snakekeylogger | 1d02b125ee09507cbc1cfb446274c5d380f8d2d43e0083f65d3341d741eb3bbf

General

Target

ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe
Size

531KB
MD5

ca8702cbc3c66697b1f14f02254226c9
SHA1

958efe73ef2c0a1df6ecffc0bb502c18869908fa
SHA256

1d02b125ee09507cbc1cfb446274c5d380f8d2d43e0083f65d3341d741eb3bbf
SHA512

c598eea92315dc19ff2da0e463105656cfc220d2e5a766b48dc384f0f0495e9390cd7541a78a69bc76918c49f39a70123c68f614b5b1a118b268077bbc6b7d7a
SSDEEP

12288:xEx7gSLQfoRaww57p6vMYcRtz3YGjeDIyav+f8UV:+x7gSaoRcf2M2CYIfv+pV

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1064-10-0x0000000000400000-0x0000000000457000-memory.dmp	family_snakekeylogger
behavioral2/memory/1064-9-0x0000000000400000-0x0000000000457000-memory.dmp	family_snakekeylogger
behavioral2/memory/1064-12-0x0000000000400000-0x0000000000457000-memory.dmp	family_snakekeylogger
behavioral2/memory/1064-13-0x0000000000400000-0x0000000000457000-memory.dmp	family_snakekeylogger
behavioral2/memory/1064-17-0x0000000002180000-0x0000000002190000-memory.dmp	family_snakekeylogger
behavioral2/memory/1064-22-0x0000000000400000-0x0000000000457000-memory.dmp	family_snakekeylogger

Loads dropped DLL 1 IoCs

Processes:

ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe

pid process

3280 ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 checkip.dyndns.org
15 freegeoip.app
16 freegeoip.app

pid	process
3280	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe

flow	ioc
13	checkip.dyndns.org
15	freegeoip.app
16	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

Processes:

ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe

description	pid	process	target process
PID 3280 set thread context of 1064	3280	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe

pid process

1064 ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1064 ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe

pid	process
1064	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1064	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe

description	pid	process	target process
PID 3280 wrote to memory of 1064	3280	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe
PID 3280 wrote to memory of 1064	3280	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe
PID 3280 wrote to memory of 1064	3280	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe
PID 3280 wrote to memory of 1064	3280	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe
PID 3280 wrote to memory of 1064	3280	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe
PID 3280 wrote to memory of 1064	3280	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe
PID 3280 wrote to memory of 1064	3280	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe
PID 3280 wrote to memory of 1064	3280	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe
PID 3280 wrote to memory of 1064	3280	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe
PID 3280 wrote to memory of 1064	3280	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe	ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Users\Admin\AppData\Local\Temp\ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ca8702cbc3c66697b1f14f02254226c9_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsz5F28.tmp\mqpdzmdsq.dll

Filesize
22KB

MD5
c49786a64061cb1ec53737946be6e6b8

SHA1
23aea486baf2da29a164342abfacc42d24c4e2f7

SHA256
167ce47c8c1ffb564b0d793f556fa109eb17ab54846e0a5cb79efee53f0a471a

SHA512
1d2c0d8243faa8783b73150ddd50aec38c32f980a9d6fd9311495a3c531fbb668b0a74e9c3fc82059ec7a8a9b09cee82c2870b93105f2ac1661eb1e1ef3d3406

Download Submit
memory/1064-15-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1064-16-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1064-24-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1064-9-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1064-12-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1064-13-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1064-10-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1064-22-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1064-14-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1064-17-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/1064-18-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/1064-19-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/1064-20-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/3280-6-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/3280-11-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads