snakekeylogger | 981d639d5500e2012103163a359474eb356b1548dff4087b5aab97103e7bec5c

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 14:51

Target

f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe
Size

435KB
MD5

f3b81cc4177e11666d0d4b030ae136fc
SHA1

7c77e6d27cf37602e17d29e602c04bc433fdc7f1
SHA256

981d639d5500e2012103163a359474eb356b1548dff4087b5aab97103e7bec5c
SHA512

a751ae8380d206ce7641f9ccf9f2889ce445aa7ce1e8aa276e165bdb4bac9c45570f9a7a690e55fde39a7dee85f9bbade4666dcdd9ed2b5c807985b94d433f35
SSDEEP

6144:AkN8EmRpfI+hiSVwbwZ3X83DDIdwaYIQm613b7cq3N:N8EK1I+hv2M3M3HGlQN3n/3N

Score

10^/10

Family

snakekeylogger

Credentials

https://api.telegram.org/bot1483662500:AAGrMuxJV05-It-ke-xXVV6-R6IAtETpJb0/sendMessage?chat_id=1300181783

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2504-2-0x0000000000400000-0x0000000000448000-memory.dmp	family_snakekeylogger
behavioral1/memory/2504-4-0x0000000000400000-0x0000000000448000-memory.dmp	family_snakekeylogger
behavioral1/memory/2504-6-0x0000000000400000-0x0000000000448000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe

description pid process target process

PID 2208 set thread context of 2504 2208 f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid process

2504 MSBuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe

pid process

2208 f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 2504 MSBuild.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 2208 set thread context of 2504	2208	f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe	MSBuild.exe

pid	process
2504	MSBuild.exe

pid	process
2208	f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2504	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exeMSBuild.exe

description	pid	process	target process
PID 2208 wrote to memory of 2504	2208	f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe	MSBuild.exe
PID 2208 wrote to memory of 2504	2208	f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe	MSBuild.exe
PID 2208 wrote to memory of 2504	2208	f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe	MSBuild.exe
PID 2208 wrote to memory of 2504	2208	f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe	MSBuild.exe
PID 2208 wrote to memory of 2504	2208	f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe	MSBuild.exe
PID 2504 wrote to memory of 2520	2504	MSBuild.exe	dw20.exe
PID 2504 wrote to memory of 2520	2504	MSBuild.exe	dw20.exe
PID 2504 wrote to memory of 2520	2504	MSBuild.exe	dw20.exe
PID 2504 wrote to memory of 2520	2504	MSBuild.exe	dw20.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 960
3⤵
PID:2520

memory/2208-0-0x0000000000B80000-0x0000000000BAE000-memory.dmp

Filesize
184KB

Download
memory/2208-1-0x00000000000E0000-0x00000000000E2000-memory.dmp

Filesize
8KB

Download
memory/2504-2-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-4-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-6-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-7-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-9-0x0000000002160000-0x00000000021A0000-memory.dmp

Filesize
256KB

Download
memory/2504-8-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-11-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-12-0x0000000002160000-0x00000000021A0000-memory.dmp

Filesize
256KB

Download
memory/2520-10-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2520-13-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download