snakekeylogger | 3559806841a45de7e6ed11acf6085ddbfb7ca67781e1db676b844b0e92ac30f9

General

Target

637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
Size

2.2MB
MD5

637c0a1232a65aba8a98acb8ec9787af
SHA1

30f6d7422526ad16c3de841472eb2c8ebfe8cb3f
SHA256

3559806841a45de7e6ed11acf6085ddbfb7ca67781e1db676b844b0e92ac30f9
SHA512

0beeb98cbcacfb3a3e3321774321c18a8e5e569a4ae08889b01a214762ef0cf73c5b4d3f452aea45d74240612a791c936d7c8fe62476b333e0d3afd6cc65a938
SSDEEP

12288:8F04OE0nuGRJuWtMSArkKali2eXNPnrEdrE:JxnuGFtM7rkKalixXN/odo

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
restd.xyz
Port:
587
Username:
[email protected]
Password:
0@3z{Aj3S8$H
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2464-6-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral2/memory/2464-9-0x00000000057B0000-0x00000000057C0000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exedfxzdg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	dfxzdg.exe

Executes dropped EXE 2 IoCs

Processes:

dfxzdg.exedfxzdg.exe

pid process

3280 dfxzdg.exe
1092 dfxzdg.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 checkip.dyndns.org
16 freegeoip.app
17 freegeoip.app
42 freegeoip.app

pid	process
3280	dfxzdg.exe
1092	dfxzdg.exe

flow	ioc
13	checkip.dyndns.org
16	freegeoip.app
17	freegeoip.app
42	freegeoip.app

Suspicious use of SetThreadContext 2 IoCs

Processes:

637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exedfxzdg.exe

description	pid	process	target process
PID 4548 set thread context of 2464	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
PID 3280 set thread context of 1092	3280	dfxzdg.exe	dfxzdg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1636 2464 WerFault.exe 637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
3224 1092 WerFault.exe dfxzdg.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4324 schtasks.exe
2640 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exedfxzdg.exe

pid process

2464 637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
1092 dfxzdg.exe

pid	pid_target	process	target process
1636	2464	WerFault.exe	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
3224	1092	WerFault.exe	dfxzdg.exe

pid	process
4324	schtasks.exe
2640	schtasks.exe

pid	process
2464	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
1092	dfxzdg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exedfxzdg.exedfxzdg.exe

description	pid	process
Token: SeDebugPrivilege	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
Token: SeDebugPrivilege	2464	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
Token: SeDebugPrivilege	3280	dfxzdg.exe
Token: SeDebugPrivilege	1092	dfxzdg.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.execmd.exedfxzdg.execmd.exe

description	pid	process	target process
PID 4548 wrote to memory of 2464	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
PID 4548 wrote to memory of 2464	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
PID 4548 wrote to memory of 2464	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
PID 4548 wrote to memory of 2464	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
PID 4548 wrote to memory of 2464	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
PID 4548 wrote to memory of 2464	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
PID 4548 wrote to memory of 2464	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
PID 4548 wrote to memory of 2464	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
PID 4548 wrote to memory of 1680	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe	cmd.exe
PID 4548 wrote to memory of 1680	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe	cmd.exe
PID 4548 wrote to memory of 1680	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe	cmd.exe
PID 4548 wrote to memory of 1060	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe	cmd.exe
PID 4548 wrote to memory of 1060	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe	cmd.exe
PID 4548 wrote to memory of 1060	4548	637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe	cmd.exe
PID 1680 wrote to memory of 2640	1680	cmd.exe	schtasks.exe
PID 1680 wrote to memory of 2640	1680	cmd.exe	schtasks.exe
PID 1680 wrote to memory of 2640	1680	cmd.exe	schtasks.exe
PID 3280 wrote to memory of 1092	3280	dfxzdg.exe	dfxzdg.exe
PID 3280 wrote to memory of 1092	3280	dfxzdg.exe	dfxzdg.exe
PID 3280 wrote to memory of 1092	3280	dfxzdg.exe	dfxzdg.exe
PID 3280 wrote to memory of 1092	3280	dfxzdg.exe	dfxzdg.exe
PID 3280 wrote to memory of 1092	3280	dfxzdg.exe	dfxzdg.exe
PID 3280 wrote to memory of 1092	3280	dfxzdg.exe	dfxzdg.exe
PID 3280 wrote to memory of 1092	3280	dfxzdg.exe	dfxzdg.exe
PID 3280 wrote to memory of 1092	3280	dfxzdg.exe	dfxzdg.exe
PID 3280 wrote to memory of 2076	3280	dfxzdg.exe	cmd.exe
PID 3280 wrote to memory of 2076	3280	dfxzdg.exe	cmd.exe
PID 3280 wrote to memory of 2076	3280	dfxzdg.exe	cmd.exe
PID 3280 wrote to memory of 3392	3280	dfxzdg.exe	cmd.exe
PID 3280 wrote to memory of 3392	3280	dfxzdg.exe	cmd.exe
PID 3280 wrote to memory of 3392	3280	dfxzdg.exe	cmd.exe
PID 2076 wrote to memory of 4324	2076	cmd.exe	schtasks.exe
PID 2076 wrote to memory of 4324	2076	cmd.exe	schtasks.exe
PID 2076 wrote to memory of 4324	2076	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\AppData\Local\Temp\637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1780
    3⤵
    - Program crash
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\637c0a1232a65aba8a98acb8ec9787af_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
  2⤵
  PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2464 -ip 2464
1⤵
PID:4712

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
  "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1780
    3⤵
    - Program crash
    PID:3224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4324
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
  2⤵
  PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1092 -ip 1092
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe

Filesize
2.2MB

MD5
637c0a1232a65aba8a98acb8ec9787af

SHA1
30f6d7422526ad16c3de841472eb2c8ebfe8cb3f

SHA256
3559806841a45de7e6ed11acf6085ddbfb7ca67781e1db676b844b0e92ac30f9

SHA512
0beeb98cbcacfb3a3e3321774321c18a8e5e569a4ae08889b01a214762ef0cf73c5b4d3f452aea45d74240612a791c936d7c8fe62476b333e0d3afd6cc65a938

Download Submit
memory/1092-24-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/1092-23-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/1092-22-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/2464-9-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2464-12-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/2464-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2464-8-0x0000000005840000-0x00000000058DC000-memory.dmp

Filesize
624KB

Download
memory/2464-7-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/3280-17-0x00000000008F0000-0x0000000000B28000-memory.dmp

Filesize
2.2MB

Download
memory/3280-18-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/3280-19-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/3280-25-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/3280-26-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4548-5-0x0000000005230000-0x000000000523A000-memory.dmp

Filesize
40KB

Download
memory/4548-13-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/4548-14-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4548-4-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4548-0-0x0000000000DA0000-0x0000000000FD8000-memory.dmp

Filesize
2.2MB

Download
memory/4548-3-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/4548-2-0x0000000005790000-0x0000000005D34000-memory.dmp

Filesize
5.6MB

Download
memory/4548-1-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads