snakekeylogger | 1b808f880f3ce7f3f2206b471efc9ae4655bf7cc69da90f1191cb5e1926517eb

General

Target

f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
Size

1.2MB
MD5

f2ab46c4d6035194f6bb1a3fde6ba2ae
SHA1

2db4d8e0ca62631d75302c0cd5c509c2158be5b1
SHA256

1b808f880f3ce7f3f2206b471efc9ae4655bf7cc69da90f1191cb5e1926517eb
SHA512

32454c0f23c02977a8016fc9cd372dc2943d86ea7f54f88d5f5d78df97aeb3a8443fad407f48820e918c02fea722bcb1dc386a4b3aa5d53c0474ea7a022846d6
SSDEEP

24576:8aS/d3xKzksLksqeSj3hEuXpastDNaRLbkkKzFZ/y8jh8N6ZN8Z:qKVSj5ZtDNaRLoH/+N6ZN8

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.ccmainoffice.com
Port:
587
Username:
[email protected]
Password:
QAZqaz123@
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2532-10-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2532-11-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2532-14-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2532-16-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2532-18-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2532-21-0x00000000008C0000-0x0000000000900000-memory.dmp	family_snakekeylogger
behavioral1/memory/2532-23-0x00000000008C0000-0x0000000000900000-memory.dmp	family_snakekeylogger

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/3024-3-0x00000000003C0000-0x00000000003D2000-memory.dmp	CustAttr

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
8 freegeoip.app
9 freegeoip.app

flow	ioc
4	checkip.dyndns.org
8	freegeoip.app
9	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

Processes:

f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

description	pid	process	target process
PID 3024 set thread context of 2532	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

280 2532 WerFault.exe f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

pid	pid_target	process	target process
280	2532	WerFault.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exef2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

pid	process
3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
2532	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exef2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exef2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe"
2⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe"
2⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1620
3⤵
- Program crash
PID:280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2532-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2532-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2532-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2532-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2532-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2532-23-0x00000000008C0000-0x0000000000900000-memory.dmp

Filesize
256KB

Download
memory/2532-22-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-21-0x00000000008C0000-0x0000000000900000-memory.dmp

Filesize
256KB

Download
memory/2532-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2532-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2532-19-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3024-4-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/3024-3-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/3024-1-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/3024-0-0x00000000001C0000-0x00000000002F2000-memory.dmp

Filesize
1.2MB

Download
memory/3024-20-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/3024-2-0x0000000004F80000-0x0000000004FC0000-memory.dmp

Filesize
256KB

Download
memory/3024-7-0x0000000000960000-0x0000000000984000-memory.dmp

Filesize
144KB

Download
memory/3024-6-0x00000000057D0000-0x0000000005860000-memory.dmp

Filesize
576KB

Download
memory/3024-5-0x0000000004F80000-0x0000000004FC0000-memory.dmp

Filesize
256KB

Download

description	pid	process	target process
PID 3024 wrote to memory of 3052	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 3052	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 3052	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 3052	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 2484	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 2484	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 2484	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 2484	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 2532	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 2532	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 2532	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 2532	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 2532	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 2532	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 2532	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 2532	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 3024 wrote to memory of 2532	3024	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 2532 wrote to memory of 280	2532	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	WerFault.exe
PID 2532 wrote to memory of 280	2532	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	WerFault.exe
PID 2532 wrote to memory of 280	2532	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	WerFault.exe
PID 2532 wrote to memory of 280	2532	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	WerFault.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads