snakekeylogger | 981d639d5500e2012103163a359474eb356b1548dff4087b5aab97103e7bec5c

General

Target

f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe
Size

435KB
MD5

f3b81cc4177e11666d0d4b030ae136fc
SHA1

7c77e6d27cf37602e17d29e602c04bc433fdc7f1
SHA256

981d639d5500e2012103163a359474eb356b1548dff4087b5aab97103e7bec5c
SHA512

a751ae8380d206ce7641f9ccf9f2889ce445aa7ce1e8aa276e165bdb4bac9c45570f9a7a690e55fde39a7dee85f9bbade4666dcdd9ed2b5c807985b94d433f35
SSDEEP

6144:AkN8EmRpfI+hiSVwbwZ3X83DDIdwaYIQm613b7cq3N:N8EK1I+hv2M3M3HGlQN3n/3N

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.sayimkalip.com
Port:
587
Username:
[email protected]
Password:
3edcvfr4**
Email To:
[email protected]

C2

https://api.telegram.org/bot1483662500:AAGrMuxJV05-It-ke-xXVV6-R6IAtETpJb0/sendMessage?chat_id=1300181783

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3908-2-0x0000000000400000-0x0000000000448000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 checkip.dyndns.org
29 freegeoip.app
30 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe

description pid process target process

PID 3344 set thread context of 3908 3344 f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe MSBuild.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1440 3344 WerFault.exe f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe

flow	ioc
12	checkip.dyndns.org
29	freegeoip.app
30	freegeoip.app

description	pid	process	target process
PID 3344 set thread context of 3908	3344	f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe	MSBuild.exe

pid	pid_target	process	target process
1440	3344	WerFault.exe	f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid process

3908 MSBuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe

pid process

3344 f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

MSBuild.exedw20.exe

description pid process

Token: SeDebugPrivilege 3908 MSBuild.exe
Token: SeBackupPrivilege 4900 dw20.exe
Token: SeBackupPrivilege 4900 dw20.exe

pid	process
3908	MSBuild.exe

pid	process
3344	f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3908	MSBuild.exe
Token: SeBackupPrivilege	4900	dw20.exe
Token: SeBackupPrivilege	4900	dw20.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exeMSBuild.exe

description	pid	process	target process
PID 3344 wrote to memory of 3908	3344	f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe	MSBuild.exe
PID 3344 wrote to memory of 3908	3344	f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe	MSBuild.exe
PID 3344 wrote to memory of 3908	3344	f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe	MSBuild.exe
PID 3344 wrote to memory of 3908	3344	f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe	MSBuild.exe
PID 3908 wrote to memory of 4900	3908	MSBuild.exe	dw20.exe
PID 3908 wrote to memory of 4900	3908	MSBuild.exe	dw20.exe
PID 3908 wrote to memory of 4900	3908	MSBuild.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1668
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 424
2⤵
- Program crash
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3344 -ip 3344
1⤵
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3344-0-0x0000000000A90000-0x0000000000ABE000-memory.dmp

Filesize
184KB

Download
memory/3344-1-0x00000000006B0000-0x00000000006B2000-memory.dmp

Filesize
8KB

Download
memory/3908-2-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3908-3-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/3908-4-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/3908-5-0x0000000001570000-0x0000000001580000-memory.dmp

Filesize
64KB

Download
memory/3908-12-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads