snakekeylogger | c54c2f66a5691aa9b18c133ef391d36ae13cd4686ef4448ccd4ad5cb20d6e1d8

General

Target

5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe
Size

717KB
MD5

5a150f8752d5553cab3b640f33d0786e
SHA1

72b30709a7d5a824ce8f00397c1602ddda1cb05b
SHA256

c54c2f66a5691aa9b18c133ef391d36ae13cd4686ef4448ccd4ad5cb20d6e1d8
SHA512

ab2827d7fd0da87e0cde3ca88a150d565027730ad9770b8df015d32805f02b9831a7bdf1c6f890f792b7c402a34fd47031619117fbb8a27f0b0a79fbcafda7a8
SSDEEP

12288:kv9Lf/qlL2iNeHK7zgn1nyiV2BPWtgJ21xaCIRkdOwFllDOKtvalFFTof:kQR1bUn1tV2B+ACIKdOwFllD4po

Score

10^/10

snakekeylogger discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
jBgPrcvY6
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/2644-24-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2644-22-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2644-26-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2644-19-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2644-17-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org
8	freegeoip.app
9	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2556 set thread context of 2644	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1340	2644	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe
2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe
2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe
2644	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe
Token: SeDebugPrivilege	2644	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2580	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	31
PID 2556 wrote to memory of 2580	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	31
PID 2556 wrote to memory of 2580	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	31
PID 2556 wrote to memory of 2580	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	31
PID 2556 wrote to memory of 1224	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	33
PID 2556 wrote to memory of 1224	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	33
PID 2556 wrote to memory of 1224	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	33
PID 2556 wrote to memory of 1224	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2644	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2644	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2644	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2644	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2644	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2644	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2644	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2644	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2644	2556	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	34
PID 2644 wrote to memory of 1340	2644	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	35
PID 2644 wrote to memory of 1340	2644	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	35
PID 2644 wrote to memory of 1340	2644	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	35
PID 2644 wrote to memory of 1340	2644	5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kUSrPlGlQFx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp63B3.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe"
  2⤵
  PID:1224
- C:\Users\Admin\AppData\Local\Temp\5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5a150f8752d5553cab3b640f33d0786e_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1580
    3⤵
    - Program crash
    PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp63B3.tmp

Filesize
1KB

MD5
9a40ddfd6cc989e9adeb73a5d3565e19

SHA1
3f74042136a0d868c862a08351d3411ea6805017

SHA256
7e0e566eee4130a77e8a2ecb70e0d0aca993c1fb0f6c0853d14fae35686acf41

SHA512
d52b04260b389a6a890fa7bb6041b6d26979fb701240796d5271e339b9bba9bd3c97de0c6091605030a7be7080f0baf35376996bd534c8d58aafc1057c1355a5

Download Submit
memory/2556-0-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/2556-1-0x0000000001040000-0x00000000010FA000-memory.dmp

Filesize
744KB

Download
memory/2556-2-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2556-3-0x00000000004A0000-0x00000000004B6000-memory.dmp

Filesize
88KB

Download
memory/2556-4-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/2556-5-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2556-6-0x0000000005B50000-0x0000000005BE0000-memory.dmp

Filesize
576KB

Download
memory/2556-7-0x0000000000650000-0x0000000000674000-memory.dmp

Filesize
144KB

Download
memory/2556-28-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2644-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-27-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2644-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2644-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-29-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2644-30-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2644-31-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads