snakekeylogger | 55922cb5afe2b53f46a2c8080747c94d00901d49e93e0ee2ef1fee22f7fda164

General

Target

aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe
Size

418KB
MD5

aac2b9c21e1d1dd48035677164b421dd
SHA1

f472607429d90c1a4b597e195a712492111d06f9
SHA256

55922cb5afe2b53f46a2c8080747c94d00901d49e93e0ee2ef1fee22f7fda164
SHA512

76bb7f534ceb2e9a1cb0a9a9d9cc553b9d4b46925e45d4d0bcab139988a3bc8b407a33cc5f869395d1be0792f3b614f39c8d9f5ca4cd1c8b10cfad57ed48064e
SSDEEP

6144:luux2PfPY+G4LCPhlceA0laZPc034SVmBSi4PZzZn7MkhB26YB:JEPunjVQlc64SNiMz6SB2D

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.faks-allied-health.com
Port:
587
Username:
[email protected]
Password:
$Faks1234
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2508-10-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2508-9-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2508-13-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2508-15-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2508-17-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2508-20-0x0000000004930000-0x0000000004970000-memory.dmp	family_snakekeylogger
behavioral1/memory/2508-22-0x0000000004930000-0x0000000004970000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe

description	pid	process	target process
PID 2000 set thread context of 2508	2000	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2368 2508 WerFault.exe aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe

pid process

2508 aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2508 aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe

pid	pid_target	process	target process
2368	2508	WerFault.exe	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe

pid	process
2508	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2508	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exeaac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe

description	pid	process	target process
PID 2000 wrote to memory of 2508	2000	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe
PID 2000 wrote to memory of 2508	2000	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe
PID 2000 wrote to memory of 2508	2000	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe
PID 2000 wrote to memory of 2508	2000	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe
PID 2000 wrote to memory of 2508	2000	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe
PID 2000 wrote to memory of 2508	2000	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe
PID 2000 wrote to memory of 2508	2000	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe
PID 2000 wrote to memory of 2508	2000	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe
PID 2000 wrote to memory of 2508	2000	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe
PID 2508 wrote to memory of 2368	2508	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe	WerFault.exe
PID 2508 wrote to memory of 2368	2508	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe	WerFault.exe
PID 2508 wrote to memory of 2368	2508	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe	WerFault.exe
PID 2508 wrote to memory of 2368	2508	aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\aac2b9c21e1d1dd48035677164b421dd_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1096
    3⤵
    - Program crash
    PID:2368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2000-0-0x0000000000BD0000-0x0000000000C3E000-memory.dmp

Filesize
440KB

Download
memory/2000-1-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2000-2-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2000-3-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/2000-4-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2000-5-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2000-6-0x0000000004920000-0x000000000496A000-memory.dmp

Filesize
296KB

Download
memory/2000-18-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2508-9-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2508-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2508-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2508-8-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2508-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2508-15-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2508-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2508-19-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2508-17-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2508-20-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download
memory/2508-21-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2508-22-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads