Malware Analysis Report

2024-10-18 23:16

Sample ID 240709-mamlts1cqg
Target 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118
SHA256 071820da24f6b704ce6356e79ded9baad1acaa5e400fb8727c33bae6aa6f7a2f
Tags: snakekeylogger keylogger stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 071820da24f6b704ce6356e79ded9baad1acaa5e400fb8727c33bae6aa6f7a2f

Threat Level: Known bad

The file 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

snakekeylogger keylogger stealer

Snake Keylogger payload

Snake Keylogger

Loads dropped DLL

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-07-09 10:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-09 10:15
Reported: 2024-07-09 12:52
Platform: win10v2004-20240704-en
Max time kernel: 94s
Max time network: 99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1016

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsc5763.tmp\sixepu.dll

MD5 040853f7eb99fcc82ea269734850785e
SHA1 8f18a3e2d9349d60de78194fcb62b7775cd297d6
SHA256 0f68d5467617881e66690c950d2d2f409129662d2f78d6b648a2e2bf89bf33c0
SHA512 cf5cd1fc536cec5d2c9735ad8129dd7990ef998403dd171bb5daf4b6d468beeb1d4a264124c701e57a89103231273b577e2a3858cd056182739e384395c56b6b

Analysis: behavioral3

Detonation Overview

Submitted: 2024-07-09 10:15
Reported: 2024-07-09 12:52
Platform: win7-20240704-en
Max time kernel: 121s
Max time network: 124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\sixepu.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\sixepu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\sixepu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 248

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-07-09 10:15
Reported: 2024-07-09 12:52
Platform: win10v2004-20240704-en
Max time kernel: 149s
Max time network: 152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\sixepu.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3560 wrote to memory of 3648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3560 wrote to memory of 3648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3560 wrote to memory of 3648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\sixepu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\sixepu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3648 -ip 3648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 692

Network

Country Destination Domain Proto
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-09 10:15
Reported: 2024-07-09 12:52
Platform: win7-20240708-en
Max time kernel: 142s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
PID 2424 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
PID 2424 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
PID 2424 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
PID 2424 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
PID 2424 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
PID 2424 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
PID 2424 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
PID 2424 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
PID 2424 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
PID 2424 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
PID 2176 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 2176 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 2176 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 2176 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 548

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 freegeoip.app udp
US 104.21.73.97:443 freegeoip.app tcp
US 8.8.8.8:53 ipbase.com udp
US 104.21.85.189:443 ipbase.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsoC15D.tmp\sixepu.dll

MD5 040853f7eb99fcc82ea269734850785e
SHA1 8f18a3e2d9349d60de78194fcb62b7775cd297d6
SHA256 0f68d5467617881e66690c950d2d2f409129662d2f78d6b648a2e2bf89bf33c0
SHA512 cf5cd1fc536cec5d2c9735ad8129dd7990ef998403dd171bb5daf4b6d468beeb1d4a264124c701e57a89103231273b577e2a3858cd056182739e384395c56b6b

memory/2176-8-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2176-10-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2176-11-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2240-12-0x00000000004C0000-0x00000000004C1000-memory.dmp