Analyzing Snake Keylogger in ANY.RUN:
a Full Walkthrough

Emails are a common communication method but also a major vector for cyber threats. They can deliver everything from scams and data theft to malware. Unfortunately, one bad email can lead to financial loss, reputational damage, and even escalate into broader system compromise.

To bolster email security, it’s essential to understand the types of attacks you’re up against. This blog post dives into a real-world example featuring a Snake Keylogger attachment.

Let’s dive right into it!

Overview of the Snake Keylogger 

The Snake Keylogger is an infostealer malware written in the .NET programming language. It was discovered in November 2020 and is also known as the 404 Keylogger, 404KeyLogger, and Snake. 

The Snake Keylogger steals various information from the victim, such as saved credentials, clipboard data, keystrokes, and screenshots of the victim’s screen. 

This malware also checks and collects the system information, which includes the system’s hostname, username, IP address, geolocation, date and time, and more. It then exfiltrates the collected information through protocols such as FTP, SMTP, and Telegram.

More information on the Snake Keylogger and its trends can be found in ANY.RUN’s Malware Trends.

Sample Collection and Preparation for Analysis

Let’s first look at the sample collection method and environment setup.

In ANY.RUN’s Public Submissions, the following filters were applied,

• OBJECT > “Email Files”
• VERDICT > “Malicious”

“32b4f238-3516-b261-c3ae-0c570d22ee18.eml” was selected for analysis. This file had the following attributes:

• SHA1 hash of “1D17DD1688A903CBE423D8DE58F8A7AB7ECE1EA5”
• MIME type of “message/rfc822”
• RFC 822 mail, UTF-8 Unicode text, with very long lines, with CRLF line terminators

The sample can be downloaded with “Download”, and submitted for analysis in ANY.RUN sandbox using “Submit to Analyze” button:

A new ANY.RUN task was created for this sample with the following setup:

The ANY.RUN task for this file can be found here.

Analyzing the Email

Goal of this step: In this section, we’ll explore the email body, header, and social engineering tactics.

Opening “32b4f238-3516-b261-c3ae-0c570d22ee18.eml” on Windows 11’s Microsoft Outlook showed the email contents:

The email body shows the sender attempting to convince the recipient to download and open the email attachment by referencing the “client”. The email signature makes references to a Customs Clearing Agency in Bolivia and uses the BMW Group’s Logo, suggesting that the sender was attempting to exploit familiarity. Familiarity Exploitation is a social engineering tactic where one pretends to be an entity that is familiar to the target. 

The email headers can reveal key information and are useful when analyzing the legitimacy of the email. It is crucial to analyze the SPF and DKIM information when attempting to determine an email’s legitimacy.

• SPF (Sender Policy Framework) is a DNS record that is used to verify the legitimacy of email senders. The email recipient’s server checks the SPF record of the sender’s domain to verify they are an approved sender.

• DKIM (DomainKeys Identified Mail) is an email authentication method used to verify the authenticity and integrity of the email. A digital signature is added to the email’s header, which is generated by the sender’s server with a private key. This is verified by the recipient’s server with a public key published in the sender’s DNS records.

The email header reveals that the SPF failed, where the sender IP was IP 45[.]227.X.34. The header mentions “[GREEN].com[.]bo does not designate IP 45[.]227.X.34 as permitted sender”. Also, there was no DKIM and DMARC, and the message was not signed:

The IP address 45[.]227.X.34 is associated with these domains (hidden with purple and blue markers for confidentiality reasons). According to VirusTotal, it appears to be a security company in Argentina:

The email header shows the authenticated sender, which was “cobranzas@[PURPLE].com.ar”.

The email header also revealed the User-Agent, which was “Roundcube Webmail/1.4.2”. Roundcube Webmail is a free and open-source webmail software.

What did we learn from the header?

It indicates that this email was most likely not legitimate. The contents of the email and the sender’s email address suggest that it was attempting to impersonate a company in Bolivia that provides brokering and insurance services. Additionally, it utilized social engineering tactics to convince the recipient to download and open the attachment.

Analyzing the Behaviour of the Attachment 

Goal of this step: In this section, we’ll explore the behavioral analysis of the email’s attachment on Windows 11 and examine the involved files.

A file called “pago 4094.r09” is attached to this email, with the following attributes:

• SHA1 hash of “CF13DF73EFF74B9CEB6D837C1D7CC9D01FE918DB”
• MIME type of “application/x-rar”
• RAR archive data, v5

Downloading and opening “pago 4094.r09” in WinRAR shows the existence of an Application called “pago 4094.exe”:

Extracting “pago 4094.exe” onto the Desktop reveals that it uses the Yahoo! Buzz Icon. Yahoo! Buzz is a community-based news article website.

The properties tell us that the original filename was “mKkHQ.exe”, and had the copyright “QBuzz 2011”:

This executable “pago 4094.exe” has the following attributes:

• SHA1 hash of “A663C9ECF8F488D6E07B892165AE0A3712B0E91F”
• MIME type of “application/x-dosexec”
• PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Saving credentials in browsers

Before executing “pago 4094.exe”, various fake credentials were purposefully saved onto Browsers like Chrome and Microsoft Edge. This was done to observe the malware’s credential-stealing behavior.

Once the fake credentials were saved onto the Browsers, “pago 4094.exe” was executed by double-clicking “pago 4094.exe” on the Desktop.

Getting into the execution flow

Around 30 seconds after executing “pago 4094.exe”, the executable file disappears from the Desktop. A child process “C:\Users\admin\Desktop\pago 4094.exe” is created, and an executable file “C:\Users\admin\AppData\Local\Temp\tmpG484.tmp” is dropped. The dropping of the .tmp file is done to secure persistence on the victim machine.

Now, the Snake Keylogger is running silently in the background. From the Windows User’s perspective, nothing alarming happens.

Analyzing the Processes

Goal of this section: We’ll explore the analysis of processes associated with the Snake Keylogger.

Process 1112 and its child process 3868, are key processes involved in the malicious activities:

Detailed look at the process 1112

Process 1112 was detected as 100/100 Malicious under the Threat Verdict. It can be observed querying registries, performing system information discoveries, checking LSA protection, dropping another application, etc. This process ran for a total of 48.9 seconds.

Registry changes were seen for Process 1112, and the following Write Operations were conducted:

Process 1112 also created a new file with the MIME type of “text/plain”, called “pago 4094.exe.log” under “C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\”:

The contents of “pago 4094.exe.log” contained references to System.Windows.Forms, System.Drawing, etc. which are associated with .NET API. It also contained PublicKeyToken values:

Detailed look at the process 3868

Process 3868 plays a significant role in this malware. This process started at 287.76 seconds and ran all the way until the end. It steals credentials from browsers and files and sends these stolen credentials over SMTP: 

The indicators for this process included “Known Threat”, “Connects to the network”, “Executable file was dropped”, “Actions similar to stealing personal data”, “Behavior similar to spam”, “The process has the malware config”, and “The module has a process dump.”

It was detected as Snake Keylogger, where the destination IP was 158.101.44[.]242, with a destination port of 80. This IP is associated with checkip.dyndns[.]com, and we will explore it in detail in the next section, Analyzing the Network Information.

Process 3868 drops “C:\Users\admin\AppData\Local\Temp\tmpG484.tmp”. This has an MD5 hash of 1A0F4CC0513F1B56FEF01C815410C6EA, which is the same as the MD5 hash for the original executable file “pago 4094.exe”. This is done to achieve persistence on the victim machine.

Analyzing the Network Activities

Section goal: In this section, we’ll explore the network activities associated with the Snake Keylogger and examine the packet capture (PCAP) file in detail.

Process 3868, “pago 4094.exe”, attempted to retrieve external IP addresses with checkip.dyndns[.]org as shown in the Threats Tab:

It was seen connecting to 158.101.44[.]242 on port 80. This IP was associated with checkip.dyn… according to VirusTotal: 

The host checkip.dyndns[.]org is associated with IP checking. According to Dyn, “CheckIP will return the remote socket’s IP address. If a client sends a Client-IP or a X-Forwarded-For HTTP header, CheckIP will return that value instead.”

The packet capture (PCAP) file was downloaded for further analysis. The following filter was applied on the PCAP in Wireshark. 

ip.dst == 158.101.44.242 || ip.src == 158.101.44.242

This is done to check for packets where the destination or source IP was 158.101.44[.]242.

Following the TCP stream revealed that it checked the current IP with checkip[.]dyndns.org, which was 45.130.136[.]51:

A Network trojan was detected for process 3868, “pago 4094.exe” under the Threats tab:

A Snake Keylogger Exil via SMTP was observed, where the destination IP was 208.91.199[.]255 and the destination port was 587. SMTP on port 587 is a secure and authenticated method for sending emails from email clients to email servers. It typically uses STARTTLS or TLS/SSL for encryption.

Applying the smtp filter on the PCAP in Wireshark showed the data exfiltration taking place over SMTP:

Following the TCP stream revealed the SMTP Authentication taking place. The email address used to send the stolen information was likely hacked by malicious actors. According to OSINT, the hacked email address belonged to a physical security company in South America.

The same is confirmed in the PCAP:

The email has an attachment called “Passwords.txt”, which contains the stolen information. The contents of “Passwords.txt” are in Base64 inside the PCAP as shown:

The email has another attachment called “User.txt”, which also contains the stolen information. The contents of “User.txt” are also in Base64 inside the PCAP:

Decoding the contents of “Passwords.txt

Decoding the contents of “Passwords.txt” from Base64 on CyberChef reveals that it contained the computer name (“DESKTOP-BFTPUHP”), the date and time (8/4/2023 4:43:13 PM), IP address (45.130.136[.]51). It also contained the fake credentials that were saved onto Google Chrome and Microsoft Edge:

Decoding the contents of “User.txt” from Base64 on CyberChef resulted in something similar to “Passwords.txt”, though it did not contain null bytes, and was in a more human-readable format:

MITRE ATT&CK

Section goal: In this section, we’ll explore the MITRE ATT&CK for the Snake Keylogger and examine the involved Tactics and Techniques.

The MITRE ATT&CK Matrix for this Snake Keylogger includes five Tactics, namely Initial Access, Execution, Credential Access, Discovery, and Command and Control (C & C).

MITRE ATT&CK: Initial Access 

Firstly, the phishing email “32b4f238-3516-b261-c3ae-0c570d22ee18.eml” entices the recipient to download and open the attachment via social engineering (as seen in Analyzing the Email). The email has a RAR archive attachment “pago 4094.r09”, which contains an executable file “pago 4094.exe”.

The technique here is T1566 (Phishing), and the subtechnique is T1566.001 (Phishing: Spearphishing Attachment).

MITRE ATT&CK: Execution 

The “pago 4094.exe”, namely process 1112, is manually executed by the user. In this case, “pago 4094.exe” was executed by double-clicking the Desktop icon.

The technique here is T1204 (User Execution), and the subtechnique is T1204.002 (User Execution: Malicious File).

MITRE ATT&CK: Credential Access 

Process 3868 attempted to steal credentials from web browsers and files. The technique here is T1555 (Credentials from Password stores), and the subtechnique is T1555.003 (Credentials from Password Stores: Credentials from Web Browsers).

It is also technique T1552 (Unsecured Credentials), and the subtechnique is T1552.001 (Unsecured Credentials: Credentials In Files).

Process 3868 attempted “FILE_READ_ATTRIBUTES” access on files associated with browsers under the “C:\Users\admin\AppData\Local\…” and  “C:\Users\admin\AppData\Roaming\…” directory.

Before executing “pago 4094.exe”, fake credentials were saved in Google Chrome and Microsoft Edge.

Thus, process 3868 attempted the following accesses on files related to Google Chrome, which were in “C:\USERS\ADMIN\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOGIN DATA” and “C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State”:

• FILE_READ_ATTRIBUTES
• READ_CONTROL
• SYNCHRONIZE
• FILE_READ_DATA
• FILE_READ_EA
• FILE_READ_ATTRIBUTES

This process also attempted these accesses on files related to Microsoft Edge, which were in “C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data” and “C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Local State”:

MITRE ATT&CK: Discovery

Processes 1112 and 3868 attempts to query the registry. The registry contains a lot of crucial system information, such as OS, configuration, software, and security. The technique here is T1012 (Query Registry).

The processes attempted the following:

Process 1112 and 3868 attempts to discover system information, and tries to gather crucial system information. The technique here is T1082 (System Information Discovery).

There are overlaps between this and the previous subtechnique T1012:

Process 3868 attempts to discover installed software, and it attempted to access various locations associated with Browsers. The technique here is T1518 (Software Discovery).

Process 3868 attempts to discover the system network configuration. It checked for external IP, where the destination IP was 158.101.44[.]242 and the destination port was 80. The technique here is T1016 (System Network Configuration Discovery).

MITRE ATT&CK: C&C

Process 3868 then communicates with the application layer protocol. Due to the existing background traffic, communication using the application layer protocols may fly under the radar. It was seen connecting to the SMTP port 587, where the destination IP was 208.91.199[.]225.

The technique here is T1071 (Application Layer Protocol), and the subtechnique is T1071.003 (Application Layer Protocol: Mail Protocols).

Finally, the malware configuration for the Snake Keylogger can be seen in ANY.RUN’s Malware Configuration:

Conclusion

This analysis showed how a single malicious email can lead to multiple security risks, including financial and reputational damage. We used various techniques like email and attachment analysis, process and network analysis, and applied the MITRE ATT&CK.

The focus was on an email with a Snake Keylogger attachment. It collects system info, establishes persistence, steals credentials, and exfiltrates data.

Given that emails remain a top threat vector often exploiting human error, staying vigilant against email threats is crucial.

About ANY.RUN

ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.  

Request a demo today and enjoy 14 days of free access to our Enterprise plan.   

Request demo →  

Appendix 1: IOCs

Analyzed files:

Connections:

• 158.101.44[.]242・ checkip.dyndns[.]org
• 208.91.199[.]255・us2.smtp.mailhostbox[.]com

Appendix 2: MITRE MATRIX