Overview

overview

10

Static

static

3

fbecc83537...18.exe

windows7-x64

10

fbecc83537...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fbecc83537cf14bcd64530e8c00a8315_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240928-kphkbayhqf

  • MD5

    fbecc83537cf14bcd64530e8c00a8315

  • SHA1

    1191b585660cfb6b26ab9b7e80e1aae5136e0276

  • SHA256

    32f1de5afc9dcd3a7f12a950219cd9e838445681f4089bff7a8f3b2ed05363f5

  • SHA512

    16d1148cae8d274efd3197e60c5204506561c03099495ca3a486e1db38303941e5dd5616c50a61521b0bfd0b4d6a058dd88816ae6d3c0292830acf326a86bd29

  • SSDEEP

    12288:jhGT/f7DSvWN1JuigLYVlaf+dhKeVnVBAzzyDzAKK3LhHWUJ+eBlsi7ZZHEo+:gzHSvi7AYaf+dk+gzzKK3lV6iT

Score
10/10
snakekeyloggercollectioncredential_accessdiscoverykeyloggerpersistencespywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1634002210:AAGipukUEr-bNBgl2R1_hwFgfb9ez_v6wzE/sendMessage?chat_id=1401219117

Targets

    • Target

      fbecc83537cf14bcd64530e8c00a8315_JaffaCakes118

    • Size

      1.1MB

    • MD5

      fbecc83537cf14bcd64530e8c00a8315

    • SHA1

      1191b585660cfb6b26ab9b7e80e1aae5136e0276

    • SHA256

      32f1de5afc9dcd3a7f12a950219cd9e838445681f4089bff7a8f3b2ed05363f5

    • SHA512

      16d1148cae8d274efd3197e60c5204506561c03099495ca3a486e1db38303941e5dd5616c50a61521b0bfd0b4d6a058dd88816ae6d3c0292830acf326a86bd29

    • SSDEEP

      12288:jhGT/f7DSvWN1JuigLYVlaf+dhKeVnVBAzzyDzAKK3LhHWUJ+eBlsi7ZZHEo+:gzHSvi7AYaf+dk+gzzKK3lV6iT

    Score
    10/10
    snakekeyloggercollectioncredential_accessdiscoverykeyloggerpersistencespywarestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks