snakekeylogger | 4995d93769866b4ac6e5f3b549ce0406f8fe2cc7e1c8724d3130193da6723c62

General

Target

JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe
Size

461KB
MD5

478be5314f4b786f9ec75b2f86505743
SHA1

bb53424b79bdab45985441072ccf65a9f999b4d0
SHA256

4995d93769866b4ac6e5f3b549ce0406f8fe2cc7e1c8724d3130193da6723c62
SHA512

37793b7ec135e629378e8091acea6a26623f8c46e17bddb37bf3e05d58f289a683ee45bc782698268851586bdf10d040bd9e4aae84f2fe1067a6251f2a11abd1
SSDEEP

6144:WGxhLzI5Pv0C1VG51XsFtxF+onRfO3txTA+PXwQ08Rbs79RpzcALh:/sJXV0XsXxFBRfIAuAQ08cXpFL

Score

10^/10

snakekeylogger discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
gwen@sovartrade.com
Password:
iwRaBVG6
Email To:
gwen@sovartrade.com

C2

https://api.telegram.org/bot2043981125:AAGaa5K6uc5rV5LARENbXhpoD0InPrKgKJI/sendMessage?chat_id=2062013058

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/2104-15-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2104-18-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2104-20-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2104-22-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2104-14-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	freegeoip.app
9	freegeoip.app
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2468 set thread context of 2104	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3028	2104	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe
2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe
2104	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe
Token: SeDebugPrivilege	2104	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2656	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	31
PID 2468 wrote to memory of 2656	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	31
PID 2468 wrote to memory of 2656	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	31
PID 2468 wrote to memory of 2656	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	31
PID 2468 wrote to memory of 2936	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	32
PID 2468 wrote to memory of 2936	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	32
PID 2468 wrote to memory of 2936	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	32
PID 2468 wrote to memory of 2936	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	32
PID 2468 wrote to memory of 2104	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	34
PID 2468 wrote to memory of 2104	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	34
PID 2468 wrote to memory of 2104	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	34
PID 2468 wrote to memory of 2104	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	34
PID 2468 wrote to memory of 2104	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	34
PID 2468 wrote to memory of 2104	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	34
PID 2468 wrote to memory of 2104	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	34
PID 2468 wrote to memory of 2104	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	34
PID 2468 wrote to memory of 2104	2468	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	34
PID 2104 wrote to memory of 3028	2104	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	35
PID 2104 wrote to memory of 3028	2104	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	35
PID 2104 wrote to memory of 3028	2104	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	35
PID 2104 wrote to memory of 3028	2104	JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jtsOiKjhRiWfu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B9F.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2656
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe"
  2⤵
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1584
    3⤵
    - Program crash
    PID:3028

Network

DNS

checkip.dyndns.org

JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe

Remote address:

8.8.8.8:53

Request

checkip.dyndns.org

IN A

Response

checkip.dyndns.org

IN CNAME

checkip.dyndns.com

checkip.dyndns.com

IN A

158.101.44.242

checkip.dyndns.com

IN A

193.122.130.0

checkip.dyndns.com

IN A

132.226.247.73

checkip.dyndns.com

IN A

193.122.6.168

checkip.dyndns.com

IN A

132.226.8.169
GET

http://checkip.dyndns.org/

JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe

Remote address:

158.101.44.242:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 07 Jan 2025 02:09:32 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 62b374b0e291df1a980a54710e39798e
GET

http://checkip.dyndns.org/

JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe

Remote address:

158.101.44.242:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 07 Jan 2025 02:09:35 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1d64b93de3c5e87b5892a217b55b2513
DNS

freegeoip.app

JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe

Remote address:

8.8.8.8:53

Request

freegeoip.app

IN A

Response

freegeoip.app

IN A

104.21.73.97

freegeoip.app

IN A

172.67.160.84
GET

https://freegeoip.app/xml/181.215.176.83

JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe

Remote address:

104.21.73.97:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: freegeoip.app
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 07 Jan 2025 02:09:38 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 07 Jan 2025 03:09:38 GMT
Location: https://ipbase.com/xml/181.215.176.83
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9tAlJLP4B9Ju76ftZPZOB4IKukFgnK%2BAMwyAXASdVTngfU5C2UPZ%2BRASdOTlxlXZ45wa57d2IMLDR77l6erD9Gi8Fy%2Fk75TJzMePfy6XZJpXzEOXMCdK5AQ3cczhkCci"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe068259e3c9547-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27051&min_rtt=26370&rtt_var=8761&sent=6&recv=8&lost=0&retrans=1&sent_bytes=2905&recv_bytes=368&delivery_rate=128967&cwnd=238&unsent_bytes=0&cid=d01e8fd0baf3527a&ts=345&x=0"
DNS

ipbase.com

JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe

Remote address:

8.8.8.8:53

Request

ipbase.com

IN A

Response

ipbase.com

IN A

172.67.209.71

ipbase.com

IN A

104.21.85.189

158.101.44.242:80

http://checkip.dyndns.org/

http

JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe

594 B
858 B
7
5

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200
104.21.73.97:443

https://freegeoip.app/xml/181.215.176.83

tls, http

JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe

822 B
4.3kB
10
8

HTTP Request

GET https://freegeoip.app/xml/181.215.176.83

HTTP Response

301
172.67.209.71:443

ipbase.com

tls

JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe

859 B
8.0kB
11
14

8.8.8.8:53

checkip.dyndns.org

dns

JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe

64 B
176 B
1
1

DNS Request

checkip.dyndns.org

DNS Response

158.101.44.242

193.122.130.0

132.226.247.73

193.122.6.168

132.226.8.169
8.8.8.8:53

freegeoip.app

dns

JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe

59 B
91 B
1
1

DNS Request

freegeoip.app

DNS Response

104.21.73.97

172.67.160.84
8.8.8.8:53

ipbase.com

dns

JaffaCakes118_478be5314f4b786f9ec75b2f86505743.exe

56 B
88 B
1
1

DNS Request

ipbase.com

DNS Response

172.67.209.71

104.21.85.189

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2104-23-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2104-28-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-27-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-26-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-25-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-14-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2104-15-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2104-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2104-18-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2104-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2104-22-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2104-20-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2468-6-0x0000000005180000-0x00000000051CA000-memory.dmp

Filesize
296KB

Download
memory/2468-1-0x00000000002C0000-0x000000000033A000-memory.dmp

Filesize
488KB

Download
memory/2468-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

Filesize
4KB

Download
memory/2468-24-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/2468-5-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/2468-4-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

Filesize
4KB

Download
memory/2468-3-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2468-2-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.