snakekeylogger | b27e8818e65920ef719e41a01f7bc25145945662e0f01fb0f36dfe1195faafc8

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe
Size

434KB
MD5

e338018f8b5148cb372eacd88b539ab3
SHA1

973bfa4d59d3026dda6b27b17088f37b0885e172
SHA256

b27e8818e65920ef719e41a01f7bc25145945662e0f01fb0f36dfe1195faafc8
SHA512

e671a086b009ac2c703462f2ce6eb83cc29e2cb82e814e567a7093eb3386fce8e82bb36d6ffe7c89cb35619bac128ac46fede7f630e3652e216cf5ed64c4c4c0
SSDEEP

6144:VsfKtJxyUfZJbL5ZQFk27HX8j6HKFqCjfv2xcniFT6uy0xvCo3RoRnQ5u:VsitJxyUBJhZQFk27Hsj/qrxaiYo3n

Score

10^/10

snakekeylogger zgrat keylogger persistence rat stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
netjul.shop
Port:
587
Username:
[email protected]
Password:
uyJ^N,k+FfUN
Email To:
[email protected]

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3052-14-0x0000000006AD0000-0x0000000006B40000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-15-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-16-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-18-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-20-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-22-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-24-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-26-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-28-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-30-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-32-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-34-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-36-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-38-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-40-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-44-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-42-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-46-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-48-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-50-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-52-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-54-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-56-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-58-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-60-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-62-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-64-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-66-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-68-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-70-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-72-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-74-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-78-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3052-76-0x0000000006AD0000-0x0000000006B3A000-memory.dmp	family_zgrat_v1

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1508-2029-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrom = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\chrom\\chrom.exe\""	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

48 checkip.dyndns.org
51 freegeoip.app
52 freegeoip.app

flow	ioc
48	checkip.dyndns.org
51	freegeoip.app
52	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

Processes:

e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe

description	pid	process	target process
PID 3052 set thread context of 1508	3052	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1268 1508 WerFault.exe e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe

pid	pid_target	process	target process
1268	1508	WerFault.exe	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exee338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe

pid	process
3052	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe
3052	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe
1508	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exee338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3052	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe
Token: SeDebugPrivilege	1508	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe

description	pid	process	target process
PID 3052 wrote to memory of 1508	3052	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe
PID 3052 wrote to memory of 1508	3052	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe
PID 3052 wrote to memory of 1508	3052	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe
PID 3052 wrote to memory of 1508	3052	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe
PID 3052 wrote to memory of 1508	3052	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe
PID 3052 wrote to memory of 1508	3052	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe
PID 3052 wrote to memory of 1508	3052	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe
PID 3052 wrote to memory of 1508	3052	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe	e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1800
    3⤵
    - Program crash
    PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1508 -ip 1508
1⤵
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e338018f8b5148cb372eacd88b539ab3_JaffaCakes118.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
memory/1508-2031-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/1508-2029-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1508-2032-0x0000000004D80000-0x0000000004E1C000-memory.dmp

Filesize
624KB

Download
memory/1508-2033-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/1508-2034-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3052-26-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-36-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-3-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/3052-4-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/3052-5-0x00000000055C0000-0x00000000055CA000-memory.dmp

Filesize
40KB

Download
memory/3052-6-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/3052-7-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/3052-8-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3052-9-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/3052-10-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/3052-11-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/3052-12-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/3052-13-0x0000000006940000-0x000000000698C000-memory.dmp

Filesize
304KB

Download
memory/3052-14-0x0000000006AD0000-0x0000000006B40000-memory.dmp

Filesize
448KB

Download
memory/3052-15-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-16-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-18-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-20-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-22-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-24-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-1-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3052-28-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-30-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-32-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-34-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-2-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/3052-38-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-40-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-44-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-42-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-46-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-48-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-50-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-52-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-54-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-56-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-58-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-60-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-62-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-64-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-66-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-68-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-70-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-72-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-74-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-0-0x0000000000B80000-0x0000000000BF2000-memory.dmp

Filesize
456KB

Download
memory/3052-78-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-76-0x0000000006AD0000-0x0000000006B3A000-memory.dmp

Filesize
424KB

Download
memory/3052-2030-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download