snakekeylogger | d1503ceac0fde6e0979d6ba3f6fba34ebdc3fb4ca5f785757e8ef45383b9273d

General

Target

f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe
Size

792KB
MD5

f696ead7eba6d5df7a2016b5fd193e9e
SHA1

3cf4cf17c5c2347721570f1df0d710133fb65413
SHA256

d1503ceac0fde6e0979d6ba3f6fba34ebdc3fb4ca5f785757e8ef45383b9273d
SHA512

1013c7405fca15e1c8759ff049de21cfa85aeb3ba15294690b396b6fb165648d10868efc86b9c84a458617a5444c769e2ca86cc600de58b98a97abb620d44073
SSDEEP

12288:UPWID8VeuWJO7G/LWmHut5CqDm1kBB4XIMF9GHsoY+K2NeJ/b/XaO8gWSFK+pJSC:UuID8moGTJQ5xn4XIdM+KK4jiT0FK+p

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
)||LHNUQ5wgcszg
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/2516-9-0x0000000000400000-0x0000000000448000-memory.dmp	family_snakekeylogger
behavioral1/memory/2516-11-0x0000000000400000-0x0000000000448000-memory.dmp	family_snakekeylogger
behavioral1/memory/2516-20-0x0000000000400000-0x0000000000448000-memory.dmp	family_snakekeylogger
behavioral1/memory/2516-18-0x0000000000400000-0x0000000000448000-memory.dmp	family_snakekeylogger
behavioral1/memory/2516-15-0x0000000000400000-0x0000000000448000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	freegeoip.app
4	checkip.dyndns.org
6	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2908 set thread context of 2516	2908	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2516	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2516	2908	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2516	2908	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2516	2908	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2516	2908	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2516	2908	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2516	2908	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2516	2908	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2516	2908	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2516	2908	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	28
PID 2516 wrote to memory of 2436	2516	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	29
PID 2516 wrote to memory of 2436	2516	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	29
PID 2516 wrote to memory of 2436	2516	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	29
PID 2516 wrote to memory of 2436	2516	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 580
    3⤵
    PID:2436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2436-24-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2516-23-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/2516-22-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2516-25-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/2516-15-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2516-5-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2516-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2516-9-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2516-11-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2516-18-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2516-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2516-20-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2516-21-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/2908-0-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-2-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-17-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-3-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-1-0x0000000000790000-0x00000000007D0000-memory.dmp

Filesize
256KB

Download
memory/2908-4-0x0000000000790000-0x00000000007D0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing