.org
10 freegeoip.app
2 checkip.dyndns.org

pid	process
2564	dfxzdg.exe

flow	ioc
4	freegeoip.app
5	freegeoip.app
8	checkip.dyndns.org
10	freegeoip.app
2	checkip.dyndns.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exedfxzdg.exe

description	pid	process	target process
PID 1932 set thread context of 2172	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 2564 set thread context of 2884	2564	dfxzdg.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2528 2172 WerFault.exe vbc.exe
1940 2884 WerFault.exe vbc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2520 schtasks.exe
676 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exevbc.exe

pid process

2172 vbc.exe
2884 vbc.exe

pid	pid_target	process	target process
2528	2172	WerFault.exe	vbc.exe
1940	2884	WerFault.exe	vbc.exe

pid	process
2520	schtasks.exe
676	schtasks.exe

pid	process
2172	vbc.exe
2884	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exevbc.exedfxzdg.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe
Token: SeDebugPrivilege	2172	vbc.exe
Token: SeDebugPrivilege	2564	dfxzdg.exe
Token: SeDebugPrivilege	2884	vbc.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.execmd.exevbc.exetaskeng.exedfxzdg.execmd.exevbc.exe

description	pid	process	target process
PID 1932 wrote to memory of 2172	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1932 wrote to memory of 2172	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1932 wrote to memory of 2172	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1932 wrote to memory of 2172	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1932 wrote to memory of 2172	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1932 wrote to memory of 2172	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1932 wrote to memory of 2172	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1932 wrote to memory of 2172	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1932 wrote to memory of 2172	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1932 wrote to memory of 2956	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	cmd.exe
PID 1932 wrote to memory of 2956	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	cmd.exe
PID 1932 wrote to memory of 2956	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	cmd.exe
PID 1932 wrote to memory of 2956	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	cmd.exe
PID 1932 wrote to memory of 3064	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	cmd.exe
PID 1932 wrote to memory of 3064	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	cmd.exe
PID 1932 wrote to memory of 3064	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	cmd.exe
PID 1932 wrote to memory of 3064	1932	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	cmd.exe
PID 2956 wrote to memory of 2520	2956	cmd.exe	schtasks.exe
PID 2956 wrote to memory of 2520	2956	cmd.exe	schtasks.exe
PID 2956 wrote to memory of 2520	2956	cmd.exe	schtasks.exe
PID 2956 wrote to memory of 2520	2956	cmd.exe	schtasks.exe
PID 2172 wrote to memory of 2528	2172	vbc.exe	WerFault.exe
PID 2172 wrote to memory of 2528	2172	vbc.exe	WerFault.exe
PID 2172 wrote to memory of 2528	2172	vbc.exe	WerFault.exe
PID 2172 wrote to memory of 2528	2172	vbc.exe	WerFault.exe
PID 2720 wrote to memory of 2564	2720	taskeng.exe	dfxzdg.exe
PID 2720 wrote to memory of 2564	2720	taskeng.exe	dfxzdg.exe
PID 2720 wrote to memory of 2564	2720	taskeng.exe	dfxzdg.exe
PID 2720 wrote to memory of 2564	2720	taskeng.exe	dfxzdg.exe
PID 2564 wrote to memory of 2884	2564	dfxzdg.exe	vbc.exe
PID 2564 wrote to memory of 2884	2564	dfxzdg.exe	vbc.exe
PID 2564 wrote to memory of 2884	2564	dfxzdg.exe	vbc.exe
PID 2564 wrote to memory of 2884	2564	dfxzdg.exe	vbc.exe
PID 2564 wrote to memory of 2884	2564	dfxzdg.exe	vbc.exe
PID 2564 wrote to memory of 2884	2564	dfxzdg.exe	vbc.exe
PID 2564 wrote to memory of 2884	2564	dfxzdg.exe	vbc.exe
PID 2564 wrote to memory of 2884	2564	dfxzdg.exe	vbc.exe
PID 2564 wrote to memory of 2884	2564	dfxzdg.exe	vbc.exe
PID 2564 wrote to memory of 1952	2564	dfxzdg.exe	cmd.exe
PID 2564 wrote to memory of 1952	2564	dfxzdg.exe	cmd.exe
PID 2564 wrote to memory of 1952	2564	dfxzdg.exe	cmd.exe
PID 2564 wrote to memory of 1952	2564	dfxzdg.exe	cmd.exe
PID 1952 wrote to memory of 676	1952	cmd.exe	schtasks.exe
PID 1952 wrote to memory of 676	1952	cmd.exe	schtasks.exe
PID 1952 wrote to memory of 676	1952	cmd.exe	schtasks.exe
PID 1952 wrote to memory of 676	1952	cmd.exe	schtasks.exe
PID 2564 wrote to memory of 1212	2564	dfxzdg.exe	cmd.exe
PID 2564 wrote to memory of 1212	2564	dfxzdg.exe	cmd.exe
PID 2564 wrote to memory of 1212	2564	dfxzdg.exe	cmd.exe
PID 2564 wrote to memory of 1212	2564	dfxzdg.exe	cmd.exe
PID 2884 wrote to memory of 1940	2884	vbc.exe	WerFault.exe
PID 2884 wrote to memory of 1940	2884	vbc.exe	WerFault.exe
PID 2884 wrote to memory of 1940	2884	vbc.exe	WerFault.exe
PID 2884 wrote to memory of 1940	2884	vbc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 1496
3⤵
- Program crash
PID:2528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
2⤵
PID:3064

C:\Windows\system32\taskeng.exe
taskeng.exe {0CFB3A58-4538-4AD0-BED3-07AA52B6AF6F} S-1-5-21-2610426812-2871295383-373749122-1000:UEITMFAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1488
4⤵
- Program crash
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
4⤵
- Creates scheduled task(s)
PID:676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
3⤵
PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
Filesize
858KB

MD5
2ea15aa68317ad61bdcff453f0750281

SHA1
10bfcd418e65f26a49f8c8c589352872d32d0492

SHA256
20351bfb18a4c774795e240a1a143754493ce9c89edf007c5cb110e4bce447a9

SHA512
5b92dfebaffc4c4fefd0ea0bbd85f6add5480f4039d5b940e26c2ade527719e73acf77302bf5853864d7ed0243af09b2f15b58312d1c0a6f62e6bae29c01b7e8

Download Submit
memory/1932-0-0x0000000000A00000-0x0000000000ADC000-memory.dmp

Filesize
880KB

Download
memory/1932-1-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/1932-2-0x0000000004360000-0x00000000043A0000-memory.dmp

Filesize
256KB

Download
memory/1932-20-0x0000000004360000-0x00000000043A0000-memory.dmp

Filesize
256KB

Download
memory/1932-17-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-14-0x0000000000B80000-0x0000000000BC0000-memory.dmp

Filesize
256KB

Download
memory/2172-3-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2172-8-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2172-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2172-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2172-13-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2172-5-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2172-4-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2172-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2172-30-0x0000000000B80000-0x0000000000BC0000-memory.dmp

Filesize
256KB

Download
memory/2172-24-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-23-0x0000000000670000-0x00000000006B0000-memory.dmp

Filesize
256KB

Download
memory/2564-22-0x0000000001280000-0x000000000135C000-memory.dmp

Filesize
880KB

Download
memory/2564-21-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-37-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-36-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-38-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads