Analysis

  • max time kernel
    14s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    13-10-2024 05:20

General

  • Target

    3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe

  • Size

    577KB

  • MD5

    3e051c874adf5d4d29d50f16524c32a5

  • SHA1

    1770f5ce4f61419fc012656918637813345533d4

  • SHA256

    c4a153e412d20c6225b6c4778ddc8e149ee0b6fee402cf02a4c927ebb9d1488f

  • SHA512

    65644bc8134f1be9fc19825279eb2b00d9e692da56eec33256a15f66569b7dc032a116f194f0ebde33e8d2e8cddf99003b356c16b18bfb10b1d54e7cc371f13f

  • SSDEEP

    12288:MhCDCb8zsqTUV10HJG8U/ET8H/azC99Fn3KEEG675sWlL+iS:gFb0TSaEBb

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.ctpsych.com.au
  • Port:
    587
  • Username:
    baron@ctpsych.com.au
  • Password:
    money123@@@
  • Email To:
    blockmoney465@gmail.com
C2

https://api.telegram.org/bot1483662500:AAGrMuxJV05-It-ke-xXVV6-R6IAtETpJb0/sendMessage?chat_id=1300181783

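The extracted configuration above gives two exfiltration channels: an SMTP account on a third-party mail server and a Telegram Bot API URL that embeds the bot token. The following script is an added example, not part of the sandbox report or of the malware itself. It turns the reported values into a small indicator set and matches constructed events against it; the event schema (`kind`, `process`, `host`, `path`, `dst_host`, `dst_port`, `rcpt`) is hypothetical, and the secret half of the bot token is deliberately excluded from the indicator record so the set can be circulated without handing out a working token.

```python
"""Derive network indicators from the extracted Snake Keylogger configuration
and match them against events. Config values are copied from the report;
the events at the bottom are constructed for illustration."""
import re
from urllib.parse import parse_qs, urlsplit

# Extracted config as reported (password omitted; it is not needed for detection).
CONFIG = {
    "smtp": {
        "host": "mail.ctpsych.com.au",
        "port": 587,
        "username": "baron@ctpsych.com.au",
        "email_to": "blockmoney465@gmail.com",
    },
    "c2": ("https://api.telegram.org/bot1483662500:AAGrMuxJV05-It-ke-xXVV6-R6IAtETpJb0"
           "/sendMessage?chat_id=1300181783"),
}

# Telegram Bot API URL shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>?chat_id=<n>
TELEGRAM_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[\w-]+)/(?P<method>\w+)$")


def parse_telegram_c2(url):
    """Split a Telegram bot URL into indicator fields. The secret half of the
    token is left out of the returned record on purpose."""
    u = urlsplit(url)
    m = TELEGRAM_PATH.match(u.path) if u.hostname == "api.telegram.org" else None
    if m is None:
        return None
    chat_id = parse_qs(u.query).get("chat_id", [None])[0]
    return {
        "bot_id": m.group("bot_id"),
        "method": m.group("method"),
        "chat_id": chat_id,
        # The numeric bot id is a stable prefix of every request this bot makes.
        "uri_prefix": "/bot" + m.group("bot_id") + ":",
    }


def build_iocs(cfg):
    tg = parse_telegram_c2(cfg["c2"])
    return {
        "smtp_hosts": {cfg["smtp"]["host"].lower()},
        "smtp_ports": {cfg["smtp"]["port"]},
        "exfil_recipients": {cfg["smtp"]["email_to"].lower()},
        "telegram_uri_prefix": tg["uri_prefix"] if tg else None,
        "telegram_chat_id": tg["chat_id"] if tg else None,
    }


def match_event(ev, iocs):
    """Return a reason string if the event touches one of the indicators, else None.
    Events are dicts with a 'kind' of 'http' or 'smtp' (hypothetical schema)."""
    if ev["kind"] == "http":
        prefix = iocs["telegram_uri_prefix"]
        if ev["host"].lower() == "api.telegram.org" and prefix and ev["path"].startswith(prefix):
            return "Telegram bot C2: bot id matches extracted config"
    elif ev["kind"] == "smtp":
        if ev["dst_host"].lower() in iocs["smtp_hosts"] and ev["dst_port"] in iocs["smtp_ports"]:
            return "SMTP exfil: connection to configured mail server"
        if ev.get("rcpt", "").lower() in iocs["exfil_recipients"]:
            return "SMTP exfil: message addressed to configured recipient"
    return None


def scan(events, iocs):
    """Return (index, process, reason) for every matching event."""
    hits = []
    for i, ev in enumerate(events):
        reason = match_event(ev, iocs)
        if reason:
            hits.append((i, ev["process"], reason))
    return hits


# Constructed events (not from the report): the sample's C2 call, an unrelated bot,
# the sample's SMTP exfil, and a legitimate mail client.
EVENTS = [
    {"kind": "http", "process": "3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe",
     "host": "api.telegram.org",
     "path": "/bot1483662500:AAGrMuxJV05-It-ke-xXVV6-R6IAtETpJb0/sendMessage"},
    {"kind": "http", "process": "statusbot.exe", "host": "api.telegram.org",
     "path": "/bot123456:unrelated-token/getUpdates"},
    {"kind": "smtp", "process": "3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe",
     "dst_host": "mail.ctpsych.com.au", "dst_port": 587, "rcpt": "blockmoney465@gmail.com"},
    {"kind": "smtp", "process": "outlook.exe", "dst_host": "smtp.example.com",
     "dst_port": 587, "rcpt": "alice@example.com"},
]

if __name__ == "__main__":
    for hit in scan(EVENTS, build_iocs(CONFIG)):
        print(hit)
```

Matching on the `/bot<bot_id>:` prefix rather than the full token means the rule keeps working if the operator rotates the secret but keeps the bot, and it avoids shipping the live token inside a detection rule. The SMTP host here is a legitimate domain whose mailbox the operator is abusing, so the recipient address is the more reliable indicator once the mail server owner resets the account.
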
Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 5 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Local\Temp\3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 1532
        3⤵
        • Program crash
        PID:3036

Network

  • flag-us
    DNS
    checkip.dyndns.org
    3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    158.101.44.242
    checkip.dyndns.com
    IN A
    132.226.8.169
  • flag-br
    GET
    http://checkip.dyndns.org/
    3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 13 Oct 2024 05:20:29 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 2eaf716f416a2fd0bf341ab85db1195b
  • flag-br
    GET
    http://checkip.dyndns.org/
    3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sun, 13 Oct 2024 05:20:30 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: a6201ed0926d4e7fa4373efba0f1b585
  • flag-us
    DNS
    freegeoip.app
    3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    freegeoip.app
    IN A
    Response
    freegeoip.app
    IN A
    172.67.160.84
    freegeoip.app
    IN A
    104.21.73.97
  • flag-us
    GET
    https://freegeoip.app/xml/138.199.29.44
    3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
    Remote address:
    172.67.160.84:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: freegeoip.app
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sun, 13 Oct 2024 05:20:30 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sun, 13 Oct 2024 06:20:30 GMT
    Location: https://ipbase.com/xml/138.199.29.44
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U1rAkoS8FG%2FA2436cs1B%2BnFASGL5ALi14rrscN8sUq3k4TcBpXmBjK20em%2BK9wxbATPE%2FtQ7F4GtV%2BBwlGl6rhsjgNB66ZcNmgDQPIZcTYiukMei7VWPnwWfV%2B6wwyHw"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Speculation-Rules: "/cdn-cgi/speculation"
    Server: cloudflare
    CF-RAY: 8d1ce1809a86cd15-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    ipbase.com
    3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    ipbase.com
    IN A
    Response
    ipbase.com
    IN A
    172.67.209.71
    ipbase.com
    IN A
    104.21.85.189
  • flag-us
    GET
    https://ipbase.com/xml/138.199.29.44
    3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
    Remote address:
    172.67.209.71:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: ipbase.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 13 Oct 2024 05:20:31 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Age: 0
    Cache-Control: public,max-age=0,must-revalidate
    Cache-Status: "Netlify Edge"; fwd=miss
    Vary: Accept-Encoding
    X-Nf-Request-Id: 01JA254BBQVWK8A8QK7QR7A1V4
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jmZ0pSB9clZqGIe3y19B9EFOj%2BLx7NqATwaFG8Ht8nNhYWlepclL51E97ODVuKRV3gh7%2B2VveidSVo9V66y5EP0jDc4z3sTXQmp329SKq1%2FBxjCqbG%2Fj5Sp8WQaG"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Speculation-Rules: "/cdn-cgi/speculation"
    Server: cloudflare
    CF-RAY: 8d1ce1822bf17768-LHR
    alt-svc: h3=":443"; ma=86400
  • 132.226.247.73:80
    http://checkip.dyndns.org/
    http
    3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
    548 B
    816 B
    6
    4

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 172.67.160.84:443
    https://freegeoip.app/xml/138.199.29.44
    tls, http
    3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
    828 B
    5.1kB
    10
    9

    HTTP Request

    GET https://freegeoip.app/xml/138.199.29.44

    HTTP Response

    301
  • 172.67.209.71:443
    https://ipbase.com/xml/138.199.29.44
    tls, http
    3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
    813 B
    7.3kB
    10
    12

    HTTP Request

    GET https://ipbase.com/xml/138.199.29.44

    HTTP Response

    404
  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    132.226.247.73
    193.122.130.0
    193.122.6.168
    158.101.44.242
    132.226.8.169

  • 8.8.8.8:53
    freegeoip.app
    dns
    3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
    59 B
    91 B
    1
    1

    DNS Request

    freegeoip.app

    DNS Response

    172.67.160.84
    104.21.73.97

  • 8.8.8.8:53
    ipbase.com
    dns
    3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
    56 B
    88 B
    1
    1

    DNS Request

    ipbase.com

    DNS Response

    172.67.209.71
    104.21.85.189

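The network capture shows a fixed three-step chain: an HTTP request to checkip.dyndns.org carrying the hard-coded User-Agent `Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)`, then a request for `/xml/<external ip>` on freegeoip.app, which redirects to the same path on ipbase.com. The script below is an added example (not from the report) of detecting that sequence in proxy logs: it keys on an IP-echo request followed within a short window by a geolocation query for a specific address from the same client, and raises the severity when the echo request carried the sample's User-Agent. The log line format is hypothetical and the log lines are constructed; the geolocation requests are given an empty User-Agent because the report shows none on those requests.

```python
"""Sequence detection for the external-IP lookup chain in the report:
checkip.dyndns.org -> freegeoip.app/xml/<ip> -> ipbase.com/xml/<ip>."""
import re
from datetime import datetime, timedelta

# Hosts the sample contacted (from the report's Network section).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEO_HOSTS = {"freegeoip.app", "ipbase.com"}
GEO_PATH = re.compile(r"^/xml/(\d{1,3}(?:\.\d{1,3}){3})$")
# User-Agent the sample sent to checkip.dyndns.org (copied from the report).
# It is hard-coded in the malware, not what a browser on the host would send.
SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
WINDOW = timedelta(seconds=60)

# Hypothetical proxy log format: <iso ts> <client> <method> <host> <path> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_ip_lookup_chain(lines, window=WINDOW):
    """Return one alert per client that queries an IP-echo service and then asks a
    geolocation API about a specific IP within `window` seconds."""
    last_checkip = {}   # client -> (timestamp, user_agent of the echo request)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, host = rec["client"], rec["host"].lower()
        if host in IP_LOOKUP_HOSTS:
            last_checkip[client] = (rec["ts"], rec["ua"])
            continue
        m = GEO_PATH.match(rec["path"]) if host in GEO_HOSTS else None
        if m and client in last_checkip:
            first_ts, ua = last_checkip[client]
            if rec["ts"] - first_ts <= window:
                alerts.append({
                    "client": client,
                    "looked_up_ip": m.group(1),
                    "geo_host": host,
                    "legacy_ua": ua == SAMPLE_UA,
                    "severity": "high" if ua == SAMPLE_UA else "medium",
                })
                del last_checkip[client]   # one alert per chain, not per redirect hop
    return alerts


# Constructed sample log (not from the report): 10.0.0.7 reproduces the sample's
# chain, 10.0.0.8 is a browser visiting a geo site with no prior IP echo, and
# 10.0.0.9 has an IP-echo query far outside the window.
SAMPLE_LOG = [
    '2024-10-13T05:20:29Z 10.0.0.7 GET checkip.dyndns.org / "' + SAMPLE_UA + '"',
    '2024-10-13T05:20:30Z 10.0.0.7 GET freegeoip.app /xml/138.199.29.44 ""',
    '2024-10-13T05:20:31Z 10.0.0.7 GET ipbase.com /xml/138.199.29.44 ""',
    '2024-10-13T05:21:00Z 10.0.0.8 GET freegeoip.app /xml/203.0.113.5 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/130.0"',
    '2024-10-13T05:00:00Z 10.0.0.9 GET checkip.dyndns.org / "curl/8.4.0"',
    '2024-10-13T05:30:00Z 10.0.0.9 GET ipbase.com /xml/198.51.100.9 "curl/8.4.0"',
]

if __name__ == "__main__":
    for alert in detect_ip_lookup_chain(SAMPLE_LOG):
        print(alert)
```

The User-Agent string is the easiest signal to match but also the easiest for the next build to change; the echo-then-geolocate sequence from a single client, with the echoed address appearing in the second request's path, is the part of the behaviour that survives repacking and is worth keeping as the primary condition.
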
MITRE ATT&CK Enterprise v15


Downloads

  • memory/1048-0-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

    Filesize

    4KB

  • memory/1048-1-0x0000000000900000-0x0000000000996000-memory.dmp

    Filesize

    600KB

  • memory/1048-2-0x0000000074EB0000-0x000000007559E000-memory.dmp

    Filesize

    6.9MB

  • memory/1048-3-0x00000000003C0000-0x0000000000400000-memory.dmp

    Filesize

    256KB

  • memory/1048-4-0x0000000000320000-0x0000000000336000-memory.dmp

    Filesize

    88KB

  • memory/1048-16-0x0000000074EB0000-0x000000007559E000-memory.dmp

    Filesize

    6.9MB

  • memory/2552-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2552-11-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2552-6-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2552-8-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2552-7-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2552-15-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2552-13-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2552-5-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2552-17-0x0000000074EB0000-0x000000007559E000-memory.dmp

    Filesize

    6.9MB

  • memory/2552-18-0x0000000074EB0000-0x000000007559E000-memory.dmp

    Filesize

    6.9MB

  • memory/2552-19-0x0000000074EB0000-0x000000007559E000-memory.dmp

    Filesize

    6.9MB
