General
-
Target
JaffaCakes118_2684a9581b50ded75b0d276dfbd3dc234fcb81f96a60c07e459eaae4f2947979
-
Size
668KB
-
Sample
241223-zda4eszren
-
MD5
088cfd0fe10e92cbd77f5e240950c782
-
SHA1
4e8b3eb2d4e04617584f34d65efa03b167b940ba
-
SHA256
2684a9581b50ded75b0d276dfbd3dc234fcb81f96a60c07e459eaae4f2947979
-
SHA512
ae782d8fce69bce66588f2510a1fa30fa97643450c2c7fa42dbf8be7a3cec0830e3c925c55a2300c6177fbb8fc6a6e6bd76c352b7a5766be20201afed1a6e7fd
-
SSDEEP
12288:bkGJ77kRZR650kD+EZrn7HiE5kk6KY6UEk0HTiL8VCb2KEIkJ5CyUF:bkggK0kDzZrTiEI6UEfzioI2KEIWUF
Static task
static1
Behavioral task
behavioral1
Sample
ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5402813712:AAG__8vfwqo_1K9XHIpxzTR9T7UW4raysO4/sendMessage?chat_id=5034680713
Targets
-
-
Target
ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
-
Size
740KB
-
MD5
1d1f04d00aaa3f5ed89b903016d607f5
-
SHA1
7f3bdbafbf3b9ad14d521cd1ba147b9992e13f6c
-
SHA256
ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89
-
SHA512
f1d2ea1fa7da308d8dd2fef8a3d19fcad9d271c20bf8dac2f577d6ae126cc7e0ca7e25aeef4f1fcf08592965b1eeea010d55d807cb38c097c143be648aa68981
-
SSDEEP
12288:WyCWxQir2iN3ybI1a30EZvSIk3Um4Mm/E8eLtVvxG6s8pnIvXQX6xs27toeMPVRS:WWr1aCTEZaTT4MAE8IpGQOvRsaHMtY
-
Snake Keylogger payload
-
Snakekeylogger family
-
Looks for VirtualBox Guest Additions in registry
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4