snakekeylogger | 4a5638fc9de5e56aea49d9b4a552a6b00620b9a801a23c4273c966b461247114

General

Target

bd4b3301fd70c460bf4a810f365997ce_JaffaCakes118.exe
Size

790KB
MD5

bd4b3301fd70c460bf4a810f365997ce
SHA1

51cb819929057cc35ab3d8442a39a6212f5c7baa
SHA256

4a5638fc9de5e56aea49d9b4a552a6b00620b9a801a23c4273c966b461247114
SHA512

3a5506952065a89710a5fd7d5fd22eeea124540c740eca9fa62bf4cfceaea38a6f98c1af2b70b4effa6fd59d99a0c8e058cb4d767c1855c0ac0324b25eeef38d
SSDEEP

12288:K1tY1TCTVwiiAHK7z8M28OF/mwC9PoxvNZvv4Z2GbbMCm3KbU3:GtPhwii3AL8OlIoVNZvv4Zj/MCTU3

Score

10^/10

snakekeylogger discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.zeeneh.ps
Port:
587
Username:
[email protected]
Password:
8cqiru81wg
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/720-13-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	checkip.dyndns.org
34	freegeoip.app
35	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 720	956	bd4b3301fd70c460bf4a810f365997ce_JaffaCakes118.exe	99

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4816	720	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd4b3301fd70c460bf4a810f365997ce_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
720	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	720	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 720	956	bd4b3301fd70c460bf4a810f365997ce_JaffaCakes118.exe	99
PID 956 wrote to memory of 720	956	bd4b3301fd70c460bf4a810f365997ce_JaffaCakes118.exe	99
PID 956 wrote to memory of 720	956	bd4b3301fd70c460bf4a810f365997ce_JaffaCakes118.exe	99
PID 956 wrote to memory of 720	956	bd4b3301fd70c460bf4a810f365997ce_JaffaCakes118.exe	99
PID 956 wrote to memory of 720	956	bd4b3301fd70c460bf4a810f365997ce_JaffaCakes118.exe	99
PID 956 wrote to memory of 720	956	bd4b3301fd70c460bf4a810f365997ce_JaffaCakes118.exe	99
PID 956 wrote to memory of 720	956	bd4b3301fd70c460bf4a810f365997ce_JaffaCakes118.exe	99
PID 956 wrote to memory of 720	956	bd4b3301fd70c460bf4a810f365997ce_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\bd4b3301fd70c460bf4a810f365997ce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd4b3301fd70c460bf4a810f365997ce_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 1768
    3⤵
    - Program crash
    PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 720 -ip 720
1⤵
PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/720-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/720-18-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/720-17-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/720-15-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/956-8-0x0000000006D60000-0x0000000006D76000-memory.dmp

Filesize
88KB

Download
memory/956-11-0x0000000007500000-0x000000000758E000-memory.dmp

Filesize
568KB

Download
memory/956-6-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/956-7-0x0000000005C80000-0x0000000005CD6000-memory.dmp

Filesize
344KB

Download
memory/956-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/956-9-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/956-10-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/956-5-0x00000000033B0000-0x00000000033BA000-memory.dmp

Filesize
40KB

Download
memory/956-12-0x0000000009AE0000-0x0000000009B06000-memory.dmp

Filesize
152KB

Download
memory/956-4-0x0000000005A50000-0x0000000005AE2000-memory.dmp

Filesize
584KB

Download
memory/956-3-0x0000000006140000-0x00000000066E4000-memory.dmp

Filesize
5.6MB

Download
memory/956-16-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/956-2-0x00000000059B0000-0x0000000005A4C000-memory.dmp

Filesize
624KB

Download
memory/956-1-0x0000000000FD0000-0x000000000109C000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing