General
-
Target
JaffaCakes118_0cd863b5a6d1aa53e13e1584844c8f84
-
Size
423KB
-
Sample
250106-egfg4axpgm
-
MD5
0cd863b5a6d1aa53e13e1584844c8f84
-
SHA1
591facca97d80d4c3e419dfae5fd8feac6393173
-
SHA256
089897d76a6a23bbc292194b904a400f4cb6097e8401403701e37024a5bd8324
-
SHA512
a10a9e58c20284a249189539a4fdf62f5afb8984039264fdd444f06d2c0ea8365f4d22fce9f64d3e78e08f1929cffa8134f8bbf6e557f00bc387c9e2fb495799
-
SSDEEP
6144:NXHYL6Uqd2GhNup+DFCHlKSEkvcZdCtP+t82ANozL2M81zj4xJ0I:VYuUi2iNRCkSEkvcZwPBoPW1QxJ
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.aninditaeng.net - Port:
587 - Username:
[email protected] - Password:
t2weClGi1f~7Elps - Email To:
[email protected]
Targets
-
-
Target
JaffaCakes118_0cd863b5a6d1aa53e13e1584844c8f84
-
Size
423KB
-
MD5
0cd863b5a6d1aa53e13e1584844c8f84
-
SHA1
591facca97d80d4c3e419dfae5fd8feac6393173
-
SHA256
089897d76a6a23bbc292194b904a400f4cb6097e8401403701e37024a5bd8324
-
SHA512
a10a9e58c20284a249189539a4fdf62f5afb8984039264fdd444f06d2c0ea8365f4d22fce9f64d3e78e08f1929cffa8134f8bbf6e557f00bc387c9e2fb495799
-
SSDEEP
6144:NXHYL6Uqd2GhNup+DFCHlKSEkvcZdCtP+t82ANozL2M81zj4xJ0I:VYuUi2iNRCkSEkvcZwPBoPW1QxJ
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Snakekeylogger family
-
Looks for VirtualBox Guest Additions in registry
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-