snakekeylogger | d8b2b725cb39a2286fe1f22afaf4968ae1a8f837dad52c48edd70ab83c1f345e

General

Target

ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe
Size

665KB
MD5

ad8e64ec7e02965b3487caa1424e253e
SHA1

f8c6aaa2a36f3e539bc076b2d8c66ac23f735fba
SHA256

d8b2b725cb39a2286fe1f22afaf4968ae1a8f837dad52c48edd70ab83c1f345e
SHA512

cdb07b188d859184942dea5de7619889c2013c12071016f2899df6de3911270698480585d96996f3dcc1b7eb8bc0ccb948981f82b4047c18d763c0beaee1444d
SSDEEP

12288:CmkIvSuxojv2F4a8xyRDfTDmuBd3X3uIIIkIxV0DT:hkfj2dRDf1Bd3X3B+

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
reptw.xyz
Port:
587
Username:
[email protected]
Password:
2HRgrc+HEz}8
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2436-6-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral2/memory/2436-9-0x0000000005990000-0x00000000059A0000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 checkip.dyndns.org

flow	ioc
14	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe

description	pid	process	target process
PID 4032 set thread context of 2436	4032	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2212	4032	WerFault.exe	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe
3412	2436	WerFault.exe	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe

pid process

2436 ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe

pid	process
2436	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exead8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	4032	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe
Token: SeDebugPrivilege	2436	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe

description	pid	process	target process
PID 4032 wrote to memory of 2436	4032	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe
PID 4032 wrote to memory of 2436	4032	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe
PID 4032 wrote to memory of 2436	4032	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe
PID 4032 wrote to memory of 2436	4032	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe
PID 4032 wrote to memory of 2436	4032	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe
PID 4032 wrote to memory of 2436	4032	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe
PID 4032 wrote to memory of 2436	4032	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe
PID 4032 wrote to memory of 2436	4032	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe	ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ad8e64ec7e02965b3487caa1424e253e_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 1500
    3⤵
    - Program crash
    PID:3412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1280
  2⤵
  - Program crash
  PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4032 -ip 4032
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2436 -ip 2436
1⤵
PID:788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2436-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2436-7-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/2436-8-0x0000000005630000-0x00000000056CC000-memory.dmp

Filesize
624KB

Download
memory/2436-9-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/2436-11-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4032-0-0x0000000000E80000-0x0000000000F2C000-memory.dmp

Filesize
688KB

Download
memory/4032-1-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4032-2-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/4032-3-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/4032-4-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/4032-5-0x0000000005B00000-0x0000000005B0A000-memory.dmp

Filesize
40KB

Download
memory/4032-10-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads