snakekeylogger | 9e4e77d4f212e5aad71c2a0409c801b64e89b9f92a0ce4e2903b587bc5a70485

General

Target

e22f1bbf54fbbd8d0135772dac71ac13_JaffaCakes118.exe
Size

886KB
MD5

e22f1bbf54fbbd8d0135772dac71ac13
SHA1

b44ed322c53cb34c9eb7988c65be76eb7c78f089
SHA256

9e4e77d4f212e5aad71c2a0409c801b64e89b9f92a0ce4e2903b587bc5a70485
SHA512

2e577425a1d81e682777ae7b8c0dd9718923f6c0b2367a0096b7aa803bfb21eb02a4ded17600f6f9767b5ab853ddff56ebd8b39dd0ab8da341257d2e50aa3d58
SSDEEP

24576:14njPTfWh2y0ukcncNmGgvYTDn2KSQjHT5GA2ekyFh3C0cq:mmGhDneeQHMh3C0cq

Score

10^/10

snakekeylogger discovery execution keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.vlccwellness.com
Port:
587
Username:
[email protected]
Password:
taiyab31121984
Email To:
[email protected]

C2

https://api.telegram.org/bot1865023387:AAFbWPISsv486p_o9A4CIDR1FBfAq1W7nUc/sendMessage?chat_id=1788371409

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/2636-30-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2636-26-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2636-31-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2636-24-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2636-29-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2132	powershell.exe
2704	powershell.exe
2224	powershell.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org
8	freegeoip.app
9	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1324	2636	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e22f1bbf54fbbd8d0135772dac71ac13_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2244	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 2224	108	e22f1bbf54fbbd8d0135772dac71ac13_JaffaCakes118.exe	31
PID 108 wrote to memory of 2224	108	e22f1bbf54fbbd8d0135772dac71ac13_JaffaCakes118.exe	31
PID 108 wrote to memory of 2224	108	e22f1bbf54fbbd8d0135772dac71ac13_JaffaCakes118.exe	31
PID 108 wrote to memory of 2224	108	e22f1bbf54fbbd8d0135772dac71ac13_JaffaCakes118.exe	31
PID 108 wrote to memory of 2132	108	e22f1bbf54fbbd8d0135772dac71ac13_JaffaCakes118.exe	33
PID 108 wrote to memory of 2132	108	e22f1bbf54fbbd8d0135772dac71ac13_JaffaCakes118.exe	33
PID 108 wrote to memory of 2132	108	e22f1bbf54fbbd8d0135772dac71ac13_JaffaCakes118.exe	33
PID 108 wrote to memory of 2132	108	e22f1bbf54fbbd8d0135772dac71ac13_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\e22f1bbf54fbbd8d0135772dac71ac13_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e22f1bbf54fbbd8d0135772dac71ac13_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:108
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e22f1bbf54fbbd8d0135772dac71ac13_JaffaCakes118.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:2224
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NEQcsxsAehXEc.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2132
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NEQcsxsAehXEc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp675B.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2244
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NEQcsxsAehXEc.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\e22f1bbf54fbbd8d0135772dac71ac13_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e22f1bbf54fbbd8d0135772dac71ac13_JaffaCakes118.exe"
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1576
    3⤵
    - Program crash
    PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp675B.tmp

Filesize
1KB

MD5
49d592a6b10ab0a13ebe55ccc57bcce1

SHA1
d80e7000f901cd8c14e295c81e8834bc11b146c2

SHA256
537376a29b63e04a385acb016c76ed05bd67468f327093bc9f5f662b4e1a09f8

SHA512
8f9ee6ce4c69aebc2ec48c5004d30e5afe22c3f9291d0e743521846316012fe66a864f4e5dafcb2f69156234079c34a549c46c07d6ba6eaba8a1e467135cb15a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4fecb847027a7fbb654f0882205316a2

SHA1
7139e5c31bd9dbb4d018cc014f683687a3620a18

SHA256
a5b12dc115ea163cc7c53e9f03852f522fd9131080c1d7942bd00a4593d984c7

SHA512
c6ee301d9b3821874dc1c48761775c95ce504fcee4b0836021964602b59974f1bb30c4392e0f45a21344d1dd33fcb24148d530c1664957b4c3261fd427ffa153

Download Submit
memory/108-4-0x000000007434E000-0x000000007434F000-memory.dmp

Filesize
4KB

Download
memory/108-3-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/108-0-0x000000007434E000-0x000000007434F000-memory.dmp

Filesize
4KB

Download
memory/108-5-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/108-6-0x0000000007610000-0x000000000769E000-memory.dmp

Filesize
568KB

Download
memory/108-7-0x0000000000DD0000-0x0000000000DF6000-memory.dmp

Filesize
152KB

Download
memory/108-2-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/108-1-0x0000000000E10000-0x0000000000EF4000-memory.dmp

Filesize
912KB

Download
memory/108-32-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads