snakekeylogger | d1503ceac0fde6e0979d6ba3f6fba34ebdc3fb4ca5f785757e8ef45383b9273d

General

Target

f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe
Size

792KB
MD5

f696ead7eba6d5df7a2016b5fd193e9e
SHA1

3cf4cf17c5c2347721570f1df0d710133fb65413
SHA256

d1503ceac0fde6e0979d6ba3f6fba34ebdc3fb4ca5f785757e8ef45383b9273d
SHA512

1013c7405fca15e1c8759ff049de21cfa85aeb3ba15294690b396b6fb165648d10868efc86b9c84a458617a5444c769e2ca86cc600de58b98a97abb620d44073
SSDEEP

12288:UPWID8VeuWJO7G/LWmHut5CqDm1kBB4XIMF9GHsoY+K2NeJ/b/XaO8gWSFK+pJSC:UuID8moGTJQ5xn4XIdM+KK4jiT0FK+p

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
)||LHNUQ5wgcszg
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/444-17-0x0000000000400000-0x0000000000448000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	freegeoip.app
45	freegeoip.app
40	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3428 set thread context of 444	3428	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	95

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
444	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	444	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe
Token: SeRestorePrivilege	3792	dw20.exe
Token: SeBackupPrivilege	3792	dw20.exe
Token: SeBackupPrivilege	3792	dw20.exe
Token: SeBackupPrivilege	3792	dw20.exe
Token: SeBackupPrivilege	3792	dw20.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 444	3428	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	95
PID 3428 wrote to memory of 444	3428	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	95
PID 3428 wrote to memory of 444	3428	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	95
PID 3428 wrote to memory of 444	3428	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	95
PID 3428 wrote to memory of 444	3428	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	95
PID 3428 wrote to memory of 444	3428	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	95
PID 3428 wrote to memory of 444	3428	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	95
PID 3428 wrote to memory of 444	3428	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	95
PID 444 wrote to memory of 3792	444	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	96
PID 444 wrote to memory of 3792	444	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	96
PID 444 wrote to memory of 3792	444	f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Users\Admin\AppData\Local\Temp\f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1660
    3⤵
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3792

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\f696ead7eba6d5df7a2016b5fd193e9e_JaffaCakes118.exe.log

Filesize
884B

MD5
1e6b8ce5375d908aff1c0e54dc7b69cb

SHA1
e97bf6271939d959798ff9218bfe3b27c97eb7c0

SHA256
0f5c3154cd54ca17d0cb4accc7d59649cdf32e037ca2610c0b42127e5ca3c3f3

SHA512
17c3b604a0584a22175a143fdad501fc24862cfc58e0015f8e6e80f932452b4bcf95041540458d007bff30d1e7c34d7fdd23d881c4dde3248ce708ea5739411a

Download Submit
memory/444-17-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/444-30-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/444-23-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/444-22-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/444-20-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3428-12-0x0000000001AB0000-0x0000000001AC0000-memory.dmp

Filesize
64KB

Download
memory/3428-16-0x0000000001AB0000-0x0000000001AC0000-memory.dmp

Filesize
64KB

Download
memory/3428-2-0x0000000001AB0000-0x0000000001AC0000-memory.dmp

Filesize
64KB

Download
memory/3428-1-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3428-10-0x0000000001AB0000-0x0000000001AC0000-memory.dmp

Filesize
64KB

Download
memory/3428-11-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3428-0-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3428-21-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3964-15-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/3964-7-0x00007FF9A16E0000-0x00007FF9A2081000-memory.dmp

Filesize
9.6MB

Download
memory/3964-14-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/3964-6-0x000000001A100000-0x000000001A4D4000-memory.dmp

Filesize
3.8MB

Download
memory/3964-5-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/3964-4-0x00007FF9A16E0000-0x00007FF9A2081000-memory.dmp

Filesize
9.6MB

Download
memory/3964-13-0x00007FF9A16E0000-0x00007FF9A2081000-memory.dmp

Filesize
9.6MB

Download
memory/3964-3-0x0000000000C00000-0x0000000000C20000-memory.dmp

Filesize
128KB

Download
memory/3964-9-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/3964-8-0x000000001A810000-0x000000001A946000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads