snakekeylogger | 474f66d3344f0a29d6484ab7de9e11e6a293a5d5c719508c91b9bc7d673ce545

General

Target

1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
Size

770KB
MD5

1f70ce5c67b3381a16c9edcd2ef16a04
SHA1

1f3746b68606f3ea96735c4af90df0e96d6b1ea2
SHA256

474f66d3344f0a29d6484ab7de9e11e6a293a5d5c719508c91b9bc7d673ce545
SHA512

e537fc2f58f9cb314a8da3319c33a31c151bf47283f4822cc5204192f2b51d11a4a02c3c12579ec14b955d9c1a0846e3cb568b86bf416640ea4b800e8cb7aa68
SSDEEP

12288:qi8ztcfLUVq0OwHK7zz9NzyT0wlWSMZmbhpmXSzf2FteyC6qn6m5U85O:qi8JKuOnnvWfnhPisyg5

Score

10^/10

snakekeylogger discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.rainspor.com
Port:
587
Username:
[email protected]
Password:
assad123assad
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/2920-18-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2920-20-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2920-22-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2920-14-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2920-12-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	freegeoip.app
9	freegeoip.app
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 2920	1452	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2620	2920	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2920	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2920	1452	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe	29
PID 1452 wrote to memory of 2920	1452	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe	29
PID 1452 wrote to memory of 2920	1452	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe	29
PID 1452 wrote to memory of 2920	1452	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe	29
PID 1452 wrote to memory of 2920	1452	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe	29
PID 1452 wrote to memory of 2920	1452	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe	29
PID 1452 wrote to memory of 2920	1452	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe	29
PID 1452 wrote to memory of 2920	1452	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe	29
PID 1452 wrote to memory of 2920	1452	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe	29
PID 2920 wrote to memory of 2620	2920	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe	30
PID 2920 wrote to memory of 2620	2920	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe	30
PID 2920 wrote to memory of 2620	2920	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe	30
PID 2920 wrote to memory of 2620	2920	1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1f70ce5c67b3381a16c9edcd2ef16a04_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1624
    3⤵
    - Program crash
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1452-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/1452-1-0x0000000000FE0000-0x00000000010A6000-memory.dmp

Filesize
792KB

Download
memory/1452-2-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1452-3-0x00000000008E0000-0x00000000008F6000-memory.dmp

Filesize
88KB

Download
memory/1452-4-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/1452-5-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1452-6-0x0000000005380000-0x000000000540C000-memory.dmp

Filesize
560KB

Download
memory/1452-7-0x0000000005240000-0x0000000005264000-memory.dmp

Filesize
144KB

Download
memory/1452-23-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2920-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2920-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2920-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2920-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2920-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2920-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2920-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2920-24-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-25-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-26-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-27-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-28-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing