snakekeylogger | ee344829b2ce25fc5bc242f1bb747cd201f4c7e9ef10d1e98c556110419197ab

General

Target

JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe
Size

630KB
MD5

60100f98d7ccafbbe110e377ae3e17c2
SHA1

6aa77517f474e945f81db1df8b45bea5e8917593
SHA256

ee344829b2ce25fc5bc242f1bb747cd201f4c7e9ef10d1e98c556110419197ab
SHA512

2e78bbdecf8911c832bce5e50d34da4c3b0f26616e98f49d60b2373b9849eca0ae1722be36f672e930ff79b5764fe4acbb1e03c9dce8cbfd242f87dbe387a06e
SSDEEP

12288:HkqhQKetZiE5xkfEikfxxluSNuEuJIz15p5uvZcy8jJ4xzVq/:hLeSQbfvuEcIt

Score

10^/10

snakekeylogger discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
iwRaBVG6
Email To:
[email protected]

C2

https://api.telegram.org/bot1649974165:AAEw6GzBFS7fcRG392_tbbCihTBzve7azV0/sendMessage?chat_id=1684569143

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/4860-11-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	checkip.dyndns.org
33	freegeoip.app
34	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3572 set thread context of 4860	3572	JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2180	4860	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4860	JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4860	JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 4860	3572	JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe	91
PID 3572 wrote to memory of 4860	3572	JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe	91
PID 3572 wrote to memory of 4860	3572	JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe	91
PID 3572 wrote to memory of 4860	3572	JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe	91
PID 3572 wrote to memory of 4860	3572	JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe	91
PID 3572 wrote to memory of 4860	3572	JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe	91
PID 3572 wrote to memory of 4860	3572	JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe	91
PID 3572 wrote to memory of 4860	3572	JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1780
    3⤵
    - Program crash
    PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4860 -ip 4860
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JaffaCakes118_60100f98d7ccafbbe110e377ae3e17c2.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/3572-4-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3572-7-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/3572-3-0x0000000007870000-0x0000000007902000-memory.dmp

Filesize
584KB

Download
memory/3572-0-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/3572-9-0x0000000009330000-0x00000000093CC000-memory.dmp

Filesize
624KB

Download
memory/3572-6-0x0000000007A40000-0x0000000007A4E000-memory.dmp

Filesize
56KB

Download
memory/3572-2-0x0000000007D40000-0x00000000082E4000-memory.dmp

Filesize
5.6MB

Download
memory/3572-8-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3572-5-0x0000000004E00000-0x0000000004E0A000-memory.dmp

Filesize
40KB

Download
memory/3572-10-0x0000000008BF0000-0x0000000008C38000-memory.dmp

Filesize
288KB

Download
memory/3572-15-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3572-1-0x0000000000A60000-0x0000000000B04000-memory.dmp

Filesize
656KB

Download
memory/4860-14-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/4860-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4860-16-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/4860-17-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing