General

  • Target

    JaffaCakes118_2684a9581b50ded75b0d276dfbd3dc234fcb81f96a60c07e459eaae4f2947979

  • Size

    668KB

  • Sample

    241223-zda4eszren

  • MD5

    088cfd0fe10e92cbd77f5e240950c782

  • SHA1

    4e8b3eb2d4e04617584f34d65efa03b167b940ba

  • SHA256

    2684a9581b50ded75b0d276dfbd3dc234fcb81f96a60c07e459eaae4f2947979

  • SHA512

    ae782d8fce69bce66588f2510a1fa30fa97643450c2c7fa42dbf8be7a3cec0830e3c925c55a2300c6177fbb8fc6a6e6bd76c352b7a5766be20201afed1a6e7fd

  • SSDEEP

    12288:bkGJ77kRZR650kD+EZrn7HiE5kk6KY6UEk0HTiL8VCb2KEIkJ5CyUF:bkggK0kDzZrTiEI6UEfzioI2KEIWUF

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5402813712:AAG__8vfwqo_1K9XHIpxzTR9T7UW4raysO4/sendMessage?chat_id=5034680713

Targets

    • Target

      ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe

    • Size

      740KB

    • MD5

      1d1f04d00aaa3f5ed89b903016d607f5

    • SHA1

      7f3bdbafbf3b9ad14d521cd1ba147b9992e13f6c

    • SHA256

      ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89

    • SHA512

      f1d2ea1fa7da308d8dd2fef8a3d19fcad9d271c20bf8dac2f577d6ae126cc7e0ca7e25aeef4f1fcf08592965b1eeea010d55d807cb38c097c143be648aa68981

    • SSDEEP

      12288:WyCWxQir2iN3ybI1a30EZvSIk3Um4Mm/E8eLtVvxG6s8pnIvXQX6xs27toeMPVRS:WWr1aCTEZaTT4MAE8IpGQOvRsaHMtY

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks