snakekeylogger | 63720cee53de8a33b4f221bbb0950e09d8eb5652beda60f99ed98165ebc447e2

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CTM BREAKDOWN.exe
Size

537KB
MD5

3e97c23c4c1c6f721c910c08e25a60cc
SHA1

d92304392377198b3b3cd95aa8de1572d75d7fb8
SHA256

4e2186d44f67e0ebc4ee9ecd68191b31849604930dd5babe6106e1e191b7874c
SHA512

6a2007d1a0660bb53f4a191b662241b8242e5e2e3ab6e220735da068cb69a6259465d2f5b5e533bdf3f4b36a7fde5edd75c4962afbb43edd8e39f151e2b3dbb5
SSDEEP

12288:/sdrEx695u8R6GfeZPrTxegfLiAUR0Jv/v+HLuSn:0drEsTu8kGfeZzTxegfmlUv/CLB

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.valleycountysar.org
Port:
587
Username:
[email protected]
Password:
DKw(r0%wpbd]

http://103.130.147.85

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

Processes:

resource	yara_rule
behavioral3/memory/3004-7-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral3/memory/3004-11-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral3/memory/3004-15-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral3/memory/3004-13-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral3/memory/3004-8-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2708 cmd.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

CTM BREAKDOWN.exe

description pid process target process

PID 2432 set thread context of 3004 2432 CTM BREAKDOWN.exe CTM BREAKDOWN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

CTM BREAKDOWN.exe

pid process

3004 CTM BREAKDOWN.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CTM BREAKDOWN.exe

description pid process

Token: SeDebugPrivilege 3004 CTM BREAKDOWN.exe

pid	process
2708	cmd.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 2432 set thread context of 3004	2432	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe

pid	process
3004	CTM BREAKDOWN.exe

description	pid	process
Token: SeDebugPrivilege	3004	CTM BREAKDOWN.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

CTM BREAKDOWN.exeCTM BREAKDOWN.execmd.exe

description	pid	process	target process
PID 2432 wrote to memory of 3004	2432	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 2432 wrote to memory of 3004	2432	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 2432 wrote to memory of 3004	2432	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 2432 wrote to memory of 3004	2432	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 2432 wrote to memory of 3004	2432	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 2432 wrote to memory of 3004	2432	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 2432 wrote to memory of 3004	2432	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 2432 wrote to memory of 3004	2432	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 2432 wrote to memory of 3004	2432	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 3004 wrote to memory of 2708	3004	CTM BREAKDOWN.exe	cmd.exe
PID 3004 wrote to memory of 2708	3004	CTM BREAKDOWN.exe	cmd.exe
PID 3004 wrote to memory of 2708	3004	CTM BREAKDOWN.exe	cmd.exe
PID 3004 wrote to memory of 2708	3004	CTM BREAKDOWN.exe	cmd.exe
PID 2708 wrote to memory of 2540	2708	cmd.exe	choice.exe
PID 2708 wrote to memory of 2540	2708	cmd.exe	choice.exe
PID 2708 wrote to memory of 2540	2708	cmd.exe	choice.exe
PID 2708 wrote to memory of 2540	2708	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\CTM BREAKDOWN.exe
"C:\Users\Admin\AppData\Local\Temp\CTM BREAKDOWN.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\AppData\Local\Temp\CTM BREAKDOWN.exe
"C:\Users\Admin\AppData\Local\Temp\CTM BREAKDOWN.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\CTM BREAKDOWN.exe"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2432-0-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

Filesize
4KB

Download
memory/2432-1-0x0000000001060000-0x00000000010EC000-memory.dmp

Filesize
560KB

Download
memory/2432-2-0x0000000000530000-0x0000000000584000-memory.dmp

Filesize
336KB

Download
memory/2432-3-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-4-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/2432-18-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-15-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3004-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3004-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3004-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3004-8-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3004-5-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3004-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3004-16-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-17-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3004-19-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-20-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-21-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download