Analysis
-
max time kernel
141s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
17-04-2024 12:28
Static task
static1
Behavioral task
behavioral1
Sample
f5c4dbef3d934821e183619967022767_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f5c4dbef3d934821e183619967022767_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
f5c4dbef3d934821e183619967022767_JaffaCakes118.exe
-
Size
776KB
-
MD5
f5c4dbef3d934821e183619967022767
-
SHA1
1c17bf19acf83f7d4e6880cf8e19e088bd1b5aa6
-
SHA256
e0b1dc004a3db060f6e6c96fcb8ef22ba4cf94aea42ef4afb40a3168f9d97296
-
SHA512
ad71ba93da29ad6f2089a6897f9367afc7d8998993a697b13fb2a64f1d0076a44e74cb35594e457c229911369d3ac5ad0bb1c4d7c86834aeac61fcf8af3e8950
-
SSDEEP
12288:ZqlVwldf4k+r/Q/aXM15r9wUz+eeEB2CLT+Srd8P:Z4VwA/mDJxem2CLT+Sr
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
25 - Username:
[email protected] - Password:
BkKMmzZ1 - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4744-12-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 37 checkip.dyndns.org 40 freegeoip.app 41 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
f5c4dbef3d934821e183619967022767_JaffaCakes118.exedescription pid process target process PID 4836 set thread context of 4744 4836 f5c4dbef3d934821e183619967022767_JaffaCakes118.exe f5c4dbef3d934821e183619967022767_JaffaCakes118.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2656 4744 WerFault.exe f5c4dbef3d934821e183619967022767_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
f5c4dbef3d934821e183619967022767_JaffaCakes118.exepid process 4744 f5c4dbef3d934821e183619967022767_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
f5c4dbef3d934821e183619967022767_JaffaCakes118.exedescription pid process Token: SeDebugPrivilege 4744 f5c4dbef3d934821e183619967022767_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
f5c4dbef3d934821e183619967022767_JaffaCakes118.exedescription pid process target process PID 4836 wrote to memory of 4744 4836 f5c4dbef3d934821e183619967022767_JaffaCakes118.exe f5c4dbef3d934821e183619967022767_JaffaCakes118.exe PID 4836 wrote to memory of 4744 4836 f5c4dbef3d934821e183619967022767_JaffaCakes118.exe f5c4dbef3d934821e183619967022767_JaffaCakes118.exe PID 4836 wrote to memory of 4744 4836 f5c4dbef3d934821e183619967022767_JaffaCakes118.exe f5c4dbef3d934821e183619967022767_JaffaCakes118.exe PID 4836 wrote to memory of 4744 4836 f5c4dbef3d934821e183619967022767_JaffaCakes118.exe f5c4dbef3d934821e183619967022767_JaffaCakes118.exe PID 4836 wrote to memory of 4744 4836 f5c4dbef3d934821e183619967022767_JaffaCakes118.exe f5c4dbef3d934821e183619967022767_JaffaCakes118.exe PID 4836 wrote to memory of 4744 4836 f5c4dbef3d934821e183619967022767_JaffaCakes118.exe f5c4dbef3d934821e183619967022767_JaffaCakes118.exe PID 4836 wrote to memory of 4744 4836 f5c4dbef3d934821e183619967022767_JaffaCakes118.exe f5c4dbef3d934821e183619967022767_JaffaCakes118.exe PID 4836 wrote to memory of 4744 4836 f5c4dbef3d934821e183619967022767_JaffaCakes118.exe f5c4dbef3d934821e183619967022767_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5c4dbef3d934821e183619967022767_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f5c4dbef3d934821e183619967022767_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f5c4dbef3d934821e183619967022767_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f5c4dbef3d934821e183619967022767_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 18123⤵
- Program crash
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4744 -ip 47441⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f5c4dbef3d934821e183619967022767_JaffaCakes118.exe.logFilesize
1KB
MD584e77a587d94307c0ac1357eb4d3d46f
SHA183cc900f9401f43d181207d64c5adba7a85edc1e
SHA256e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691
-
memory/4744-12-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4744-19-0x0000000075290000-0x0000000075A40000-memory.dmpFilesize
7.7MB
-
memory/4744-18-0x0000000075290000-0x0000000075A40000-memory.dmpFilesize
7.7MB
-
memory/4744-17-0x0000000005BA0000-0x0000000005BB0000-memory.dmpFilesize
64KB
-
memory/4744-15-0x0000000075290000-0x0000000075A40000-memory.dmpFilesize
7.7MB
-
memory/4836-4-0x0000000004EA0000-0x0000000004F3C000-memory.dmpFilesize
624KB
-
memory/4836-7-0x00000000050C0000-0x00000000050D8000-memory.dmpFilesize
96KB
-
memory/4836-8-0x0000000075290000-0x0000000075A40000-memory.dmpFilesize
7.7MB
-
memory/4836-9-0x00000000050F0000-0x0000000005100000-memory.dmpFilesize
64KB
-
memory/4836-10-0x0000000007CB0000-0x0000000007D44000-memory.dmpFilesize
592KB
-
memory/4836-11-0x000000000A3F0000-0x000000000A41E000-memory.dmpFilesize
184KB
-
memory/4836-6-0x0000000004DB0000-0x0000000004DBA000-memory.dmpFilesize
40KB
-
memory/4836-5-0x00000000050F0000-0x0000000005100000-memory.dmpFilesize
64KB
-
memory/4836-0-0x0000000075290000-0x0000000075A40000-memory.dmpFilesize
7.7MB
-
memory/4836-16-0x0000000075290000-0x0000000075A40000-memory.dmpFilesize
7.7MB
-
memory/4836-3-0x0000000004E00000-0x0000000004E92000-memory.dmpFilesize
584KB
-
memory/4836-2-0x0000000005310000-0x00000000058B4000-memory.dmpFilesize
5.6MB
-
memory/4836-1-0x0000000000330000-0x00000000003F8000-memory.dmpFilesize
800KB