snakekeylogger | 20351bfb18a4c774795e240a1a143754493ce9c89edf007c5cb110e4bce447a9

General

Target

2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe
Size

858KB
MD5

2ea15aa68317ad61bdcff453f0750281
SHA1

10bfcd418e65f26a49f8c8c589352872d32d0492
SHA256

20351bfb18a4c774795e240a1a143754493ce9c89edf007c5cb110e4bce447a9
SHA512

5b92dfebaffc4c4fefd0ea0bbd85f6add5480f4039d5b940e26c2ade527719e73acf77302bf5853864d7ed0243af09b2f15b58312d1c0a6f62e6bae29c01b7e8
SSDEEP

12288:pwEgszmNH4u9LS4NXZeCogcQv6QE2Fxov/G6Y:sfngCogcQyQE2Fxa/a

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
restd.xyz
Port:
587
Username:
[email protected]
Password:
gg@6{ZL65h,*
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1284-6-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exedfxzdg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	dfxzdg.exe

Executes dropped EXE 1 IoCs

Processes:

dfxzdg.exe

pid process

1144 dfxzdg.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 checkip.dyndns.org
44 freegeoip.app
45 freegeoip.app

pid	process
1144	dfxzdg.exe

flow	ioc
13	checkip.dyndns.org
44	freegeoip.app
45	freegeoip.app

Suspicious use of SetThreadContext 2 IoCs

Processes:

2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exedfxzdg.exe

description	pid	process	target process
PID 1484 set thread context of 1284	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1144 set thread context of 4512	1144	dfxzdg.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5108 1284 WerFault.exe vbc.exe
1392 4512 WerFault.exe vbc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4536 schtasks.exe
2936 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1284 vbc.exe
4512 vbc.exe

pid	pid_target	process	target process
5108	1284	WerFault.exe	vbc.exe
1392	4512	WerFault.exe	vbc.exe

pid	process
4536	schtasks.exe
2936	schtasks.exe

pid	process
1284	vbc.exe
4512	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exevbc.exedfxzdg.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe
Token: SeDebugPrivilege	1284	vbc.exe
Token: SeDebugPrivilege	1144	dfxzdg.exe
Token: SeDebugPrivilege	4512	vbc.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.execmd.exedfxzdg.execmd.exe

description	pid	process	target process
PID 1484 wrote to memory of 1284	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 1284	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 1284	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 1284	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 1284	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 1284	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 1284	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 1284	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 4724	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	cmd.exe
PID 1484 wrote to memory of 4724	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	cmd.exe
PID 1484 wrote to memory of 4724	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	cmd.exe
PID 1484 wrote to memory of 3800	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	cmd.exe
PID 1484 wrote to memory of 3800	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	cmd.exe
PID 1484 wrote to memory of 3800	1484	2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe	cmd.exe
PID 4724 wrote to memory of 4536	4724	cmd.exe	schtasks.exe
PID 4724 wrote to memory of 4536	4724	cmd.exe	schtasks.exe
PID 4724 wrote to memory of 4536	4724	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 4512	1144	dfxzdg.exe	vbc.exe
PID 1144 wrote to memory of 4512	1144	dfxzdg.exe	vbc.exe
PID 1144 wrote to memory of 4512	1144	dfxzdg.exe	vbc.exe
PID 1144 wrote to memory of 4512	1144	dfxzdg.exe	vbc.exe
PID 1144 wrote to memory of 4512	1144	dfxzdg.exe	vbc.exe
PID 1144 wrote to memory of 4512	1144	dfxzdg.exe	vbc.exe
PID 1144 wrote to memory of 4512	1144	dfxzdg.exe	vbc.exe
PID 1144 wrote to memory of 4512	1144	dfxzdg.exe	vbc.exe
PID 1144 wrote to memory of 408	1144	dfxzdg.exe	cmd.exe
PID 1144 wrote to memory of 408	1144	dfxzdg.exe	cmd.exe
PID 1144 wrote to memory of 408	1144	dfxzdg.exe	cmd.exe
PID 1144 wrote to memory of 4380	1144	dfxzdg.exe	cmd.exe
PID 1144 wrote to memory of 4380	1144	dfxzdg.exe	cmd.exe
PID 1144 wrote to memory of 4380	1144	dfxzdg.exe	cmd.exe
PID 408 wrote to memory of 2936	408	cmd.exe	schtasks.exe
PID 408 wrote to memory of 2936	408	cmd.exe	schtasks.exe
PID 408 wrote to memory of 2936	408	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 1444
3⤵
- Program crash
PID:5108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\2ea15aa68317ad61bdcff453f0750281_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
2⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1284 -ip 1284
1⤵
PID:400

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1784
3⤵
- Program crash
PID:1392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
2⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4512 -ip 4512
1⤵
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
Filesize
858KB

MD5
2ea15aa68317ad61bdcff453f0750281

SHA1
10bfcd418e65f26a49f8c8c589352872d32d0492

SHA256
20351bfb18a4c774795e240a1a143754493ce9c89edf007c5cb110e4bce447a9

SHA512
5b92dfebaffc4c4fefd0ea0bbd85f6add5480f4039d5b940e26c2ade527719e73acf77302bf5853864d7ed0243af09b2f15b58312d1c0a6f62e6bae29c01b7e8

Download Submit
memory/1144-25-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1144-24-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/1144-19-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1144-18-0x0000000000A60000-0x0000000000B3C000-memory.dmp

Filesize
880KB

Download
memory/1144-17-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/1284-12-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/1284-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1284-8-0x0000000005A30000-0x0000000005ACC000-memory.dmp

Filesize
624KB

Download
memory/1284-9-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/1284-7-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/1484-0-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/1484-14-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/1484-13-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/1484-5-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/1484-4-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/1484-3-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/1484-2-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/1484-1-0x0000000000950000-0x0000000000A2C000-memory.dmp

Filesize
880KB

Download
memory/4512-21-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/4512-22-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/4512-23-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads