Overview

overview

10

Static

static

3

f5c4dbef3d...18.exe

windows7-x64

10

f5c4dbef3d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 12:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5c4dbef3d934821e183619967022767_JaffaCakes118.exe

  • Size

    776KB

  • MD5

    f5c4dbef3d934821e183619967022767

  • SHA1

    1c17bf19acf83f7d4e6880cf8e19e088bd1b5aa6

  • SHA256

    e0b1dc004a3db060f6e6c96fcb8ef22ba4cf94aea42ef4afb40a3168f9d97296

  • SHA512

    ad71ba93da29ad6f2089a6897f9367afc7d8998993a697b13fb2a64f1d0076a44e74cb35594e457c229911369d3ac5ad0bb1c4d7c86834aeac61fcf8af3e8950

  • SSDEEP

    12288:ZqlVwldf4k+r/Q/aXM15r9wUz+eeEB2CLT+Srd8P:Z4VwA/mDJxem2CLT+Sr

Score
10/10
snakekeyloggerkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5c4dbef3d934821e183619967022767_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f5c4dbef3d934821e183619967022767_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Users\Admin\AppData\Local\Temp\f5c4dbef3d934821e183619967022767_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f5c4dbef3d934821e183619967022767_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1812
        3⤵
        • Program crash
        PID:2656
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3272
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4744 -ip 4744
      1⤵
        PID:852

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f5c4dbef3d934821e183619967022767_JaffaCakes118.exe.log
        Filesize

        1KB

        MD5

        84e77a587d94307c0ac1357eb4d3d46f

        SHA1

        83cc900f9401f43d181207d64c5adba7a85edc1e

        SHA256

        e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

        SHA512

        aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

        Download Submit
      • memory/4744-12-0x0000000000400000-0x0000000000424000-memory.dmp
        Filesize

        144KB

        Download
      • memory/4744-19-0x0000000075290000-0x0000000075A40000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4744-18-0x0000000075290000-0x0000000075A40000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4744-17-0x0000000005BA0000-0x0000000005BB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4744-15-0x0000000075290000-0x0000000075A40000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4836-4-0x0000000004EA0000-0x0000000004F3C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4836-7-0x00000000050C0000-0x00000000050D8000-memory.dmp
        Filesize

        96KB

        Download
      • memory/4836-8-0x0000000075290000-0x0000000075A40000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4836-9-0x00000000050F0000-0x0000000005100000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4836-10-0x0000000007CB0000-0x0000000007D44000-memory.dmp
        Filesize

        592KB

        Download
      • memory/4836-11-0x000000000A3F0000-0x000000000A41E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/4836-6-0x0000000004DB0000-0x0000000004DBA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4836-5-0x00000000050F0000-0x0000000005100000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4836-0-0x0000000075290000-0x0000000075A40000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4836-16-0x0000000075290000-0x0000000075A40000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4836-3-0x0000000004E00000-0x0000000004E92000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4836-2-0x0000000005310000-0x00000000058B4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4836-1-0x0000000000330000-0x00000000003F8000-memory.dmp
        Filesize

        800KB

        Download