General

  • Target

    a2f6a3f4dcaf6394f35ec01d02ae368f_JaffaCakes118

  • Size

    367KB

  • Sample

    240403-wq1casgh96

  • MD5

    a2f6a3f4dcaf6394f35ec01d02ae368f

  • SHA1

    4940d00601d3cd79499e332fe0d9623499b89757

  • SHA256

    b04c992fb893695fad2aa827754bd6cae34eb3e70a2fd00e4f2e884e73352026

  • SHA512

    800ea246af981b636cdd065a5fc124f77a6fd2c9ddb74679ce834c2afe0f57608fbe58c9b82a42745d5df0f42ef5a6ac7e3a3bc253a1a6f316591fe07d4a8e0f

  • SSDEEP

    6144:b8LxBBXsPUCr5/TRIoM9gWkwtr5BBj14Qr+dhqJFdrUs518wMXOgWTo6K6PAX/y0:ysMyTY9gQO7gvdrUsh2WzoyNosXmt/F

Malware Config

Targets

    • Target

      a2f6a3f4dcaf6394f35ec01d02ae368f_JaffaCakes118

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/gstrsy.dll

    • Size

      20KB

    • MD5

      56168ae8fc145b349d57533a6575a072

    • SHA1

      1e21b1fa3bf64bea8e34ef780730dd63d281c43b

    • SHA256

      22e58e7c50d06d59c142110e71515df2f901d5d8361ce065b05aa65e774bbea6

    • SHA512

      d1a6bd6af071b79f440c90447ee3817a86d6e17a284e842ba9f804850ae3d46eb4395fc3bcd86a40c7a03c2be2a11a88d0b0b4a36f3748d74a61424539f220cd

    • SSDEEP

      384:t+guiCzcXBWIOrJ0mDWWV//9TK2YV3Qd5yaIIbIJi04o+yQUR3ndeqox4:QguiCzOX6yWNFvYV3QHy2cJ94SQ83deJ

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks