snakekeylogger | d0ecdf88e56cae4a5c2c759246b97163beb6f63023593a1aee00ee896efe6a16

Analysis

max time kernel
142s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0ecdf88e56cae4a5c2c759246b97163beb6f63023593a1aee00ee896efe6a16.js
Size

1.7MB
MD5

06bf8ca73f44aa2aec54c41c4c20d3d3
SHA1

9862b9785b61b42dc8fef4e3ecb8319e2d7c7710
SHA256

d0ecdf88e56cae4a5c2c759246b97163beb6f63023593a1aee00ee896efe6a16
SHA512

84366dd9a5324d8fe98d31383dc13ae52c5a72600afafc1e396416f2b34c6a42db7b09e8571bab343fb894aa7e7b69afcb5542eb8f5f411b570d343288ddd6e8
SSDEEP

24576:AuzJmDrkb8kjVaj3cWZUYUNa/US5ZZ2BsiH8pM0:1JmDrkAk9jk/UPd8B

Score

10^/10

snakekeylogger collection discovery execution keylogger persistence spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
nbwz jvfz fmek ghid

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
nbwz jvfz fmek ghid

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/1332-37-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1332-39-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1332-32-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1332-35-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1332-30-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Blocklisted process makes network request 7 IoCs

flow	pid	Process
3	2736	wscript.exe
5	2736	wscript.exe
12	2736	wscript.exe
13	2736	wscript.exe
14	2736	wscript.exe
15	2736	wscript.exe
17	2736	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.js	wscript.exe

Executes dropped EXE 3 IoCs

pid	Process
2768	Hvwjy.exe
1708	Hvwjy.exe
1332	Hvwjy.exe

Loads dropped DLL 2 IoCs

pid	Process
2768	Hvwjy.exe
2768	Hvwjy.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Hvwjy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Hvwjy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Hvwjy.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 1332	2768	Hvwjy.exe	37

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hvwjy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hvwjy.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2768	Hvwjy.exe
2768	Hvwjy.exe
2768	Hvwjy.exe
2768	Hvwjy.exe
2768	Hvwjy.exe
2768	Hvwjy.exe
2768	Hvwjy.exe
2768	Hvwjy.exe
2768	Hvwjy.exe
1332	Hvwjy.exe
1332	Hvwjy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	Hvwjy.exe
Token: SeDebugPrivilege	1332	Hvwjy.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1332	Hvwjy.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2724	2336	wscript.exe	30
PID 2336 wrote to memory of 2724	2336	wscript.exe	30
PID 2336 wrote to memory of 2724	2336	wscript.exe	30
PID 2336 wrote to memory of 2940	2336	wscript.exe	31
PID 2336 wrote to memory of 2940	2336	wscript.exe	31
PID 2336 wrote to memory of 2940	2336	wscript.exe	31
PID 2724 wrote to memory of 2736	2724	WScript.exe	32
PID 2724 wrote to memory of 2736	2724	WScript.exe	32
PID 2724 wrote to memory of 2736	2724	WScript.exe	32
PID 2940 wrote to memory of 2768	2940	WScript.exe	33
PID 2940 wrote to memory of 2768	2940	WScript.exe	33
PID 2940 wrote to memory of 2768	2940	WScript.exe	33
PID 2940 wrote to memory of 2768	2940	WScript.exe	33
PID 2768 wrote to memory of 1708	2768	Hvwjy.exe	36
PID 2768 wrote to memory of 1708	2768	Hvwjy.exe	36
PID 2768 wrote to memory of 1708	2768	Hvwjy.exe	36
PID 2768 wrote to memory of 1708	2768	Hvwjy.exe	36
PID 2768 wrote to memory of 1332	2768	Hvwjy.exe	37
PID 2768 wrote to memory of 1332	2768	Hvwjy.exe	37
PID 2768 wrote to memory of 1332	2768	Hvwjy.exe	37
PID 2768 wrote to memory of 1332	2768	Hvwjy.exe	37
PID 2768 wrote to memory of 1332	2768	Hvwjy.exe	37
PID 2768 wrote to memory of 1332	2768	Hvwjy.exe	37
PID 2768 wrote to memory of 1332	2768	Hvwjy.exe	37
PID 2768 wrote to memory of 1332	2768	Hvwjy.exe	37
PID 2768 wrote to memory of 1332	2768	Hvwjy.exe	37

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Hvwjy.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Hvwjy.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\d0ecdf88e56cae4a5c2c759246b97163beb6f63023593a1aee00ee896efe6a16.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\word.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:2736
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\Hvwjy.exe
    "C:\Users\Admin\AppData\Local\Temp\Hvwjy.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\Hvwjy.exe
      "C:\Users\Admin\AppData\Local\Temp\Hvwjy.exe"
      4⤵
      Executes dropped EXE
      PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\Hvwjy.exe
      "C:\Users\Admin\AppData\Local\Temp\Hvwjy.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hvwjy.exe

Filesize
706KB

MD5
e1500a569b0f034f24d558f661d129c9

SHA1
6f2448b29980d1121df22d7699d2cd68cc88f736

SHA256
580ca5b59e248df91a65a54560d314869dd38b9858628a1a3ebac29863f06674

SHA512
f80f13fbb632fc21f0008082fe886a12c7409d9ac5a9b9fcfea61bd18b1a9044450e96ee8cd029f1145e687e74088a84df1e80e29648f13a698680f97e366f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.js

Filesize
962KB

MD5
0fb453466a45c5ed5a9de568d786d5a6

SHA1
c12835633e6ade4133c855b2ed2468588771f0e2

SHA256
dd448c5bfacedd7d7e25b35a5802ed6aebf5ac07676dc47178b11b831119bb7a

SHA512
2c11139c2343adff8a985d4268dc4ac367848140548ca4730e3064897e4eda92a6f4787747686d5da20b50ffdf9928e3da0107da8af7035c4a4e7b18c666866e

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.js

Filesize
283KB

MD5
c4951435e2094fc38024666feecf15c5

SHA1
72f5d95a873daaabbc3a71e363aca9394b017a70

SHA256
68af64912a0e81ab0576ec5e5e5317a345e2cd692312a3e31262058ecfcfaa66

SHA512
d8ed79f874661d4ad085cf8e3721c002755fb2cc0a14cb726f9edd9a7e00cf8308cc89676f61b4165c6ddf25368582403744cef8a646a6981f5a8c8682af0e4b

Download Submit
memory/1332-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1332-25-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1332-37-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1332-39-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1332-32-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1332-35-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1332-30-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1332-28-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2768-21-0x0000000000530000-0x000000000054C000-memory.dmp

Filesize
112KB

Download
memory/2768-22-0x0000000005740000-0x00000000057AC000-memory.dmp

Filesize
432KB

Download
memory/2768-20-0x0000000000970000-0x0000000000A22000-memory.dmp

Filesize
712KB

Download