Analysis
-
max time kernel
118s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
17/04/2024, 20:20
Static task
static1
Behavioral task
behavioral1
Sample
f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
-
Target
f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe
-
Size
792KB
-
MD5
f696ead7eba6d5df7a2016b5fd193e9e
-
SHA1
3cf4cf17c5c2347721570f1df0d710133fb65413
-
SHA256
d1503ceac0fde6e0979d6ba3f6fba34ebdc3fb4ca5f785757e8ef45383b9273d
-
SHA512
1013c7405fca15e1c8759ff049de21cfa85aeb3ba15294690b396b6fb165648d10868efc86b9c84a458617a5444c769e2ca86cc600de58b98a97abb620d44073
-
SSDEEP
12288:UPWID8VeuWJO7G/LWmHut5CqDm1kBB4XIMF9GHsoY+K2NeJ/b/XaO8gWSFK+pJSC:UuID8moGTJQ5xn4XIdM+KK4jiT0FK+p
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
)||LHNUQ5wgcszg - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
resource yara_rule behavioral1/memory/2516-9-0x0000000000400000-0x0000000000448000-memory.dmp family_snakekeylogger behavioral1/memory/2516-11-0x0000000000400000-0x0000000000448000-memory.dmp family_snakekeylogger behavioral1/memory/2516-20-0x0000000000400000-0x0000000000448000-memory.dmp family_snakekeylogger behavioral1/memory/2516-18-0x0000000000400000-0x0000000000448000-memory.dmp family_snakekeylogger behavioral1/memory/2516-15-0x0000000000400000-0x0000000000448000-memory.dmp family_snakekeylogger -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 freegeoip.app 4 checkip.dyndns.org 6 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2908 set thread context of 2516 2908 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe 28 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2516 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2516 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2908 wrote to memory of 2516 2908 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe 28 PID 2908 wrote to memory of 2516 2908 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe 28 PID 2908 wrote to memory of 2516 2908 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe 28 PID 2908 wrote to memory of 2516 2908 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe 28 PID 2908 wrote to memory of 2516 2908 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe 28 PID 2908 wrote to memory of 2516 2908 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe 28 PID 2908 wrote to memory of 2516 2908 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe 28 PID 2908 wrote to memory of 2516 2908 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe 28 PID 2908 wrote to memory of 2516 2908 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe 28 PID 2516 wrote to memory of 2436 2516 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe 29 PID 2516 wrote to memory of 2436 2516 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe 29 PID 2516 wrote to memory of 2436 2516 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe 29 PID 2516 wrote to memory of 2436 2516 f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 5803⤵PID:2436
-
-