Analysis
- max time kernel: 94s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-04-2024 14:51
Static task
- static1
Behavioral task
- behavioral1
  Sample: f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
- Target: f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe
- Size: 435KB
- MD5: f3b81cc4177e11666d0d4b030ae136fc
- SHA1: 7c77e6d27cf37602e17d29e602c04bc433fdc7f1
- SHA256: 981d639d5500e2012103163a359474eb356b1548dff4087b5aab97103e7bec5c
- SHA512: a751ae8380d206ce7641f9ccf9f2889ce445aa7ce1e8aa276e165bdb4bac9c45570f9a7a690e55fde39a7dee85f9bbade4666dcdd9ed2b5c807985b94d433f35
- SSDEEP: 6144:AkN8EmRpfI+hiSVwbwZ3X83DDIdwaYIQm613b7cq3N:N8EK1I+hv2M3M3HGlQN3n/3N
Malware Config
Extracted
snakekeylogger
- Protocol: smtp
- Host: mail.sayimkalip.com
- Port: 587
- Username: [email protected]
- Password: 3edcvfr4**
- Email To: [email protected]
- https://api.telegram.org/bot1483662500:AAGrMuxJV05-It-ke-xXVV6-R6IAtETpJb0/sendMessage?chat_id=1300181783
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  Processes:
    resource: behavioral2/memory/3908-2-0x0000000000400000-0x0000000000448000-memory.dmp
    yara_rule: family_snakekeylogger
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 12, ioc: checkip.dyndns.org
    flow 29, ioc: freegeoip.app
    flow 30, ioc: freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 3344 set thread context of 3908
    pid: 3344
    process: f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe
    target process: MSBuild.exe
- Program crash (1 IoC)
  Processes:
    pid: 1440
    pid_target: 3344
    process: WerFault.exe
    target process: f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (dw20.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (dw20.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (dw20.exe)
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes:
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (dw20.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (dw20.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 3908, process: MSBuild.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid 3344, process: f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 3908, process: MSBuild.exe
    Token: SeBackupPrivilege, pid 4900, process: dw20.exe
    Token: SeBackupPrivilege, pid 4900, process: dw20.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    PID 3344 wrote to memory of 3908 (f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe -> MSBuild.exe)
    PID 3344 wrote to memory of 3908 (f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe -> MSBuild.exe)
    PID 3344 wrote to memory of 3908 (f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe -> MSBuild.exe)
    PID 3344 wrote to memory of 3908 (f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe -> MSBuild.exe)
    PID 3908 wrote to memory of 4900 (MSBuild.exe -> dw20.exe)
    PID 3908 wrote to memory of 4900 (MSBuild.exe -> dw20.exe)
    PID 3908 wrote to memory of 4900 (MSBuild.exe -> dw20.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f3b81cc4177e11666d0d4b030ae136fc_JaffaCakes118.exe"
    Depth: 2
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 1668
      Depth: 3
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 424
    Depth: 2
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3344 -ip 3344
  Depth: 1
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/3344-0-0x0000000000A90000-0x0000000000ABE000-memory.dmp
  Filesize: 184KB
- memory/3344-1-0x00000000006B0000-0x00000000006B2000-memory.dmp
  Filesize: 8KB
- memory/3908-2-0x0000000000400000-0x0000000000448000-memory.dmp
  Filesize: 288KB
- memory/3908-3-0x0000000074640000-0x0000000074BF1000-memory.dmp
  Filesize: 5.7MB
- memory/3908-4-0x0000000074640000-0x0000000074BF1000-memory.dmp
  Filesize: 5.7MB
- memory/3908-5-0x0000000001570000-0x0000000001580000-memory.dmp
  Filesize: 64KB
- memory/3908-12-0x0000000074640000-0x0000000074BF1000-memory.dmp
  Filesize: 5.7MB