snakekeylogger | f2ee4a2a477e5ab69949d331617c5727319c622012a7469f7308716e8ace5a96

General

Target

ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe
Size

1.1MB
MD5

ed8ac123e16f157b24c8a480c78d744a
SHA1

bae7e0e59206ef554deb79c10875edacc0f464d4
SHA256

f2ee4a2a477e5ab69949d331617c5727319c622012a7469f7308716e8ace5a96
SHA512

07f8b18810512745fd2613756536ec391ea797883eb0762abb42254a1ea82bc567ba81efb81898677b3d89cd00ef8140f932cc952c0c4ee2aa64d469984f3c67
SSDEEP

24576:URyTcvf25/d3e64JaSZTDgYCFqwYVxBGX:URyTG64JaQLNZGX

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.trellaborg.com
Port:
587
Username:
[email protected]
Password:
p4+vh#8Puf*N
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2300-15-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2300-16-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2300-19-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2300-21-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2300-24-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2300-26-0x0000000004D40000-0x0000000004D80000-memory.dmp	family_snakekeylogger
behavioral1/memory/2300-28-0x0000000004D40000-0x0000000004D80000-memory.dmp	family_snakekeylogger

CustAttr .NET packer 2 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/1920-3-0x00000000003A0000-0x00000000003B2000-memory.dmp	CustAttr
behavioral1/memory/2300-28-0x0000000004D40000-0x0000000004D80000-memory.dmp	CustAttr

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
8 freegeoip.app
9 freegeoip.app

flow	ioc
4	checkip.dyndns.org
8	freegeoip.app
9	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

Processes:

ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe

description	pid	process	target process
PID 1920 set thread context of 2300	1920	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1460 2300 WerFault.exe ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2836 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe

pid process

2300 ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2300 ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe

pid	pid_target	process	target process
1460	2300	WerFault.exe	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe

pid	process
2836	schtasks.exe

pid	process
2300	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2300	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exeed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe

description	pid	process	target process
PID 1920 wrote to memory of 2836	1920	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	schtasks.exe
PID 1920 wrote to memory of 2836	1920	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	schtasks.exe
PID 1920 wrote to memory of 2836	1920	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	schtasks.exe
PID 1920 wrote to memory of 2836	1920	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	schtasks.exe
PID 1920 wrote to memory of 2300	1920	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe
PID 1920 wrote to memory of 2300	1920	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe
PID 1920 wrote to memory of 2300	1920	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe
PID 1920 wrote to memory of 2300	1920	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe
PID 1920 wrote to memory of 2300	1920	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe
PID 1920 wrote to memory of 2300	1920	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe
PID 1920 wrote to memory of 2300	1920	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe
PID 1920 wrote to memory of 2300	1920	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe
PID 1920 wrote to memory of 2300	1920	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe
PID 2300 wrote to memory of 1460	2300	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	WerFault.exe
PID 2300 wrote to memory of 1460	2300	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	WerFault.exe
PID 2300 wrote to memory of 1460	2300	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	WerFault.exe
PID 2300 wrote to memory of 1460	2300	ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NDLpbTHwL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE714.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ed8ac123e16f157b24c8a480c78d744a_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1580
    3⤵
    - Program crash
    PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE714.tmp

Filesize
1KB

MD5
99f5138c75361650eb856d20d700364f

SHA1
a1b67def4ad623855672ff658e5e787720a13ff8

SHA256
59b51e2a1472eeee3011dd41253704b8f6a0865747be411870b35b4d74691f46

SHA512
cdfd4ad778a15efff9731e77664623909307da1c1bea5d4e0d897b91a974828dbdde99377c740470753343767df21eb801e504f1efcc4ea95d92246d56e971e1

Download Submit
memory/1920-0-0x0000000001390000-0x00000000014AA000-memory.dmp

Filesize
1.1MB

Download
memory/1920-1-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1920-2-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/1920-3-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/1920-4-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1920-5-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/1920-6-0x0000000004EA0000-0x0000000004F08000-memory.dmp

Filesize
416KB

Download
memory/1920-7-0x0000000000A90000-0x0000000000AB6000-memory.dmp

Filesize
152KB

Download
memory/1920-22-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2300-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2300-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2300-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2300-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2300-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2300-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2300-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2300-25-0x0000000073EA0000-0x000000007458E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-26-0x0000000004D40000-0x0000000004D80000-memory.dmp

Filesize
256KB

Download
memory/2300-27-0x0000000073EA0000-0x000000007458E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-28-0x0000000004D40000-0x0000000004D80000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads