snakekeylogger | 0cc6f444f52c66cd955fa64184e8784b8ec735a0d8b2f1f4c060532fcd54e9f8

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe
Size

558KB
MD5

3446b3427eb52e09af7b7424d8bd6dc3
SHA1

780f36db6bdafed0966c2951e86142b43105f0f2
SHA256

0cc6f444f52c66cd955fa64184e8784b8ec735a0d8b2f1f4c060532fcd54e9f8
SHA512

7596395c37d037bff11dcf9e3f59039602b965c9cd36fedf344ef83dff3cce5c80aec345d4eaee4ecc2b5036b6a34473f7f31d3291d651baeddad762e5c7fbfe
SSDEEP

12288:D2RF+X3KvUtD+rXHFFqsxxxxxxxxxxxxxxxxxxxxxxxxKnABdo4:WUtKFgsxxxxxxxxxxxxxxxxxxxxxxxxZ

Score

10^/10

snakekeylogger discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
budgetn.shop
Port:
587
Username:
[email protected]
Password:
eC~Z,TG&S9jM
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/2748-9-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2748-7-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2748-11-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2748-15-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2748-13-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Executes dropped EXE 1 IoCs

pid	Process
1484	dfxzdg.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org
8	freegeoip.app
9	freegeoip.app
16	freegeoip.app

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 2748	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	30
PID 1484 set thread context of 2316	1484	dfxzdg.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3008	2748	WerFault.exe	30
2844	2316	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfxzdg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2592	schtasks.exe
2808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2748	vbc.exe
2316	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe
Token: SeDebugPrivilege	2748	vbc.exe
Token: SeDebugPrivilege	1484	dfxzdg.exe
Token: SeDebugPrivilege	2316	vbc.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2748	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	30
PID 2364 wrote to memory of 2748	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	30
PID 2364 wrote to memory of 2748	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	30
PID 2364 wrote to memory of 2748	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	30
PID 2364 wrote to memory of 2748	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	30
PID 2364 wrote to memory of 2748	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	30
PID 2364 wrote to memory of 2748	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	30
PID 2364 wrote to memory of 2748	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	30
PID 2364 wrote to memory of 2748	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	30
PID 2364 wrote to memory of 2796	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	31
PID 2364 wrote to memory of 2796	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	31
PID 2364 wrote to memory of 2796	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	31
PID 2364 wrote to memory of 2796	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	31
PID 2364 wrote to memory of 2580	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	33
PID 2364 wrote to memory of 2580	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	33
PID 2364 wrote to memory of 2580	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	33
PID 2364 wrote to memory of 2580	2364	JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe	33
PID 2796 wrote to memory of 2808	2796	cmd.exe	35
PID 2796 wrote to memory of 2808	2796	cmd.exe	35
PID 2796 wrote to memory of 2808	2796	cmd.exe	35
PID 2796 wrote to memory of 2808	2796	cmd.exe	35
PID 2748 wrote to memory of 3008	2748	vbc.exe	37
PID 2748 wrote to memory of 3008	2748	vbc.exe	37
PID 2748 wrote to memory of 3008	2748	vbc.exe	37
PID 2748 wrote to memory of 3008	2748	vbc.exe	37
PID 1248 wrote to memory of 1484	1248	taskeng.exe	38
PID 1248 wrote to memory of 1484	1248	taskeng.exe	38
PID 1248 wrote to memory of 1484	1248	taskeng.exe	38
PID 1248 wrote to memory of 1484	1248	taskeng.exe	38
PID 1484 wrote to memory of 2316	1484	dfxzdg.exe	39
PID 1484 wrote to memory of 2316	1484	dfxzdg.exe	39
PID 1484 wrote to memory of 2316	1484	dfxzdg.exe	39
PID 1484 wrote to memory of 2316	1484	dfxzdg.exe	39
PID 1484 wrote to memory of 2316	1484	dfxzdg.exe	39
PID 1484 wrote to memory of 2316	1484	dfxzdg.exe	39
PID 1484 wrote to memory of 2316	1484	dfxzdg.exe	39
PID 1484 wrote to memory of 2316	1484	dfxzdg.exe	39
PID 1484 wrote to memory of 2316	1484	dfxzdg.exe	39
PID 1484 wrote to memory of 292	1484	dfxzdg.exe	40
PID 1484 wrote to memory of 292	1484	dfxzdg.exe	40
PID 1484 wrote to memory of 292	1484	dfxzdg.exe	40
PID 1484 wrote to memory of 292	1484	dfxzdg.exe	40
PID 1484 wrote to memory of 2868	1484	dfxzdg.exe	41
PID 1484 wrote to memory of 2868	1484	dfxzdg.exe	41
PID 1484 wrote to memory of 2868	1484	dfxzdg.exe	41
PID 1484 wrote to memory of 2868	1484	dfxzdg.exe	41
PID 292 wrote to memory of 2592	292	cmd.exe	44
PID 292 wrote to memory of 2592	292	cmd.exe	44
PID 292 wrote to memory of 2592	292	cmd.exe	44
PID 292 wrote to memory of 2592	292	cmd.exe	44
PID 2316 wrote to memory of 2844	2316	vbc.exe	45
PID 2316 wrote to memory of 2844	2316	vbc.exe	45
PID 2316 wrote to memory of 2844	2316	vbc.exe	45
PID 2316 wrote to memory of 2844	2316	vbc.exe	45

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1540
    3⤵
    - Program crash
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3446b3427eb52e09af7b7424d8bd6dc3.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2580

C:\Windows\system32\taskeng.exe
taskeng.exe {0D549D79-F389-44B7-BDDD-5247E42E860B} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
  C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1544
      4⤵
      Program crash
      PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:292
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe

Filesize
558KB

MD5
3446b3427eb52e09af7b7424d8bd6dc3

SHA1
780f36db6bdafed0966c2951e86142b43105f0f2

SHA256
0cc6f444f52c66cd955fa64184e8784b8ec735a0d8b2f1f4c060532fcd54e9f8

SHA512
7596395c37d037bff11dcf9e3f59039602b965c9cd36fedf344ef83dff3cce5c80aec345d4eaee4ecc2b5036b6a34473f7f31d3291d651baeddad762e5c7fbfe

Download Submit
memory/1484-23-0x0000000001140000-0x00000000011D2000-memory.dmp

Filesize
584KB

Download
memory/2316-33-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2364-19-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/2364-1-0x0000000001030000-0x00000000010C2000-memory.dmp

Filesize
584KB

Download
memory/2364-2-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2364-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/2364-20-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2748-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2748-15-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2748-16-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2748-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2748-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2748-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2748-5-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2748-9-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2748-24-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2748-3-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download