snakekeylogger | 01cccbd3a723331004dbf8de510380d5c328b8f3d8ae936fb4b9dd4f6259e532

General

Target

JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
Size

415KB
MD5

d693f58558538c9e8daf36fbd374db55
SHA1

25f77f246f27956647f2d4ddab85da100431d129
SHA256

01cccbd3a723331004dbf8de510380d5c328b8f3d8ae936fb4b9dd4f6259e532
SHA512

dc6cc23407f4a25645704202e6b81dd092a972bd7c5123612fed9d3bfc57823534ad443c036f70f1e843891b3dc7f977f002561de2292f2ea7fd1dda8f1e68cb
SSDEEP

6144:YtgFVwrhUEz+16Uqd2GhN+qQcIkG5we2oXitAQ1CZu6GxOeUQuKrDxl16Fw:Ytgw7z+sUi2iNtfdMityZ79dQuktlIF

Score

10^/10

snakekeylogger discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendMessage?chat_id=1063661839

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/2784-10-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2784-16-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2784-20-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2784-18-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2784-12-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org
8	freegeoip.app
9	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 784 set thread context of 2784	784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2744	2784	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 2784	784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe	31
PID 784 wrote to memory of 2784	784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe	31
PID 784 wrote to memory of 2784	784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe	31
PID 784 wrote to memory of 2784	784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe	31
PID 784 wrote to memory of 2784	784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe	31
PID 784 wrote to memory of 2784	784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe	31
PID 784 wrote to memory of 2784	784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe	31
PID 784 wrote to memory of 2784	784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe	31
PID 784 wrote to memory of 2784	784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe	31
PID 2784 wrote to memory of 2744	2784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe	32
PID 2784 wrote to memory of 2744	2784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe	32
PID 2784 wrote to memory of 2744	2784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe	32
PID 2784 wrote to memory of 2744	2784	JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d693f58558538c9e8daf36fbd374db55.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1584
    3⤵
    - Program crash
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-22-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/784-1-0x00000000013E0000-0x000000000144E000-memory.dmp

Filesize
440KB

Download
memory/784-2-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/784-3-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/784-4-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

Filesize
4KB

Download
memory/784-5-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/784-6-0x0000000001370000-0x00000000013B8000-memory.dmp

Filesize
288KB

Download
memory/784-0-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

Filesize
4KB

Download
memory/2784-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2784-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2784-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-18-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2784-20-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2784-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2784-9-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2784-8-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2784-21-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-23-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-24-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-25-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing