Analysis
-
max time kernel
14s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
13-10-2024 05:20
Static task
static1
Behavioral task
behavioral1
Sample
3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe
-
Size
577KB
-
MD5
3e051c874adf5d4d29d50f16524c32a5
-
SHA1
1770f5ce4f61419fc012656918637813345533d4
-
SHA256
c4a153e412d20c6225b6c4778ddc8e149ee0b6fee402cf02a4c927ebb9d1488f
-
SHA512
65644bc8134f1be9fc19825279eb2b00d9e692da56eec33256a15f66569b7dc032a116f194f0ebde33e8d2e8cddf99003b356c16b18bfb10b1d54e7cc371f13f
-
SSDEEP
12288:MhCDCb8zsqTUV10HJG8U/ET8H/azC99Fn3KEEG675sWlL+iS:gFb0TSaEBb
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.ctpsych.com.au - Port:
587 - Username:
baron@ctpsych.com.au - Password:
money123@@@ - Email To:
blockmoney465@gmail.com
https://api.telegram.org/bot1483662500:AAGrMuxJV05-It-ke-xXVV6-R6IAtETpJb0/sendMessage?chat_id=1300181783
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
resource yara_rule behavioral1/memory/2552-11-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2552-8-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2552-7-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2552-15-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2552-13-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 checkip.dyndns.org 4 freegeoip.app 5 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1048 set thread context of 2552 1048 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe 29 -
Program crash 1 IoCs
pid pid_target Process procid_target 3036 2552 WerFault.exe 29 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2552 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2552 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1048 wrote to memory of 2552 1048 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe 29 PID 1048 wrote to memory of 2552 1048 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe 29 PID 1048 wrote to memory of 2552 1048 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe 29 PID 1048 wrote to memory of 2552 1048 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe 29 PID 1048 wrote to memory of 2552 1048 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe 29 PID 1048 wrote to memory of 2552 1048 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe 29 PID 1048 wrote to memory of 2552 1048 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe 29 PID 1048 wrote to memory of 2552 1048 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe 29 PID 1048 wrote to memory of 2552 1048 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe 29 PID 2552 wrote to memory of 3036 2552 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe 30 PID 2552 wrote to memory of 3036 2552 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe 30 PID 2552 wrote to memory of 3036 2552 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe 30 PID 2552 wrote to memory of 3036 2552 3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 15323⤵
- Program crash
PID:3036
-
-
Network
-
Remote address:8.8.8.8:53Requestcheckip.dyndns.orgIN AResponsecheckip.dyndns.orgIN CNAMEcheckip.dyndns.comcheckip.dyndns.comIN A132.226.247.73checkip.dyndns.comIN A193.122.130.0checkip.dyndns.comIN A193.122.6.168checkip.dyndns.comIN A158.101.44.242checkip.dyndns.comIN A132.226.8.169
-
Remote address:132.226.247.73:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 2eaf716f416a2fd0bf341ab85db1195b
-
Remote address:132.226.247.73:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: a6201ed0926d4e7fa4373efba0f1b585
-
Remote address:8.8.8.8:53Requestfreegeoip.appIN AResponsefreegeoip.appIN A172.67.160.84freegeoip.appIN A104.21.73.97
-
Remote address:172.67.160.84:443RequestGET /xml/138.199.29.44 HTTP/1.1
Host: freegeoip.app
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sun, 13 Oct 2024 06:20:30 GMT
Location: https://ipbase.com/xml/138.199.29.44
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U1rAkoS8FG%2FA2436cs1B%2BnFASGL5ALi14rrscN8sUq3k4TcBpXmBjK20em%2BK9wxbATPE%2FtQ7F4GtV%2BBwlGl6rhsjgNB66ZcNmgDQPIZcTYiukMei7VWPnwWfV%2B6wwyHw"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Speculation-Rules: "/cdn-cgi/speculation"
Server: cloudflare
CF-RAY: 8d1ce1809a86cd15-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:8.8.8.8:53Requestipbase.comIN AResponseipbase.comIN A172.67.209.71ipbase.comIN A104.21.85.189
-
Remote address:172.67.209.71:443RequestGET /xml/138.199.29.44 HTTP/1.1
Host: ipbase.com
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Age: 0
Cache-Control: public,max-age=0,must-revalidate
Cache-Status: "Netlify Edge"; fwd=miss
Vary: Accept-Encoding
X-Nf-Request-Id: 01JA254BBQVWK8A8QK7QR7A1V4
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jmZ0pSB9clZqGIe3y19B9EFOj%2BLx7NqATwaFG8Ht8nNhYWlepclL51E97ODVuKRV3gh7%2B2VveidSVo9V66y5EP0jDc4z3sTXQmp329SKq1%2FBxjCqbG%2Fj5Sp8WQaG"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Speculation-Rules: "/cdn-cgi/speculation"
Server: cloudflare
CF-RAY: 8d1ce1822bf17768-LHR
alt-svc: h3=":443"; ma=86400
-
132.226.247.73:80http://checkip.dyndns.org/http3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe548 B 816 B 6 4
HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200 -
172.67.160.84:443https://freegeoip.app/xml/138.199.29.44tls, http3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe828 B 5.1kB 10 9
HTTP Request
GET https://freegeoip.app/xml/138.199.29.44HTTP Response
301 -
172.67.209.71:443https://ipbase.com/xml/138.199.29.44tls, http3e051c874adf5d4d29d50f16524c32a5_JaffaCakes118.exe813 B 7.3kB 10 12
HTTP Request
GET https://ipbase.com/xml/138.199.29.44HTTP Response
404
-
64 B 176 B 1 1
DNS Request
checkip.dyndns.org
DNS Response
132.226.247.73193.122.130.0193.122.6.168158.101.44.242132.226.8.169
-
59 B 91 B 1 1
DNS Request
freegeoip.app
DNS Response
172.67.160.84104.21.73.97
-
56 B 88 B 1 1
DNS Request
ipbase.com
DNS Response
172.67.209.71104.21.85.189