Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
11-04-2024 22:56
General
-
Target
ee88c9b476f721af2571cf310dd98a59_JaffaCakes118.exe
-
Size
973KB
-
MD5
ee88c9b476f721af2571cf310dd98a59
-
SHA1
2ed6cd70e7049e2eb1c8b8ecd0af4e96639fe8e0
-
SHA256
665036f55a5222fab9b1d65f0cd2ba2363a1490db114c5a9bf2e0f230f1d0f7f
-
SHA512
d0c6b5dea0fbcf7571c4513f427977981417b2a8a6108117ba0f7b23e607ab04f8546190edd5e6c4abe1f452e260f36dc8ceac4c508c8b021f43f76462894989
-
SSDEEP
24576:zhFfgQH5u5/d36K64JCaaUWHDD0PWNwo:zhFj/K64Jpojl2o
Score
10/10
Malware Config
Extracted
Family
snakekeylogger
Credentials
Protocol: smtp- Host:
smtp.fireacoustics.com - Port:
587 - Username:
[email protected] - Password:
_d:rzD~62Jxh - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
-
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee88c9b476f721af2571cf310dd98a59_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ee88c9b476f721af2571cf310dd98a59_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 17403⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 732 -ip 7321⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/732-13-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/732-18-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/732-17-0x0000000005390000-0x00000000053A0000-memory.dmpFilesize
64KB
-
memory/732-16-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/2556-8-0x00000000023D0000-0x00000000023E2000-memory.dmpFilesize
72KB
-
memory/2556-11-0x0000000006700000-0x0000000006766000-memory.dmpFilesize
408KB
-
memory/2556-6-0x0000000004BE0000-0x0000000004BEA000-memory.dmpFilesize
40KB
-
memory/2556-7-0x0000000004E00000-0x0000000004E56000-memory.dmpFilesize
344KB
-
memory/2556-0-0x0000000000080000-0x000000000017A000-memory.dmpFilesize
1000KB
-
memory/2556-9-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/2556-10-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2556-5-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2556-12-0x00000000067A0000-0x00000000067C6000-memory.dmpFilesize
152KB
-
memory/2556-4-0x0000000004C10000-0x0000000004CA2000-memory.dmpFilesize
584KB
-
memory/2556-15-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/2556-3-0x0000000005120000-0x00000000056C4000-memory.dmpFilesize
5.6MB
-
memory/2556-2-0x0000000004AB0000-0x0000000004B4C000-memory.dmpFilesize
624KB
-
memory/2556-1-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB