Analysis
max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/03/2024, 15:51
Static task: static1
Behavioral task: behavioral1
  Sample: 26108db5b69562376697d90215395c87_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 26108db5b69562376697d90215395c87_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 26108db5b69562376697d90215395c87_JaffaCakes118.exe
Size: 2.2MB
MD5: 26108db5b69562376697d90215395c87
SHA1: ebd57ecda0c2a6cca843ead90d9c845376dfe47a
SHA256: 406776bc31b30cd94d3e6e50ea5adfac4817b2787c49f02e9ac096ea128f4843
SHA512: d29a60d5dbe056f65a0655752e0a95a19718d021db8ad2d117e543bafeb46730f238facb3e3b1b7175a6de7e0915150b32686a4310d3b7dadf291ed1f52a249e
SSDEEP: 12288:mcf8x8hkm0WhdWCOt58IWDNuuc2eXNPnrEdrE:duj8IWDNuucxXN/odo
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: restd.xyz
Port: 587
Username: [email protected]
Password: sd?Y&2i.6@Yt
Email To: [email protected]
Signatures
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
Snake Keylogger payload (10 IoCs)
resource | yara_rule
behavioral1/memory/2780-5-0x00000000000C0000-0x00000000000E6000-memory.dmp | family_snakekeylogger
behavioral1/memory/2780-6-0x00000000000C0000-0x00000000000E6000-memory.dmp | family_snakekeylogger
behavioral1/memory/2780-9-0x00000000000C0000-0x00000000000E6000-memory.dmp | family_snakekeylogger
behavioral1/memory/2780-10-0x00000000000C0000-0x00000000000E6000-memory.dmp | family_snakekeylogger
behavioral1/memory/2780-14-0x00000000000C0000-0x00000000000E6000-memory.dmp | family_snakekeylogger
behavioral1/memory/2780-17-0x00000000000C0000-0x00000000000E6000-memory.dmp | family_snakekeylogger
behavioral1/memory/2780-21-0x0000000004DE0000-0x0000000004E20000-memory.dmp | family_snakekeylogger
behavioral1/memory/572-40-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/572-38-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/572-50-0x0000000004DB0000-0x0000000004DF0000-memory.dmp | family_snakekeylogger
Executes dropped EXE (2 IoCs)
pid | Process
292 | dfxzdg.exe
572 | dfxzdg.exe
Loads dropped DLL (5 IoCs)
pid | Process
2540 | WerFault.exe (5 identical rows)
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
8 | freegeoip.app
9 | freegeoip.app
16 | freegeoip.app
4 | checkip.dyndns.org
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2856 set thread context of 2780 | 2856 | 26108db5b69562376697d90215395c87_JaffaCakes118.exe | 28
PID 292 set thread context of 572 | 292 | dfxzdg.exe | 37
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
1524 | 2780 | WerFault.exe | 28
2540 | 572 | WerFault.exe | 37
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2484 | schtasks.exe
1456 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2780 | 26108db5b69562376697d90215395c87_JaffaCakes118.exe
572 | dfxzdg.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2856 | 26108db5b69562376697d90215395c87_JaffaCakes118.exe
Token: SeDebugPrivilege | 2780 | 26108db5b69562376697d90215395c87_JaffaCakes118.exe
Token: SeDebugPrivilege | 292 | dfxzdg.exe
Token: SeDebugPrivilege | 572 | dfxzdg.exe
Suspicious use of WriteProcessMemory (54 IoCs)
Identical rows are collapsed; the last column gives how many times each row appears in the raw list (54 in total).
writer pid | writer Process | target pid | procid_target | rows
2856 | 26108db5b69562376697d90215395c87_JaffaCakes118.exe | 2780 | 28 | 9
2856 | 26108db5b69562376697d90215395c87_JaffaCakes118.exe | 2640 | 29 | 4
2856 | 26108db5b69562376697d90215395c87_JaffaCakes118.exe | 2572 | 30 | 4
2640 | cmd.exe | 2484 | 33 | 4
2876 | taskeng.exe | 292 | 35 | 4
2780 | 26108db5b69562376697d90215395c87_JaffaCakes118.exe | 1524 | 36 | 4
292 | dfxzdg.exe | 572 | 37 | 9
292 | dfxzdg.exe | 2752 | 38 | 4
292 | dfxzdg.exe | 2740 | 39 | 4
2752 | cmd.exe | 1456 | 42 | 4
572 | dfxzdg.exe | 2540 | 45 | 4
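The SetThreadContext rows, the WriteProcessMemory rows and the YARA hits on dumped memory describe one mechanism when read together: each parent spawns a child of its own image, writes into it many more times than it writes into an ordinary child, redirects the child's thread, and the family rule then matches inside that child. The following added example (not part of the sandbox report) correlates the three tables to rebuild that chain. The row strings are copied from the tables above, the WriteProcessMemory rows are collapsed to (writer, target, repeat count), the pid-to-image map comes from the process tree, and the dictionary field names are this example's own.

```python
"""Correlate three signature tables from this report to reconstruct the
process-hollowing chain: a parent writes into a just-created child of its
own image (WriteProcessMemory), repoints the child's main thread
(SetThreadContext), and the Snake Keylogger YARA rule then fires on memory
dumped from that child.

Added example, not part of the sandbox report. The row strings below are
copied from the report's signature tables; the WriteProcessMemory rows are
collapsed to (writer, target, repeat count); the pid-to-image map is taken
from the process tree. Field names in the returned dicts are this example's
own.
"""
import re
from collections import defaultdict

SAMPLE = "26108db5b69562376697d90215395c87_JaffaCakes118.exe"

PROCESS_IMAGE = {
    2856: SAMPLE, 2780: SAMPLE, 2640: "cmd.exe", 2572: "cmd.exe",
    2484: "schtasks.exe", 1524: "WerFault.exe", 2876: "taskeng.exe",
    292: "dfxzdg.exe", 572: "dfxzdg.exe", 2752: "cmd.exe", 2740: "cmd.exe",
    1456: "schtasks.exe", 2540: "WerFault.exe",
}

SET_CONTEXT_ROWS = """
PID 2856 set thread context of 2780 2856 26108db5b69562376697d90215395c87_JaffaCakes118.exe 28
PID 292 set thread context of 572 292 dfxzdg.exe 37
"""

# (writer pid, target pid, number of identical rows) from the 54-row table
WRITE_COUNTS = [
    (2856, 2780, 9), (2856, 2640, 4), (2856, 2572, 4), (2640, 2484, 4),
    (2876, 292, 4), (2780, 1524, 4), (292, 572, 9), (292, 2752, 4),
    (292, 2740, 4), (2752, 1456, 4), (572, 2540, 4),
]

YARA_HITS = """
behavioral1/memory/2780-5-0x00000000000C0000-0x00000000000E6000-memory.dmp family_snakekeylogger
behavioral1/memory/2780-6-0x00000000000C0000-0x00000000000E6000-memory.dmp family_snakekeylogger
behavioral1/memory/2780-9-0x00000000000C0000-0x00000000000E6000-memory.dmp family_snakekeylogger
behavioral1/memory/2780-10-0x00000000000C0000-0x00000000000E6000-memory.dmp family_snakekeylogger
behavioral1/memory/2780-14-0x00000000000C0000-0x00000000000E6000-memory.dmp family_snakekeylogger
behavioral1/memory/2780-17-0x00000000000C0000-0x00000000000E6000-memory.dmp family_snakekeylogger
behavioral1/memory/2780-21-0x0000000004DE0000-0x0000000004E20000-memory.dmp family_snakekeylogger
behavioral1/memory/572-40-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger
behavioral1/memory/572-38-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger
behavioral1/memory/572-50-0x0000000004DB0000-0x0000000004DF0000-memory.dmp family_snakekeylogger
"""

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\d+)")
DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\S+)")


def parse_set_context(text):
    """[(parent pid, child pid)] for every SetThreadContext row."""
    return [(int(p), int(c)) for p, c, _img, _target in CTX_RE.findall(text)]


def parse_yara_hits(text):
    """pid -> {(start, end): rule}; repeated dumps of one region collapse to one key."""
    hits = defaultdict(dict)
    for pid, _seq, start, end, rule in DUMP_RE.findall(text):
        hits[int(pid)][(int(start, 16), int(end, 16))] = rule
    return hits


def hollowing_chains():
    """One record per SetThreadContext edge, enriched with write counts and YARA regions."""
    writes = {(w, t): n for w, t, n in WRITE_COUNTS}
    # Every ordinary CreateProcess child in this run received the same small number
    # of writes; anything above that baseline is the parent filling in the payload.
    baseline = min(writes.values())
    hits = parse_yara_hits(YARA_HITS)
    chains = []
    for parent, child in parse_set_context(SET_CONTEXT_ROWS):
        regions = hits.get(child, {})
        chains.append({
            "parent": parent,
            "child": child,
            "same_image": PROCESS_IMAGE[parent] == PROCESS_IMAGE[child],
            "writes": writes.get((parent, child), 0),
            "extra_writes": writes.get((parent, child), 0) - baseline,
            # region -> size in bytes of the dumped range the YARA rule matched
            "regions": {r: r[1] - r[0] for r in regions},
        })
    return chains


if __name__ == "__main__":
    for c in hollowing_chains():
        print("%d -> %d same_image=%s writes=%d (+%d over baseline)" % (
            c["parent"], c["child"], c["same_image"], c["writes"], c["extra_writes"]))
        for (start, end), size in sorted(c["regions"].items()):
            print("    0x%08X-0x%08X  %#x bytes" % (start, end, size))
```

Run on the report's rows this yields two chains, 2856 to 2780 and 292 to 572, both parent and child of the same image and both with 9 writes against a baseline of 4 for every other child in the run. The matched regions have identical sizes in both children (0x26000 and 0x40000 bytes), which is consistent with the same unpacked payload being mapped at different bases: 0x400000, the usual 32-bit PE image base, in the dropped copy, and 0xC0000 in the first child.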
Processes
[1] C:\Users\Admin\AppData\Local\Temp\26108db5b69562376697d90215395c87_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\26108db5b69562376697d90215395c87_JaffaCakes118.exe"
    PID: 2856
    Signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\26108db5b69562376697d90215395c87_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\26108db5b69562376697d90215395c87_JaffaCakes118.exe"
        PID: 2780
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 1616
            PID: 1524
            Signatures: Program crash
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
        PID: 2640
        Signatures: Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
            PID: 2484
            Signatures: Creates scheduled task(s)
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\26108db5b69562376697d90215395c87_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
        PID: 2572
[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {E5815CB2-0ABA-4928-B3FF-629E0B5B1D87} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
    PID: 2876
    Signatures: Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
        Command line: C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
        PID: 292
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
            Command line: "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
            PID: 572
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 1604
                PID: 2540
                Signatures: Loads dropped DLL; Program crash
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
            PID: 2752
            Signatures: Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
                PID: 1456
                Signatures: Creates scheduled task(s)
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
            PID: 2740
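The two cmd.exe children of the sample are the entire persistence mechanism: one copies the executable into %APPDATA%\dfxzdg\dfxzdg.exe, the other registers the "Nano" scheduled task that runs that copy every minute, and taskeng.exe then launches the copy, which repeats both commands. The following added example (not part of the sandbox report) is a hunt rule for that pattern over process-creation records. The records are constructed from the command lines in the process tree plus one benign control task; the record layout (pid, ppid, image, cmdline) and the rule names are assumptions of this example, not a real log schema. It generalises beyond this sample: any schtasks /create with a minute-granularity interval, any task whose action lives under AppData, and any copy into AppData are flagged on their own, and a task pointing at a freshly copied file is reported as a chain.

```python
"""Hunt rule for the persistence chain in this report: the sample copies
itself under %APPDATA% and registers a scheduled task that re-launches the
copy every minute. Both steps go through cmd.exe, so they are visible as
child-process command lines.

Added example, not part of the sandbox report. The event records below are
CONSTRUCTED from the command lines in the process tree (plus one benign
control task); the record layout (pid, ppid, image, cmdline) and the rule
names are this example's own, not a real log schema.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\26108db5b69562376697d90215395c87_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"

EVENTS = [
    {"pid": 2856, "ppid": 1, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"pid": 2640, "ppid": 2856, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f'''},
    {"pid": 2572, "ppid": 2856, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'''"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\26108db5b69562376697d90215395c87_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"'''},
    # Benign control (constructed): a daily task whose action lives outside the user profile
    {"pid": 4000, "ppid": 3999, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'''cmd.exe /c schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\run.exe" /f'''},
]

SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b(?P<args>.*)", re.I)
COPY_RE = re.compile(r'\bcopy\s+"([^"]+)"\s+"([^"]+)"', re.I)
APPDATA_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)


def _opt(args, name):
    """Value of a /name switch: the double-quoted string, or the next bare token."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % name, args, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks(cmdline):
    """Task name, schedule, interval and action path from a 'schtasks /create' command line."""
    m = SCHTASKS_RE.search(cmdline)
    if not m:
        return None
    args = m.group("args")
    run = _opt(args, "tr")
    if run is not None:
        run = run.strip("'")  # schtasks accepts a single-quoted path inside the double quotes
    every = _opt(args, "mo")
    return {
        "name": _opt(args, "tn"),
        "schedule": (_opt(args, "sc") or "").lower(),
        "every": int(every) if every and every.isdigit() else None,
        "run": run,
    }


def hunt(events, max_minutes=5):
    """Return (pid, rule, detail) findings over process-creation events."""
    findings = []
    copied_to = {}  # lower-cased destination -> pid of the copying cmd.exe
    task_for = {}   # lower-cased task action path -> task name
    for ev in events:
        cmdline = ev["cmdline"]
        cp = COPY_RE.search(cmdline)
        if cp and APPDATA_RE.search(cp.group(2)):
            copied_to[cp.group(2).lower()] = ev["pid"]
            findings.append((ev["pid"], "copy-into-appdata", cp.group(2)))
        task = parse_schtasks(cmdline)
        if task is None:
            continue
        if task["schedule"] == "minute" and task["every"] is not None and task["every"] <= max_minutes:
            findings.append((ev["pid"], "high-frequency-task",
                             "%s every %d min" % (task["name"], task["every"])))
        if task["run"] and APPDATA_RE.search(task["run"]):
            findings.append((ev["pid"], "task-runs-from-appdata", task["run"]))
            task_for[task["run"].lower()] = task["name"]
    # Correlate: a task whose action is a file some process just planted in %APPDATA%.
    for path, name in task_for.items():
        if path in copied_to:
            findings.append((copied_to[path], "persistence-chain",
                             "task %r re-launches %s" % (name, path)))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in hunt(EVENTS):
        print(pid, rule, detail)
```

The correlation keys on the copy destination rather than the source because the dropped copy re-runs the same command with itself as both source and destination (PID 2740 in the tree above), and re-issues the same schtasks /create with /f; a recurring "Nano" task registration from a process under AppData is therefore itself worth alerting on, not only the first one.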
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.2MB
MD5: 26108db5b69562376697d90215395c87
SHA1: ebd57ecda0c2a6cca843ead90d9c845376dfe47a
SHA256: 406776bc31b30cd94d3e6e50ea5adfac4817b2787c49f02e9ac096ea128f4843
SHA512: d29a60d5dbe056f65a0655752e0a95a19718d021db8ad2d117e543bafeb46730f238facb3e3b1b7175a6de7e0915150b32686a4310d3b7dadf291ed1f52a249e