General

  • Target

    3c79639ff8699d1ec0154d6d6eac37db_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240712-janbkswdqa

  • MD5

    3c79639ff8699d1ec0154d6d6eac37db

  • SHA1

    b9f420d4c8c85e56876891f8521e4dab38ae0a15

  • SHA256

    77d20e04d420adbb732bdd2d365afa1ce9b85585c443c894039bc972d88a9353

  • SHA512

    c60cffb5633787520a5225b453c0a578bb263f24c780759358c03b6a564836b8200164cbdb773d49e3fb8c4ac5e2349aa78b0fa9f1ff097a2b993527af157604

  • SSDEEP

    12288:OpoAjC84Mab0k/05qD4xgca8ndRg9SRmINmnxjA:MC9MY4xXa8dQSWZA

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://bitrix370.timeweb.ru/
  • Port:
    21
  • Username:
    cn94754
  • Password:
    c2eitfpidhgS

Targets

    • Target

      McDERMOTT STANDARD TERMS AND CONDITIONS(Inclusive of Appendix Kakinada - R0186232.exe

    • Size

      713KB

    • MD5

      343a265bfdb9b15f6b99db339112d799

    • SHA1

      4a9a4a28d2cd8f5da07be8bd6602c753635b5436

    • SHA256

      45b183f3ab8e0ad421664b353e4951aa08d3f2e0ee0667a5b10d4dba5e5bb691

    • SHA512

      c666bc106d903cbabb203dabfd497bcdb79483d5ea3d2288fe767d427ee96c606c578e4628b93bc4f8a8590114f69641ab3109d2a9aefa0e39270c3d1b1882c0

    • SSDEEP

      12288:ZpoAjC84Mab0k/05qD4xgca8ndRg9SRmINmnxjA:fC9MY4xXa8dQSWZA

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used to redirect execution in another process, as in process injection or hollowing.
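The behaviour list above and the extracted FTP credentials describe the same chain: read local credential stores, look up the external IP, then push data to the FTP host. The script below is an added example, not sandbox output or Snake Keylogger code, that scores constructed Sysmon-style key=value telemetry against those behaviours. It assumes default install locations for FileZilla, Chrome, Outlook and Thunderbird, and the IP-lookup hosts are common services, since the report does not name the one this sample used; only the exfiltration host and port come from the report.

```python
import re
from collections import defaultdict

# Exfiltration endpoint taken from the report's extracted config (Credentials block).
EXFIL_HOST = "bitrix370.timeweb.ru"
EXFIL_PORT = 21

# Lower-case substrings that evidence each behaviour in the report. Paths are the
# default storage locations of the named programs (assumption: default installs);
# the IP-lookup hosts are common services, not necessarily the one this sample used.
INDICATORS = {
    "checks_location_settings": ["control panel\\international\\geo\\nation"],
    "reads_ftp_client_config":  ["\\filezilla\\sitemanager.xml", "\\filezilla\\recentservers.xml"],
    "reads_email_profile":      ["\\office\\16.0\\outlook\\profiles", "\\thunderbird\\profiles\\"],
    "reads_browser_data":       ["\\user data\\default\\login data", "\\user data\\default\\cookies", "logins.json"],
    "external_ip_lookup":       ["checkip.dyndns.org", "api.ipify.org", "ip-api.com"],
}
CRED_STORES = {"reads_ftp_client_config", "reads_email_profile", "reads_browser_data"}
NETWORK = {"external_ip_lookup", "ftp_to_extracted_c2"}

# Constructed telemetry, modelled on Sysmon file/registry/DNS/network events.
SAMPLE_EVENTS = [
    'pid=4120 image=R0186232.exe event=RegRead key="HKCU\\Control Panel\\International\\Geo\\Nation"',
    'pid=4120 image=R0186232.exe event=FileRead path="C:\\Users\\a\\AppData\\Roaming\\FileZilla\\recentservers.xml"',
    'pid=4120 image=R0186232.exe event=FileRead path="C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"',
    'pid=4120 image=R0186232.exe event=RegRead key="HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"',
    'pid=4120 image=R0186232.exe event=DnsQuery dst=checkip.dyndns.org',
    'pid=4120 image=R0186232.exe event=NetConnect dst=bitrix370.timeweb.ru dport=21',
    'pid=900 image=explorer.exe event=FileRead path="C:\\Users\\a\\Documents\\notes.txt"',
    'pid=2210 image=filezilla.exe event=FileRead path="C:\\Users\\a\\AppData\\Roaming\\FileZilla\\sitemanager.xml"',
]

EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in EVENT_RE.findall(line)}


def classify(evt):
    """Return the report behaviour an event evidences, or None."""
    target = (evt.get("path") or evt.get("key") or evt.get("dst") or "").lower()
    # Direct contact with the host/port from the extracted config is checked first.
    if evt.get("event") == "NetConnect" and target == EXFIL_HOST and evt.get("dport") == str(EXFIL_PORT):
        return "ftp_to_extracted_c2"
    for name, needles in INDICATORS.items():
        if any(n in target for n in needles):
            return name
    return None


def score(lines):
    """Group matched behaviours per (pid, image); processes with no match are omitted."""
    hits = defaultdict(set)
    for line in lines:
        evt = parse_event(line)
        indicator = classify(evt)
        if indicator:
            hits[(evt["pid"], evt["image"])].add(indicator)
    return dict(hits)


def verdict(indicators):
    """Infostealer pattern: a credential-store read plus outbound activity.

    Contact with the extracted C2 is malicious on its own. A program reading only
    its own config (FileZilla opening sitemanager.xml) stays benign.
    """
    if "ftp_to_extracted_c2" in indicators:
        return "malicious"
    if indicators & CRED_STORES and indicators & NETWORK:
        return "suspicious"
    return "benign"


if __name__ == "__main__":
    for proc, inds in score(SAMPLE_EVENTS).items():
        print(proc, verdict(inds), sorted(inds))
```

The correlation key is the process, not the individual event: a single FileZilla config read is normal for FileZilla itself, and it is the combination of credential-store reads with an external IP lookup and an FTP connection from one unrelated process that matches the behaviour list in this report.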

MITRE ATT&CK Enterprise v15
