Snake Keylogger is a .NET-based malware that focuses on stealing credentials, keystrokes, screenshots, and clipboard data. The article walks through multi-stage unpacking, heavy obfuscation, runtime DLL loading, process hollowing for payload execution, persistence techniques, and multi-channel C2 communication. #SnakeKeylogger #MarsStealer #Chrome #Firefox #Keylogging #Clipboard #Screenshots
Keypoints
- Initial delivery via malicious documents, with the sample packed and unpacked through multiple stages.
- Stage 1 uncovers two suspicious resources (Rara3 and ResourceFallbackMana) used for the next unpacking stage and decrypts to a DLL.
- Stage 2 loads a heavily obfuscated DLL (MLan) and decrypts a payload through a sequence of function calls to reach the main stage.
- Stage 3 further obfuscates the IVectorView payload and ultimately spawns the main payload using process hollowing.
- Persistence is achieved via registry Run keys and a scheduled task, plus Defender exclusions to evade protection.
- Keylogging, screenshots, and clipboard data are captured on timers and exfiltrated via multiple C2 channels (FTP, SMTP, Telegram).
MITRE Techniques
- [T1055.012] Process Hollowing – The program creates a suspended child process, injects the Snake Keylogger payload, and resumes the child to run. “The program then creates a suspended child process and injects Snake Keylogger payload into the child process. It then resumes the child process to run.”
- [T1140] Deobfuscate/Decode Files or Information – Obfuscated components are decrypted to obtain payloads. “Decrypt the resource to get our main payload.”
- [T1053.005] Scheduled Task – Persistence via scheduled task creation. “"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwoHTfo" /XML "C:\Users\UserName\AppData\Local\Temp\tmp2BD2.tmp"”
- [T1547.001] Run Keys / Startup Folder – Autorun by registry key modification. “Snake adds itself to autorun by changing the registry key: HKCU\software\microsoft\windows\currentversion\run”
- [T1113] Screen Capture – Timed screenshots saved to a local folder. “When a screenshot is taken, it is saved to My Documents\SnakeKeylogger folder with the name Screenshot.png.”
- [T1115] Clipboard Data – Clipboard data collection via timers. “two Timers. One timer to collect system clipboard data by calling Clipboard.GetText()…”
- [T1056.001] Keylogging – Low-level keyboard input monitoring via a keyboard hook. “It calls API SetWindowsHookExA() to register a hook callback function this.ProcessKey() to monitor low-level keyboard input events.”
- [T1555.003] Credentials from Web Browsers – Steals credentials from multiple browsers/web apps. “Snake steals credentials from FTP clients, Email clients, Messengers, Browsers by static paths.”
- [T1071.001] Web Protocols / [T1071.003] Mail Protocols – C2 communications through FTP, SMTP, and Telegram. “three options for interacting with the C2” with data sent as attachments and via Telegram.
- [T1497] Virtualization/Sandbox Evasion – Anti-VM and anti-emulation checks. “anti-VM and persistence method, anti-emulation…”
- [T1105] Ingress Tool Transfer – Runtime loading of additional payloads/DLLs during unpacking. “Load a DLL at runtime” (demonstrates downloading/loading of secondary payloads during execution).
- [T1027] Obfuscated/Compressed Files and Information – Repeated emphasis on obfuscation of payloads prior to deployment. “The DLL IVectorView is heavily obfuscated”.
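The two persistence artefacts quoted above (a schtasks /Create whose task XML lives in the user's Temp folder, and a Run-key value pointing at an executable under AppData) are easy to match in endpoint telemetry. The following detector is an added example, not code from the original analysis; the Sysmon-style events are constructed here and the field names are an assumption about how your log pipeline normalises process-creation (EID 1) and registry-set (EID 13) records.

```python
import re

# Constructed sample telemetry (not from the original article). Two events mimic
# the Snake Keylogger persistence quoted above; two are benign look-alikes.
SAMPLE_EVENTS = [
    {"eid": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwoHTfo" '
                r'/XML "C:\Users\UserName\AppData\Local\Temp\tmp2BD2.tmp"'},
    {"eid": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jwoHTfo",
     "details": r"C:\Users\UserName\AppData\Roaming\jwoHTfo.exe"},
    # Benign: a task query, not a creation.
    {"eid": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"'},
    # Benign: Run-key value pointing into Program Files, not a user-writable path.
    {"eid": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

# schtasks /Create ... /XML <something>\Temp\tmpXXXX.tmp (the .NET TaskScheduler
# pattern: task definition written to a temp file, then registered from it).
SCHTASKS_XML_FROM_TEMP = re.compile(
    r"schtasks(\.exe)?\b.*?/create\b.*?/xml\b\s+\"?[^\"]*\\temp\\tmp[0-9a-f]+\.tmp", re.I)
# Any value written under the per-user Run key.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Autorun target living in a user-writable profile directory.
USER_WRITABLE_EXE = re.compile(r"\\appdata\\(roaming|local)\\[^\\]+\.exe\b", re.I)


def detect(events):
    """Return (technique_id, evidence) pairs for events matching either pattern."""
    hits = []
    for ev in events:
        if ev["eid"] == 1 and SCHTASKS_XML_FROM_TEMP.search(ev["cmdline"]):
            hits.append(("T1053.005", ev["cmdline"]))
        elif (ev["eid"] == 13 and RUN_KEY.search(ev["target"])
              and USER_WRITABLE_EXE.search(ev["details"])):
            hits.append(("T1547.001", ev["details"]))
    return hits


if __name__ == "__main__":
    for technique, evidence in detect(SAMPLE_EVENTS):
        print(technique, evidence)
```

Both patterns fire on legitimate software occasionally (updaters register tasks from temp XML too), so treat a hit as a triage lead and correlate with the parent process and the file hash of the autorun target.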
Indicators of Compromise
- [MD5] 96fe87fda1c50480609164fdfa7c56e1 – 2022_Exportlist.pdf.exe / jwoHTfo.exe
- [SHA-1] 548e2ae1da37cf3c58b1dc24b9020be915892412 – 2022_Exportlist.pdf.exe / jwoHTfo.exe
- [SHA-256] 605929594981dafbab968728e7a47ca70c6175e2b0c2394b1f6793145b338175 – 2022_Exportlist.pdf.exe / jwoHTfo.exe
- [Imphash] f34d5f2d4577ed6d9ceec516c1f5a744 – TRACEPROVIDERINSTANCEI.exe
- [SSDEEP] 12288:xo9C8+jXbW9qT9q0VOf/1hCCy51Y325l4+2HyIQfEzT2Ovn8UT/e6R+Ha3VG/VRC:xolCXKOnk9/O1Yel4HH1U+qrce6R+6l7 – TRACEPROVIDERINSTANCEI.exe
- [Filename] jwoHTfo.exe – C:\Users\UserName\AppData\Roaming\jwoHTfo.exe
- [Filename] MLang.dll (lolno.dll) – in-memory/load path shown in analysis
- [Filename] IVectorView.dll – in-memory/load path shown in analysis
- [Registry Key] HKCU\Software\Microsoft\Windows\CurrentVersion\Run – autorun entry used by Snake Keylogger
Read more: https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html#introduction