snakekeylogger | 1b808f880f3ce7f3f2206b471efc9ae4655bf7cc69da90f1191cb5e1926517eb

General

Target

f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
Size

1.2MB
MD5

f2ab46c4d6035194f6bb1a3fde6ba2ae
SHA1

2db4d8e0ca62631d75302c0cd5c509c2158be5b1
SHA256

1b808f880f3ce7f3f2206b471efc9ae4655bf7cc69da90f1191cb5e1926517eb
SHA512

32454c0f23c02977a8016fc9cd372dc2943d86ea7f54f88d5f5d78df97aeb3a8443fad407f48820e918c02fea722bcb1dc386a4b3aa5d53c0474ea7a022846d6
SSDEEP

24576:8aS/d3xKzksLksqeSj3hEuXpastDNaRLbkkKzFZ/y8jh8N6ZN8Z:qKVSj5ZtDNaRLoH/+N6ZN8

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.ccmainoffice.com
Port:
587
Username:
[email protected]
Password:
QAZqaz123@
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2924-12-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/2804-7-0x0000000005A50000-0x0000000005A62000-memory.dmp	CustAttr

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 checkip.dyndns.org
25 freegeoip.app
26 freegeoip.app

flow	ioc
23	checkip.dyndns.org
25	freegeoip.app
26	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

Processes:

f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

description	pid	process	target process
PID 2804 set thread context of 2924	2804	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1672 2924 WerFault.exe f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exef2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

pid process

2804 f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
2924 f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

pid	pid_target	process	target process
1672	2924	WerFault.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

pid	process
2804	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
2924	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exef2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2804	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
Token: SeDebugPrivilege	2924	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

description	pid	process	target process
PID 2804 wrote to memory of 2924	2804	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 2804 wrote to memory of 2924	2804	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 2804 wrote to memory of 2924	2804	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 2804 wrote to memory of 2924	2804	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 2804 wrote to memory of 2924	2804	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 2804 wrote to memory of 2924	2804	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 2804 wrote to memory of 2924	2804	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
PID 2804 wrote to memory of 2924	2804	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe	f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1808
    3⤵
    - Program crash
    PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2924 -ip 2924
1⤵
PID:3156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f2ab46c4d6035194f6bb1a3fde6ba2ae_JaffaCakes118.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/2804-8-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/2804-5-0x00000000059F0000-0x00000000059FA000-memory.dmp

Filesize
40KB

Download
memory/2804-9-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2804-4-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2804-10-0x00000000069E0000-0x0000000006A70000-memory.dmp

Filesize
576KB

Download
memory/2804-6-0x0000000005C00000-0x0000000005C9C000-memory.dmp

Filesize
624KB

Download
memory/2804-7-0x0000000005A50000-0x0000000005A62000-memory.dmp

Filesize
72KB

Download
memory/2804-11-0x0000000008E60000-0x0000000008E84000-memory.dmp

Filesize
144KB

Download
memory/2804-3-0x0000000005910000-0x00000000059A2000-memory.dmp

Filesize
584KB

Download
memory/2804-2-0x0000000005FA0000-0x0000000006544000-memory.dmp

Filesize
5.6MB

Download
memory/2804-1-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/2804-16-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/2804-0-0x0000000000E40000-0x0000000000F72000-memory.dmp

Filesize
1.2MB

Download
memory/2924-15-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/2924-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2924-17-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/2924-18-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads