{"id":5924,"date":"2023-10-05T06:21:02","date_gmt":"2023-10-05T06:21:02","guid":{"rendered":"\/cybersecurity-blog\/?p=5924"},"modified":"2023-10-05T09:14:08","modified_gmt":"2023-10-05T09:14:08","slug":"analyzing-snake-keylogger","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/","title":{"rendered":"Analyzing Snake Keylogger in ANY.RUN: <br>a Full Walkthrough"},"content":{"rendered":"\n<p>Emails are a common communication method but also a major vector for cyber threats. They can deliver everything from scams and data theft to malware. Unfortunately, one bad email can lead to financial loss, reputational damage, and even escalate into broader system compromise.<\/p>\n\n\n\n<p>To bolster email security, it&#8217;s essential to understand the types of attacks you&#8217;re up against. This blog post dives into a real-world example featuring a Snake Keylogger attachment.<\/p>\n\n\n\n<p>Let&#8217;s dive right into it!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overview of the Snake Keylogger&nbsp;<\/h2>\n\n\n\n<p>The Snake Keylogger is an infostealer malware written in the .NET programming language. It was discovered in November 2020 and is also known as the 404 Keylogger, 404KeyLogger, and Snake.&nbsp;<\/p>\n\n\n\n<p>The Snake Keylogger steals various information from the victim, such as saved credentials, clipboard data, keystrokes, and screenshots of the victim\u2019s screen.&nbsp;<\/p>\n\n\n\n<p>This malware also checks and collects the system information, which includes the system\u2019s hostname, username, IP address, geolocation, date and time, and more. 
It then <a href=\"https:\/\/any.run\/malware-trends\/snakekeylogger#:~:text=Snake%20is%20a%20modular%20keylogger,screen%20captures%2C%20and%20login%20credentials\">exfiltrates the collected information<\/a> through protocols such as FTP, SMTP, and Telegram.<\/p>\n\n\n\n<p>More information on the Snake Keylogger and its trends can be found in <a href=\"https:\/\/any.run\/malware-trends\/snakekeylogger\">ANY.RUN\u2019s Malware Trends<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Sample Collection and Preparation for Analysis<\/h2>\n\n\n\n<p>Let\u2019s first look at the sample collection method and environment setup.<\/p>\n\n\n\n<p>In <a href=\"https:\/\/app.any.run\/submissions\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=snakekeylogger&amp;utm_content=publicsubmissions\">ANY.RUN\u2019s Public Submissions<\/a>, the following filters were applied,<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OBJECT &gt; \u201cEmail Files\u201d<\/li>\n\n\n\n<li>VERDICT &gt; \u201cMalicious\u201d<\/li>\n<\/ul>\n\n\n\n<p>\u201c32b4f238-3516-b261-c3ae-0c570d22ee18.eml\u201d was selected for analysis. 
This file had the following attributes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SHA1 hash of \u201c1D17DD1688A903CBE423D8DE58F8A7AB7ECE1EA5\u201d<\/li>\n\n\n\n<li>MIME type of \u201cmessage\/rfc822\u201d<\/li>\n\n\n\n<li>RFC 822 mail, UTF-8 Unicode text, with very long lines, with CRLF line terminators<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/gSwHivWysRj82w89pxVxZ1wfwOOsf8UdwV3szMPkUJXmulCJu-ed5YP5GUVDkBuZTmfsQglFHH_PXP_J9vdY9mNVzGU2EqF-uPkbNnkPm03Fj9PEGhOcabzkayoy45obiV9kWjyIiRruwMylvl07c3k\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The Filters used to find Malicious Email Files in ANY.RUN\u2019s Public submissions<\/figcaption><\/figure><\/div>\n\n\n<p>The sample can be downloaded with \u201cDownload\u201d, and submitted for analysis in ANY.RUN sandbox using \u201cSubmit to Analyze\u201d button:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/3HS9qBv3gd8afOP48KVx0805tz3VyT-Z0rvwiiPqhw--1oxnkqCcqfIXmofFDcw3wIClveyPcfn166fCVFhuPl5PLjv-CB26KAdTpaPXlroNlbIfOq1x7EJJZ165O1JDwTDYWePT1YK5VnmjSc8Sq98\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The overview of \u201c32b4f238-3516-b261-c3ae-0c570d22ee18.eml\u201d in <em>Static Discovering<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>A new ANY.RUN task was created for this sample with the following setup:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/fAERJ5dYpJpua1HCLZiMKwLrv7ve-ON8IUPdtgWJAeiWLCOHz-5Z4L9ZIs_lLazj1TnjiWfV7oeLV5pnMui7PXbhsFSuFJ0eZe6gDoSHcO0ratwlgXCQeYET1GKWd6dfjNxoA6gKbq9Zmd1eyTrUolo\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Creation of a New Task, and the setup used for the analysis<\/figcaption><\/figure><\/div>\n\n\n<p>The ANY.RUN task for this file can be found <a 
href=\"https:\/\/app.any.run\/tasks\/4b3a6bbc-e8fa-4ec6-9d35-9f779b715131\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=snakekeylogger&amp;utm_content=task\">here<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analyzing the Email<\/h2>\n\n\n\n<p><strong>Goal of this step: <\/strong>In this section, we&#8217;ll explore the email body, header, and social engineering tactics.<\/p>\n\n\n\n<p>Opening \u201c32b4f238-3516-b261-c3ae-0c570d22ee18.eml\u201d on Windows 11\u2019s Microsoft Outlook showed the email contents:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/LG5fVH9h0I1_zBzg3m3Cv32Mjne_mxd-_AD2g6oqnAIyYQMmMD6-C272_7C51hQQdqGPrZDCKdwUtg6om2kEzFA_rOLVpEnnocH-n1FWxQ2eP8FoDEzcNrC9HPvTbCIiJRKJJI4pUDXN8PpnCehowCU\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Opening the email file on Windows 11\u2019s Microsoft Outlook<\/figcaption><\/figure><\/div>\n\n\n<p>The email body shows the sender attempting to convince the recipient to download and open the email attachment by referencing the \u201cclient\u201d. The email signature makes references to a Customs Clearing Agency in Bolivia and uses the BMW Group\u2019s Logo, suggesting that the sender was attempting to exploit familiarity. Familiarity Exploitation is a social engineering tactic where one pretends to be an entity that is familiar to the target.&nbsp;<\/p>\n\n\n\n<p>The email headers can reveal key information and are useful when analyzing the legitimacy of the email. It is crucial to analyze the SPF and DKIM information when attempting to determine an <a href=\"https:\/\/www.cloudflare.com\/en-gb\/learning\/email-security\/dmarc-dkim-spf\/\">email\u2019s legitimacy<\/a>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SPF (Sender Policy Framework) is a DNS record that is used to verify the legitimacy of email senders. 
The email recipient&#8217;s server checks the SPF record of the sender&#8217;s domain to verify they are an approved sender.<\/li>\n\n\n\n<li>DKIM (DomainKeys Identified Mail) is an email authentication method used to verify the authenticity and integrity of the email. A digital signature is added to the email\u2019s header, which is generated by the sender\u2019s server with a private key. This is verified by the recipient\u2019s server with a public key published in the sender\u2019s DNS records.<\/li>\n<\/ul>\n\n\n\n<p>The email header reveals that the SPF check failed for the sender IP 45[.]227.X.34. The header mentions \u201c[GREEN].com[.]bo does not designate IP 45[.]227.X.34 as permitted sender\u201d. Also, there were no DKIM or DMARC results, and the message was not signed:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/czvJ_0jLUAprSUNl8KstQ5noZG6lP7Q3dRA26TuKbz7pZ74KE_neaNY8BtJK6lbub97ggWCG59iHovohvCTSP5UsFPZNTQ8B2H75HiOVUsHy0NVrAAhCRUWv1VtLEUQfseVzsjiM1zMNJiOmq_4e6LQ\" alt=\"\"\/><figcaption class=\"wp-element-caption\">A section of the sample email\u2019s header shows the SPF, DKIM, and DMARC information<\/figcaption><\/figure><\/div>\n\n\n<p>The IP address 45[.]227.X.34 is associated with these domains (hidden with purple and blue markers for confidentiality reasons). 
According to <a href=\"https:\/\/www.virustotal.com\/\">VirusTotal<\/a>, it appears to be a security company in Argentina:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/NOSyI_ylG4wbB98EQP4c4mmwx9-vs96F7rs0h5jCG57llBcY1UlicWXEAAv1E4giH10aprqc3ojjaokLRevbdYGYKCnIiaUJV7mlcy0qhX_GUn4YTCzJUDXmWu-VGOpyo81VwsQXVcjrSKKlCrPt5Rc\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Looking up the IP address 45[.]227.X.34 on VirusTotal<\/figcaption><\/figure><\/div>\n\n\n<p>The email header shows the authenticated sender, which was \u201ccobranzas@[PURPLE].com.ar\u201d.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/LsVma1NST4Wvkmgh3Nf1J9z-_TsyzjINL3pIjZsZvNTUsdFnF9foejyyr2riSp10qB5ct-JqHFX6aPy-5js0MCzQOTfeHTAQBvSMd7v2wJul3yueEL5SNZaMq6tRHDNDWyVaJWsO4oWEqNHzVkJCGyU\" alt=\"\"\/><figcaption class=\"wp-element-caption\">A section of the sample email\u2019s header shows the authenticated sender<\/figcaption><\/figure><\/div>\n\n\n<p>The email header also revealed the User-Agent, which was \u201cRoundcube Webmail\/1.4.2\u201d. <a href=\"https:\/\/roundcube.net\/\"><em>Roundcube Webmail<\/em><\/a> is a free and open-source webmail software.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/VGjljveM3Ihwc82uuiDgJOsn2gb-9F8Hd4iX-HQ7JQdFnW3WRddCQm5HB-aQpoWWHlxw7A46gCajvYCWFM7YG3P6JS9E5bkhvNAiCHu9JRFMf11CKHDKbh6hMswXmFQhPKImI71ROMkPGaKiYo3E5-E\" alt=\"\"\/><figcaption class=\"wp-element-caption\">A section of the sample email\u2019s header shows Date, Time, From, To, Subject, User-Agent, etc.<\/figcaption><\/figure><\/div>\n\n\n<p><strong>What did we learn from the header?<\/strong><\/p>\n\n\n\n<p>It indicates that this email was most likely not legitimate. 
The contents of the email and the sender\u2019s email address suggest that it was attempting to impersonate a company in Bolivia that provides brokering and insurance services. Additionally, it utilized social engineering tactics to convince the recipient to download and open the attachment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analyzing the Behaviour of the Attachment&nbsp;<\/h2>\n\n\n\n<p><strong>Goal of this step<\/strong>: In this section, we&#8217;ll explore the behavioral analysis of the email&#8217;s attachment on Windows 11 and examine the involved files.<\/p>\n\n\n\n<p>A file called \u201cpago 4094.r09\u201d is attached to this email, with the following attributes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SHA1 hash of \u201cCF13DF73EFF74B9CEB6D837C1D7CC9D01FE918DB\u201d<\/li>\n\n\n\n<li>MIME type of \u201capplication\/x-rar\u201d<\/li>\n\n\n\n<li>RAR archive data, v5<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/P_hVKCSP7mlquIxsRH-3_rD4POrzmT1fwQ4JuVRWf0xRzrX5XkE-toPuag4RxnVIbz6WgoERD1rnvdUbUaFDxG6f_9m5f1_Gf8ZDsST_oSrVnFTzzgQdB4ZzOY1Rq2BuhF9SF0j0HOXzptdH8vK-hJY\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The information for pago 4094.r09 in <em>Static discovering<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Downloading and opening \u201cpago 4094.r09\u201d in WinRAR shows the existence of an Application called \u201cpago 4094.exe\u201d:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/rCPfY3xROHgtcPP99w05exIo86t5d2i4ANphVb3yaorQSrlGZpRMpkdx45h1fmDR9KTB8Nrh2rtk28as9iyOt8BLz3D-A34nC2x8OQuSP23n7S3bgk6OancZ7Shw4WxRgCy0AAc13KNK9T1BQ36VGvI\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Opening \u201cpago 4094.r09\u201d in WinRAR<\/figcaption><\/figure><\/div>\n\n\n<p>Extracting \u201cpago 4094.exe\u201d onto the Desktop reveals that it uses the 
<em>Yahoo! Buzz<\/em> Icon. <a href=\"https:\/\/en.wikipedia.org\/wiki\/Yahoo!_Buzz\"><em>Yahoo! Buzz<\/em><\/a> is a community-based news article website.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/g0N6V8Gj0Nj4kDq6aY1JQCwKi2bqHt7NIb-BasXStNgoT9nm1ZER7VONNR8oRm5dOnwX3x9MwHTaY2z5erIYfyZhWgUO-goivfydSkFBi7skA2CXUQ7qgfKX3dB4NDrrNjT7ux329MRwLob6F5CkFeM\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The <em>Yahoo! Buzz<\/em> icon<\/figcaption><\/figure><\/div>\n\n\n<p>The properties tell us that the original filename was \u201cmKkHQ.exe\u201d, and had the copyright \u201cQBuzz 2011\u201d:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/8SD1scHgc_P399KDL27H13IcRDM3AbO_cbbYlkmBU0LFprar_6GEYQK0O_fGHIsYPBSu2gLS1bOtgHPQEeqPXBTyUE1yrT70XI519DeL2HzDdi57AYc3l_fSiGKrtLXywbkVDwfJPSwnzghGPAOVNXI\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The Properties for \u201cpago 4094.exe\u201d<\/figcaption><\/figure><\/div>\n\n\n<p>This executable \u201cpago 4094.exe\u201d has the following attributes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SHA1 hash of \u201cA663C9ECF8F488D6E07B892165AE0A3712B0E91F\u201d<\/li>\n\n\n\n<li>MIME type of \u201capplication\/x-dosexec\u201d<\/li>\n\n\n\n<li>PE32 executable (GUI) Intel 80386 Mono\/.Net assembly, for MS Windows<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/xd_fmVrw5zsPcEyUwWoPSSiwCMIt8JJ9N5NprvkicPvz0rFD2M636vF1yEnbgU3xx_TPBa4skVOExSjTaDZ2BDAW810vovr3mvBay0vjnGG8h0jCP4VRFZSGJ8OeB23HR5gMHMmX18T0L64V6EiJNS0\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>Static Discovering<\/em> shows the details of the executable \u201cpago 4094.exe\u201d.<\/figcaption><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Saving credentials in browsers<\/h3>\n\n\n\n<p>Before executing \u201cpago 4094.exe\u201d, various fake credentials were purposefully saved onto Browsers like Chrome and Microsoft Edge. 
This was done to observe the malware\u2019s credential-stealing behavior.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/v3dVwKeNTtu6KrRP3c17dE33nz7YU8hSRu0rJB2mCrd0bwCIcqWu10m0ZZEo7v1o-iwzWO-YSDvzzjzQCLFs6cZqSBy4I6ZpagdcQTDDzBfh8-zCb5rOYK9uwL_mNr-ELJlEfTZzq27x2-_XuUcl7wE\" alt=\"Saving fake credentials on Chrome\"\/><figcaption class=\"wp-element-caption\">Saving fake Facebook credentials on Chrome, under \u201cchrome:\/\/settings\/passwords\u201d<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/ObP8pfdIA_3QXt9yOpNEpyyO5v1_x9ijXFevEtSs5LQNZtqUbyfLDu4A60meH1rD9k5skq_jPJBCfjcNPM0v2Qxq4YS2cYcQZ7axrk8Kj9ujn-FHImFkPwnZExdgW0viGlVhIO8SaICeWJTtGY-SWjg\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Saving fake Instagram credentials on Microsoft Edge, under \u201cedge:\/\/settings\/passwords\u201d<\/figcaption><\/figure><\/div>\n\n\n<p>Once the fake credentials were saved onto the Browsers, \u201cpago 4094.exe\u201d was executed by double-clicking \u201cpago 4094.exe\u201d on the Desktop.<\/p>\n\n\n\n<p><strong>Getting into the execution flow<\/strong><\/p>\n\n\n\n<p>Around 30 seconds after executing \u201cpago 4094.exe\u201d, the executable file disappears from the Desktop. A child process \u201cC:\\Users\\admin\\Desktop\\pago 4094.exe\u201d is created, and an executable file \u201cC:\\Users\\admin\\AppData\\Local\\Temp\\tmpG484.tmp\u201d is dropped. 
The dropping of the .tmp file is done to secure persistence on the victim machine.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/6-hp9nc36yzgBvKL3GYKiYBnr3F3XFKT4o_wwsD6h42q9YHcjKFSWQ09lSwkdHLnOJvVM3KT9qlgp_12WJ9z2KbZl9QNOvfTzKnVb23_gbCivsZCjIW7PflZHBjmq2Dr9NNJX5irJamcY3xpzaxu36I\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The executable disappears from the Desktop, and \u201ctmpG484.tmp\u201d is dropped in \u201cC:\\Users\\admin\\AppData\\Local\\Temp\\\u201d<\/figcaption><\/figure><\/div>\n\n\n<p>Now, the Snake Keylogger is running silently in the background. From the Windows User\u2019s perspective, nothing alarming happens.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analyzing the Processes<\/h2>\n\n\n\n<p><strong>Goal of this section:<\/strong> We&#8217;ll explore the analysis of processes associated with the Snake Keylogger.<\/p>\n\n\n\n<p>Process 1112 and its child process 3868, are key processes involved in the malicious activities:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/fOR1MG0Ud45mTs5CPidWp8LotswRyiwtGUXGLuDpY22oc2xTL0JFRPS3-yw6rh7JE4ixXnwg_8pm7S7sBEpJOyB5L9st-vGfjMag6YHZCNZxtK8mkAbyGNL0ikv8NK-iDfBzzcdhqxIkOHVixdac0WE\" alt=\"\"\/><figcaption class=\"wp-element-caption\">&nbsp;The \u201cpago 4094.exe\u201d processes<\/figcaption><\/figure><\/div>\n\n\n<p><strong>Detailed look at the process 1112<\/strong><\/p>\n\n\n\n<p>Process 1112 was detected as 100\/100 Malicious under the <em>Threat Verdict<\/em>. It can be observed querying registries, performing system information discoveries, checking LSA protection, dropping another application, etc. 
This process ran for a total of 48.9 seconds.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/6RkqFm4J3XLzuTqmEwRLeL9sI8rYiY5HrLhmrmfEWJG3L8WzvRmpnDwAHattTH3hwyiOM6olrwZA4E4SvVTcVZQFjfZJ_EpI1KAuv6zn1GgoJaSrf-MfDWm8pwmax99Vp7BdA53Yfy8k7Z1qel9fPCY\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Overview of Process 1112, \u201cpago 4094.exe\u201d<\/figcaption><\/figure><\/div>\n\n\n<p>Registry changes were seen for Process 1112, and the following Write Operations were conducted:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/0WqXNC7mJBiueniaBSVRcWlOsKTrWe1uu2veGE5y38WcCLz7CB6IgM3B96GpleRvI1DmXVWRgGBo4hNqrs3Obo3OMZ1y-dUqPyWkA-urb0yvS3CfDis2E21buenfK9B_vgyECYhK8qjS27DRorl8U3g\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The Registry changes for Process 1112<\/figcaption><\/figure><\/div>\n\n\n<p>Process 1112 also created a new file with the MIME type of \u201ctext\/plain\u201d, called \u201cpago 4094.exe.log\u201d under \u201cC:\\Users\\admin\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\\u201d:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/7RDNstM75sbzxn8-QI_obaAPxF0yu5tqarEOT5GrbohGurz_ItwHKZ5i26dJ4p50CjK4eU3nlTL5SEyKb9h1ykTt30Q0erd924caT9LjtpfgZDMqHiGnE-6k4ViZzyItjU4fxe3FgHJy60_q34rcgUk\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The creation of \u201cpago 4094.exe.log\u201d<\/figcaption><\/figure><\/div>\n\n\n<p>The contents of \u201cpago 4094.exe.log\u201d contained references to <em>System.Windows.Forms<\/em>, <em>System.Drawing<\/em>, etc. which are associated with <a href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/?view=net-7.0\">.NET API<\/a>. 
It also contained <em>PublicKeyToken<\/em> values:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/IhDw8H6sdyIrqJS-cW8AIjYH6vOkbdcMqtT1yTfm_alJkC4kQYvM-phRaoipRJmMRKrExsU7FWaWz58EtRn9V-SyOBsqYksIdQmnctYZe4HDVasLhxDoD0XQVERwlgRoN-T3jBD4cD8cEGFynQSndfg\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The contents of \u201cpago 4094.exe.log\u201d<\/figcaption><\/figure><\/div>\n\n\n<p><strong>Detailed look at the process 3868<\/strong><\/p>\n\n\n\n<p>Process 3868 plays a significant role in this malware. This process started at 287.76 seconds and ran all the way until the end. It steals credentials from browsers and files and sends these stolen credentials over SMTP:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/1vQYGOpzr5Ho5CYYmYTlArqk17DweABrPVX3JNrKK4xPqjyybIQodvHBk8Sibd1p_LrwITmFxiaOP1U173cgOx22D7VRHKPao3qirkdP5R8ZjkY1DeHjiX-ucPz62F8VZ8nHfNkfXKlbNT6VNJyf5v8\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Overview of Process 3868, \u201cpago 4094.exe\u201d<\/figcaption><\/figure><\/div>\n\n\n<p>The indicators for this process included \u201cKnown Threat\u201d, \u201cConnects to the network\u201d, \u201cExecutable file was dropped\u201d, \u201cActions similar to stealing personal data\u201d, \u201cBehavior similar to spam\u201d, \u201cThe process has the malware config\u201d, and \u201cThe module has a process dump.\u201d<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/Q7pCDpzka7FmxZ9V_eGSLWCho08-Cq-7bBOA-rK0ODEW4TnAq0Hy2HUrhiZwi3qx4lt0a73qBaMw7XqFAby92ixm5pBxHuJWfH5DWraPk2p7jHVSPTjrp0ysr-8dDAiPgIDeckOUE36bKQPeNBONlQo\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The indicators in Process 3868<\/figcaption><\/figure><\/div>\n\n\n<p>It was detected as Snake Keylogger, 
where the destination IP was 158.101.44[.]242, with a destination port of 80. This IP is associated with <em>checkip.dyndns[.]com<\/em>, and we will explore it in detail in the next section, <em>Analyzing the Network Activities<\/em>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/unczWFz_lIPx0Bv9cEibtSbL97qyboD3AN2gapJ9Sur_OYJzgAZmA3OKcgr40ISHoEzu9xJPjE5T8bvZzYH4ysLCz3zIOJWZV8NDHjFGppnxPbeYrAeKPTfkd1frQQxFR-4KqNWSnUO6o2IJZ3C8G1I\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The detection of SNAKEKEYLOGGER<\/figcaption><\/figure><\/div>\n\n\n<p>Process 3868 drops 
\u201cC:\\Users\\admin\\AppData\\Local\\Temp\\tmpG484.tmp\u201d. This has an MD5 hash of 1A0F4CC0513F1B56FEF01C815410C6EA, which is the same as the MD5 hash for the original executable file \u201cpago 4094.exe\u201d. This is done to achieve persistence on the victim machine.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/kSthdfY4pNYq4pitLPutgkhznreSBL-L47P7HF8gHO-rarkl-96rONHeZ8uoluDBkUTAhT_UGcnIHZEn4YIA6RV3Iz5Q1tNwwBPrpO4qYFQh69w4nb5SRBxo_n4NERtr2wJ7PP6_PGBgaoP-y8bBqgw\" alt=\"\"\/><figcaption class=\"wp-element-caption\">A .tmp file is dropped<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/ZiVClN3ALbiPQgy0VZ_DfmLguiLUGdLwwp-OIbfb-StLyUyIvBIUGAZWPdcsmQD-Gkx-AeAn0sE4hBH210ZyFW4vJ2vJaBdiGKltoCB5FizzH34Vq1jyExRTFHcP8fHsHX1MH5ftMcCBFl7l4tSLfA4\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Details of the dropped \u201cC:\\Users\\admin\\AppData\\Local\\Temp\\tmpG484.tmp\u201d&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Analyzing the Network Activities<\/h2>\n\n\n\n<p><strong>Section goal<\/strong>: In this section, we&#8217;ll explore the network activities associated with the Snake Keylogger and examine the packet capture (PCAP) file in detail.<\/p>\n\n\n\n<p>Process 3868, \u201cpago 4094.exe\u201d, attempted to retrieve external IP addresses with <em>checkip.dyndns[.]org<\/em> as shown in the <em>Threats<\/em> Tab:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/nNNC9ivvpPqObWKe4SmbJZWnNgx0-DlOJ1cA6BIdOUpgCwdugJS9ZBuiAhDe_Sb0IiFneXYKhX5-wkzuWuWaEFWdMtwVDmgd36gTeYjnYL3A4WRWsUvC2rZl0heRicvciDlcpv8iokLJXNjHdiCeGTg\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The <em>Threats<\/em> Tab shows the retrieval of the external IP 
address<\/figcaption><\/figure><\/div>\n\n\n<p>It was seen connecting to 158.101.44[.]242 on port 80. This IP was associated with <em>checkip.dyn\u2026<\/em> according to VirusTotal:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/PfGo7tPbSjC5hTHsP56ezIOruCOm5QOBFy8_6fJfuXvqdMaTNlaM6G3Gbde8JSixRYfcTU66f67n9HuVkPEY-CnBi2itDx4oZViggbKQ20SLywBowbILqn2oDQ9JxmIayEHiZO2JYCqFwgIAHLmMFNA\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The Threat details show the source and destination IP and port.<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/W_0MgT9ezAPC32dbAT284xUypiQHeBupOlNznqCDDz6WMCNg-P5LBLViTLXhGhnmmnZuc3bQ8ieeP2x-AyQFALStcoHhGIHbPbnuZSK8W4mqWIk7YX8nOZDhqlg1w9ggWl0I5omUIpWGhtO6-WQ7Adk\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The IP 158.101.44[.]242 was associated with checkip.dyn according to VirusTotal<\/figcaption><\/figure><\/div>\n\n\n<p>The host <em>checkip.dyndns[.]org<\/em> is associated with IP checking. According to Dyn, \u201cCheckIP will return the remote socket\u2019s IP address. If a client sends a Client-IP or a X-Forwarded-For HTTP header, <a href=\"https:\/\/help.dyn.com\/remote-access-api\/checkip-tool\/#:~:text=Dyn%20offers%20a%20free%20web,Hostname%3A%20checkip.dyndns.org\">CheckIP<\/a> will return that value instead.\u201d<\/p>\n\n\n\n<p>The packet capture (PCAP) file was downloaded for further analysis. 
The following filter was applied on the PCAP in Wireshark.&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>ip.dst == 158.101.44.242 || ip.src == 158.101.44.242<\/em><\/p>\n\n\n\n<p>This is done to check for packets where the destination or source IP was 158.101.44[.]242.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/dgAcibXYmEDWDQrwlCqnoiRzNNzj_oG6FzKYmaQISKec6ii4MqEA4LXNU2B8enkSuvbewj2w0_7n-xr54q6Vn__zJSQjkB6WpDkJEf58XYkGpdynbz3hWZ5v66XnAZhaNzOQxSCAY_ekH8SYfAcBsSU\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Packets where the Destination or Source IP is 158.101.44[.]242<\/figcaption><\/figure><\/div>\n\n\n<p>Following the TCP stream revealed that it retrieved the machine\u2019s current external IP address from <em>checkip[.]dyndns.org<\/em>, which was 45.130.136[.]51:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/FJHCOGZbjcLRfQpDGOOi5lXanXrFT2IyTxKUfas36TOBbtovF6zUNTxFazvc4gvX5EvZ5w8gBTxLtnRMZt5xcg_buyW8GNy0zoHyuG8R9lQk8SGw4FaJiUgTWX-Os6jxcTnuRVzZUJAtUrJ1G_gZzac\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Following the TCP stream shows the current IP address<\/figcaption><\/figure><\/div>\n\n\n<p>A Network trojan was detected for process 3868, \u201cpago 4094.exe\u201d under the <em>Threats<\/em> tab:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/eTGyOGpn0_7-1QFkd49-xDJmGcBKK0nPrQAl64XnNkTQCr_Vkc_HQd9ylkBDbFotu8fY88bJTsZnc9NsL8WZGscLKZvDL-R0oT5NpaL3sgyNFeP9Begzp_GhfPy6DfmN6INIxskfX17dZnFlkWzy7SQ\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The Detected Network Trojan<\/figcaption><\/figure><\/div>\n\n\n<p>A <em>Snake Keylogger Exil via SMTP<\/em> was observed, where the destination IP was 208.91.199[.]255 and the destination port was 587. 
SMTP on <a href=\"https:\/\/www.cloudflare.com\/en-gb\/learning\/email-security\/smtp-port-25-587\/\">port 587 is a secure and authenticated method<\/a> for sending emails from email clients to email servers. It typically uses STARTTLS or TLS\/SSL for encryption.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/PTLSNXJ9VAvEPfwMjBGUtaLaidBmDA3TGSWJnX7ScTWbTyZnYuZggmN0Cmac8nM7ccPJnmGvrfal5bNYYlJPG_EX24cPoW-0BZy8GSCjeasQsvdimStsJ_19m1OeNjfV2YJVcLrX_sCqE1PCbyYCMl8\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The <em>Threat Details<\/em> of the Network Trojan<\/figcaption><\/figure><\/div>\n\n\n<p>Applying the <em>smtp<\/em> filter on the PCAP in Wireshark showed the data exfiltration taking place over SMTP:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/HJIeLVNAAFQMVpUmNRlsWp7kvlMuaEbbcSmfwNYfRUyUIDyHq4ldPMD0_WivPrhmYiheSuzHIbcr4zyhlItU9SdiCDyNWLK_DU6ZZCkmZbh2FmPGjMGy5i6mBnQ9XhTuo_blaNjy6LMuJRw0_iX65nU\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Data exfiltration over SMTP&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Following the TCP stream revealed the SMTP Authentication taking place. The email address used to send the stolen information was likely hacked by malicious actors. 
According to OSINT, the hacked email address belonged to a physical security company in South America.<\/p>\n\n\n\n<p>The same is confirmed in the PCAP:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/YI9-cCQ8yCAnBTaPGgGJJ83jIIiDkzE-aAEgAvc2ifyteHTH1w6a9-YzDDPAPfgs_cReemW6hC7qygbE5ucVmu70H_xgRzeXBf9RfyCo_SWR83zkiDBzMBSyORm5QhUfKMB21to8UwrcJeYX-6c_jtE\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Following the TCP stream shows the authentication taking place<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/iZ52ohMbIMDtHcw8SULaVMn5ACTv7WOo70WoZvhcsV0AbBFZiY-APiHda06WqJfQn5e13dQLHqapmIuZH6ojpYL2vYDGdeXt-VP-nSAKZrkBkUPviLxi7tfm5J1u-5TAtOW8xpJ-7Fd3uc3W5271MRE\" alt=\"\"\/><figcaption class=\"wp-element-caption\">A section of the email header<\/figcaption><\/figure><\/div>\n\n\n<p>The email has an attachment called \u201cPasswords.txt\u201d, which contains the stolen information. The contents of \u201cPasswords.txt\u201d are in Base64 inside the PCAP as shown:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/C8xDxtTuHldmKD3ryPTu-uFINcdYdw06joDrq9vmIqRAH_HN5KvxVCaMv2gDJW5zMG6MrGNJ8n9ty_xSA6yHQAxhR_hYUzHk2xYQH4k3Ml6ey7Q_ncFkoHwaOIAyjyYSOWiarzwVyc2NZn3eVu3M4qo\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The contents of \u201cPasswords.txt\u201d in Base64<\/figcaption><\/figure><\/div>\n\n\n<p>The email has another attachment called \u201cUser.txt\u201d, which also contains the stolen information. 
The contents of \u201cUser.txt\u201d are also in Base64 inside the PCAP:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/U2kBlz39aOB7SUUOJf4JsDW7OXa0oV3fMP1MrTCI3dqc_6WcEPwB2RRI11QzKplSRpmnPLqJA37SVWPGnzUqh2vnZl-8loWCKJq1QX11dUNABloaVcbEFCAMeEax5NkDVC6z7xlIV7Ykm0zBAE0qcog\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The contents of \u201cUser.txt\u201d in Base64<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Decoding the contents of \u201cPasswords.txt\u201d<\/h3>\n\n\n\n<p>Decoding the contents of \u201cPasswords.txt\u201d from Base64 on <a href=\"https:\/\/gchq.github.io\/CyberChef\/\">CyberChef<\/a> reveals that it contained the computer name (\u201cDESKTOP-BFTPUHP\u201d), the date and time (8\/4\/2023 4:43:13 PM), and the IP address (45.130.136[.]51). It also contained the fake credentials that were saved in Google Chrome and Microsoft Edge:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/DRbbuPJhU9S4Q1o67IU9CZ2TC8wji5mODwzxxJF43hByzENH24c9rEPqlqDCWj7b7eT8aVnF6_rvqzAdJ4-JSIf-IaVfFy0pHTz5QgiJ0vBSMl63w9Os-jF5Q3cIRBp3jKk9mIKabpsw3XrbZz3sE6E\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Decoding \u201cPasswords.txt\u201d from Base64 on CyberChef<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/VsC9Q_r1tsOzL8NWjAc2DPhC7B1xdSilRHjiFSWf9ty5JovMp-K92xBgXY1kHRz6ygXzqtxLqPvObhnIPT0EsM5KgnUxAaQC-Td7fn7cN9ryAIiDrw3s6fKLldTNt9qHee0mFUMHVtjxqyw0yp8Of9o\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Removing the null bytes for improved readability<\/figcaption><\/figure><\/div>\n\n\n<p>Decoding the contents of \u201cUser.txt\u201d from Base64 on CyberChef resulted in something similar to \u201cPasswords.txt\u201d, though it did not contain null bytes, 
and was in a more human-readable format:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/Z2Gfzzty1NY-ETqnjnt2M64uxImbrPn82u8qURJ93cgny7EY0cK5n4lyavAeyIrYalkc_tiWRWsi1KBMB5Bxai9XdR32ABlWzVLw2731UJsYgBPTta0QuxWy71S10YkeVHAQ5N2H4GooUv6_3drJAjo\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Decoding \u201cUser.txt\u201d from Base64 on CyberChef<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">MITRE ATT&amp;CK<\/h2>\n\n\n\n<p><strong>Section goal<\/strong>: In this section, we&#8217;ll explore the MITRE ATT&amp;CK for the Snake Keylogger and examine the involved Tactics and Techniques.<\/p>\n\n\n\n<p>The MITRE ATT&amp;CK Matrix for this Snake Keylogger includes five Tactics, namely <em>Initial Access<\/em>, <em>Execution<\/em>, <em>Credential Access<\/em>, <em>Discovery<\/em>, and <em>Command and Control (C &amp; C)<\/em>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/QcGBPTSYYDtO3kQZ63YwSNlYyg0HEV6Q1tQSADMpw0HGfSMVaHZtTyGIqeTB-58YzZV9InzEURZ4RZ2PraP__bbG-_kpqUkaF1gAc6ISk-mbMkzj5Ocd57R-dNFt5G3fYvGl27eCekpBMFSc74d4TP4\" alt=\"\"\/><figcaption class=\"wp-element-caption\">MITRE ATT&amp;CK Matrix<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">MITRE ATT&amp;CK: Initial Access&nbsp;<\/h3>\n\n\n\n<p>Firstly, the phishing email \u201c32b4f238-3516-b261-c3ae-0c570d22ee18.eml\u201d entices the recipient to download and open the attachment via social engineering (as seen in <em>Analyzing the Email). 
<\/em>The email has a RAR archive attachment \u201cpago 4094.r09\u201d, which contains an executable file \u201cpago 4094.exe\u201d.<\/p>\n\n\n\n<p>The technique here is <a href=\"https:\/\/attack.mitre.org\/techniques\/T1566\/\">T1566<\/a> (Phishing), and the subtechnique is <a href=\"https:\/\/attack.mitre.org\/techniques\/T1566\/001\/\">T1566.001<\/a> (Phishing: Spearphishing Attachment).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">MITRE ATT&amp;CK: Execution&nbsp;<\/h3>\n\n\n\n<p>The \u201cpago 4094.exe\u201d, namely process 1112, is manually executed by the user. In this case, \u201cpago 4094.exe\u201d was executed by double-clicking the Desktop icon.<\/p>\n\n\n\n<p>The technique here is <a href=\"https:\/\/attack.mitre.org\/techniques\/T1204\/\">T1204<\/a> (User Execution), and the subtechnique is <a href=\"https:\/\/attack.mitre.org\/techniques\/T1204\/002\/\">T1204.002<\/a> (User Execution: Malicious File).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/O8n58W08bNNDa4swicKi-FVgk3FcMkunIau0YOILfg_RO_jGAUo6yNDe3Mg2W4F-uoPvd5gNv1gcbA6YqfQvf0THe4pjQILZj3MZ0C_OI7GAILaAHFqIPe1xMzDk0hfS7opk1ifJJ-Taq1Pe9MWPePE\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Techniques details of <em>User Execution<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">MITRE ATT&amp;CK: Credential Access&nbsp;<\/h3>\n\n\n\n<p>Process 3868 attempted to steal credentials from web browsers and files. 
The technique here is <a href=\"https:\/\/attack.mitre.org\/techniques\/T1555\/\">T1555<\/a> (Credentials from Password stores), and the subtechnique is <a href=\"https:\/\/attack.mitre.org\/techniques\/T1555\/003\/\">T1555.003<\/a> (Credentials from Password Stores: Credentials from Web Browsers).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/GObfvVLwd7Uq9owfeD4q-2RHEplS6QtAOgkWIAdac9dOTvn4levodwX7PRd2ouaNo9xkh2JJUeKnyk9hCH7lGGIK2cZADLoAbwmvLshpL51-0KSqOPDEANJhkaBXuyQQYb2EGxMO0cpXsy05QJhqZ9E\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Techniques details of <em>Credentials from Password Stores<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>It is also technique <a href=\"https:\/\/attack.mitre.org\/techniques\/T1552\/\">T1552<\/a> (Unsecured Credentials), and the subtechnique is <a href=\"https:\/\/attack.mitre.org\/techniques\/T1552\/001\/\">T1552.001<\/a> (Unsecured Credentials: Credentials In Files).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/VX3CGC0PWj2DLRj5s0YpqVwvf-ygVuTE5ilbfqaZ-ayUhTmpFeagEKO4BpVrcV0Vq8rJgRNh6X6F3FT2JsU55zREkLeilRG2hDYPfpg1lUz16iI41KONcBfKvPxLy4ykahXFP7O8iIwpTJg6kV_2Vdg\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Techniques details of <em>Unsecured Credentials<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Process 3868 attempted \u201cFILE_READ_ATTRIBUTES\u201d access on files associated with browsers under the \u201cC:\\Users\\admin\\AppData\\Local\\&#8230;\u201d and&nbsp; \u201cC:\\Users\\admin\\AppData\\Roaming\\&#8230;\u201d directory.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/FrhT6jBlGGvHDVP4Nc2fUJeELj6tg5ANJQax62jQVcH78mFscyen-2VpholXGSPTdBsC3EAIZVh6hapiThlzoGngYIix0nA_q1kd1cRQXW6Bibf8G1hAsBUZ4KjABjfxUefo_Tnl2Uw2aAEQ8QdJyjo\" 
alt=\"\"\/><figcaption class=\"wp-element-caption\">Process 3868 attempted to steal credentials from Chromium, Opera, Epic Privacy Browser, QQ Browser, etc.<\/figcaption><\/figure><\/div>\n\n\n<p>Before executing \u201cpago 4094.exe\u201d, fake credentials were saved in Google Chrome and Microsoft Edge.<\/p>\n\n\n\n<p>Thus, process 3868 attempted the following accesses on files related to Google Chrome, which were in \u201cC:\\USERS\\ADMIN\\APPDATA\\LOCAL\\GOOGLE\\CHROME\\USER DATA\\DEFAULT\\LOGIN DATA\u201d and \u201cC:\\Users\\admin\\AppData\\Local\\Google\\Chrome\\User Data\\Local State\u201d:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>FILE_READ_ATTRIBUTES<\/li>\n\n\n\n<li>READ_CONTROL<\/li>\n\n\n\n<li>SYNCHRONIZE<\/li>\n\n\n\n<li>FILE_READ_DATA<\/li>\n\n\n\n<li>FILE_READ_EA<\/li>\n\n\n\n<li>FILE_READ_ATTRIBUTES<\/li>\n<\/ul>\n\n\n\n<p>This process also attempted these accesses on files related to Microsoft Edge, which were in \u201cC:\\Users\\admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data\u201d and \u201cC:\\Users\\admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Local State\u201d:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/953lLJcDHjv4AWiEMOdLBEjKQURjA7zGZRAfGuN-LWrSqo80R8czf6JVYyrWTCJI-L9EA0Q2YKQ5wALtiO-AENmzpeKt1z-m86ABu71bD9SkkQxCYL5IcYRdz2QTFVJxm6XqeW2W2U_V2Y6tEhzScZI\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Data being stolen from Google Chrome<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/lteJqFxHz3Qmtx0xKvwHcTJoDcnewWPe8l1hrEs74yWWeVZuF1C3gyW2AuIJUeQGnSeayS95DAz7TEKw-uSHEc0F_wqJohfR3J4n8h0vrtCNT2uspcLAgp1W_t305YENuiBrDNLL6G7cInugivElxwo\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Data being stolen from Microsoft Edge<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">MITRE 
ATT&amp;CK: Discovery<\/h3>\n\n\n\n<p>Processes 1112 and 3868 attempt to query the registry. The registry contains a lot of crucial system information, such as the OS, its configuration, installed software, and security settings. The technique here is <a href=\"https:\/\/attack.mitre.org\/techniques\/T1012\/\">T1012<\/a> (Query Registry).<\/p>\n\n\n\n<p>The processes attempted the following:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/O3maBIoNhMVh2pb5pmy4AADnKSNFmJcmFkpg-dvWHwoboI7pAOS23TM7F_Rantmw53I6Ol6pmTNLN1zwjtdjeYV5T7rwTycYhUTaiCGxSLwBroaLi5h56yC_4WCYjGCL_gnqLQr-Z2_HLlyqy7utwcs\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Techniques details of<em> Query Registry<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/cIlkaYBzdzOXh02qAJAsBa3QENqDfLwwpJEWS1lpdrccg5NiT0Iv-mOv7BnOANgHr_Fshr74puTleOCW6frZsEm2MOu-n-R48iyYc_Dj76EdbKJKJMB5b5U5gLzbjRADUcgXdRzGy2AnPmFDweerj3s\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Techniques details of<em> Query Registry<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Processes 1112 and 3868 also attempt to discover system information and gather crucial details about the host. 
The technique here is <a href=\"https:\/\/attack.mitre.org\/techniques\/T1082\/\">T1082<\/a> (System Information Discovery).<\/p>\n\n\n\n<p>There are overlaps between this and the previous subtechnique <a href=\"https:\/\/attack.mitre.org\/techniques\/T1012\/\">T1012<\/a>:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/0bveXXkt-fQCgPtEkT51TO_BwYy9MFEmuZ0SCAcrjm6KWPYJDFqJMb5sk2mT_P55b9REJUsupDmlO43_8ibv9vlFhxqtt01A-k2RRqDUdH-lOnCgjIqABEec_gV7JfQFq6yOJ741fmhl3vINU4cdz0M\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Techniques details of <em>System Information Discovery<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Process 3868 attempts to discover installed software, and it attempted to access various locations associated with Browsers. The technique here is <a href=\"https:\/\/attack.mitre.org\/techniques\/T1518\/\">T1518<\/a> (Software Discovery).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/PnUsxiyR7OZJBgdyrB1z4uv5kkMVYqr2pLFtdm-2wa1qJNCzpwFasgqoFYczJQdkb8JANRHgdaoey4iklvieSZ5og3IMFqh9k4ux6-mOsE1AJ9ywfAV3fUhloT2S5cgPFgc87yGgDK8GkKvpwZXhcfs\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Techniques details of <em>Software Discovery<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Process 3868 attempts to discover the system network configuration. It checked for external IP, where the destination IP was 158.101.44[.]242 and the destination port was 80. 
The technique here is <a href=\"https:\/\/attack.mitre.org\/techniques\/T1016\/\">T1016<\/a> (System Network Configuration Discovery).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/BQTY_b-tAJRhl7V2eEYzvhDpsfv3vuKCynQ496val51VIGyF47EGTFTGiQmaAzFsm6lCj2Ho0kBL6mSK1CK0TqCgWbJkc1mYO-ng9VlKEcE2yzz3YmWU2MJkC9v0_-FmZBxjGjqCpQzb_XKQ6u91rrE\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Techniques details of <em>System Network Configuration Discovery<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">MITRE ATT&amp;CK: C&amp;C<\/h3>\n\n\n\n<p>Process 3868 then communicates with the application layer protocol. Due to the existing background traffic, communication using the application layer protocols may fly under the radar. It was seen connecting to the SMTP port 587, where the destination IP was 208.91.199[.]225.<\/p>\n\n\n\n<p>The technique here is <a href=\"https:\/\/attack.mitre.org\/techniques\/T1071\/\">T1071<\/a> (Application Layer Protocol), and the subtechnique is <a href=\"https:\/\/attack.mitre.org\/techniques\/T1071\/003\/\">T1071.003<\/a> (Application Layer Protocol: Mail Protocols).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/CQMbT0mf5Z9nZEATTFRSi0nGGwdfVbRM7YPDNd1NyvOuTp4yNVQLEzZhMZISoLgoQfMIPA2tBpoktyUosMEBbjiqh7FSXiuytfoyl_J_jEwVDm5Nf4H1u3EIdZcN9ONg2fE6NSiucQitT1Q-pirym9E\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Techniques details of <em>Application Layer Protocol<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Finally, the malware configuration for the Snake Keylogger can be seen in ANY.RUN\u2019s <em>Malware Configuration:<\/em><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" 
src=\"https:\/\/lh4.googleusercontent.com\/yn6w3XIvNx_TzxONHUcXhBg4bqvyJCQoANICaa2vYK-igJjcp6ZG9pQA1rZPoIdO3EQGl5lYXQS2lATakCEoyaHGYrJtV49sRVNSJaHmSFWx-2XYl0AmWA9byGIo3psWoq_WtUw6JKXa9_fLqxuvTfo\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The <em>Malware Configuration <\/em>for the Snake Keylogger<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>This analysis showed how a single malicious email can lead to multiple security risks, including financial and reputational damage. We used various techniques like email and attachment analysis, process and network analysis, and applied the MITRE ATT&amp;CK.<\/p>\n\n\n\n<p>The focus was on an email with a Snake Keylogger attachment. It collects system info, establishes persistence, steals credentials, and exfiltrates data.<\/p>\n\n\n\n<p>Given that emails remain a top threat vector often exploiting human error, staying vigilant against email threats is crucial.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">About ANY.RUN<\/h3>\n\n\n\n<p>ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. 
Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Request a demo today and enjoy 14 days of free access to our Enterprise plan.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=snakekeylogger&amp;utm_content=trial\">Request demo \u2192 <\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Appendix 1: IOCs<\/h2>\n\n\n\n<p>Analyzed files:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-28\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"5\"\n           data-wpID=\"28\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Name                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        32b4f238-3516-b261-c3ae-0c570d22ee18.eml                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr 
class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        MD5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        60D00C17D3EA15910893EEF868DE7A65                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA1                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1D17DD1688A903CBE423D8DE58F8A7AB7ECE1EA5                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td 
class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        D13A7EAAF07C924159EA7BB8F297DAB1D8DA0F9AF46E82E24052D6A9BF5E4087                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SSDEEP                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        12288:vZ1Tzm0D2acQLqgVIjejueFyhaCV2JKKS7hoxSSqkljhEi9lV7j:z7K8FuuzCV2JKkxPOQ3                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style 
id='wpdt-custom-style-28'>\ntable#wpdtSimpleTable-28{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-28 td, table.wpdtSimpleTable28 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-29\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"5\"\n           data-wpID=\"29\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Name                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        pago 4094.exe                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n              
      >\n                                        MD5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1A0F4CC0513F1B56FEF01C815410C6EA                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA1                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        A663C9ECF8F488D6E07B892165AE0A3712B0E91F                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256            
        <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        D483D48C15F797C92C89D2EAFCC9FC7CBE0C02CABE1D9130BB9069E8C897C94C                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SSDEEP                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        12288:PXPZDbCo\/k+n70P4uR87fD0iBTJj1ijFDTwA:hOz+IPz6\/PF1ihDTwA                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-29'>\ntable#wpdtSimpleTable-29{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-29 td, table.wpdtSimpleTable29 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>Connections:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>158.101.44[.]242\u30fb <em>checkip.dyndns[.]org<\/em><\/li>\n\n\n\n<li>208.91.199[.]255\u30fb<em>us2.smtp.mailhostbox[.]com<\/em><\/li>\n<\/ul>\n\n\n\n<h2 
class=\"wp-block-heading\">Appendix 2: MITRE MATRIX<\/h2>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-30\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"10\"\n           data-wpID=\"30\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Tactics                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Techniques                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Description                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr 
class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0001: Initial Access                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1566: Phishing                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Send phishing messages to gain access to victim systems.                    
<\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0002: Execution                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1204: User Execution                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Rely upon specific actions by a user in order to gain execution.                    
<\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"2\"                     data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0006: Credential Access                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1555: Credentials from Password Stores                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Search for common password storage locations to obtain user credentials.                    
<\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1552: Unsecured Credentials                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Search compromised systems to find and obtain insecurely stored credentials.                    
<\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"4\"                     data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0007: Discovery                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1012: Query Registry                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Interact with the Windows Registry to gather information.                    
<\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1082: System Information Discovery                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Get detailed information about the operating system and hardware.                    
<\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1518: Software Discovery                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Get a listing of software and software versions that are installed.                    
<\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1016: System Network Configuration Discovery                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Look for details about the network configuration and settings.                    
<\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0011: Command and Control                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1071: Application Layer Protocol                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C10\"\n                    data-col-index=\"2\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Communicate using OSI application layer protocols to avoid detection.                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-30'>\ntable#wpdtSimpleTable-30{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-30 td, table.wpdtSimpleTable30 th { white-space: normal !important; }\n<\/style>\n\n","protected":false},"excerpt":{"rendered":"<p>Emails are a common communication method but also a major vector for cyber threats. They can deliver everything from scams and data theft to malware. 
Unfortunately, one bad email can lead to financial loss, reputational damage, and even escalate into broader system compromise. To bolster email security, it&#8217;s essential to understand the types of attacks [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":5932,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,34,40],"class_list":["post-5924","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Read a comprehensive analysis of Snake Keylogger, an infostealer malware written in the .NET programming language that steals credentials.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Lena aka LambdaMamba\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"23 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/\"},\"author\":{\"name\":\"Lena aka LambdaMamba\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough\",\"datePublished\":\"2023-10-05T06:21:02+00:00\",\"dateModified\":\"2023-10-05T09:14:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/\"},\"wordCount\":2941,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/\",\"name\":\"Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2023-10-05T06:21:02+00:00\",\"dateModified\":\"2023-10-05T09:14:08+00:00\",\"description\":\"Read a comprehensive analysis of Snake Keylogger, an infostealer malware written in the .NET programming language that steals 
credentials.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Lena aka LambdaMamba\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/lena_profile_picture.png\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/lena_profile_picture.png\",\"caption\":\"Lena aka LambdaMamba\"},\"description\":\"I am a Chief Research Officer at a cybersecurity company. My passions include investigations, experimentations, gaming, writing, and drawing. I also like playing around with hardware, operating systems, and FPGAs. I enjoy assembling things as well as disassembling things! In my spare time, I do CTFs, threat hunting, and write about them. I am fascinated by snakes, which includes the Snake Malware! Check out: \u2022 My website \u2022 My LinkedIn profile\",\"sameAs\":[\"https:\/\/lambdamamba.com\/\"],\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/5924"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=5924"}],"version-history":[{"count":7,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/5924\/revisions"}],"predecessor-version":[{"id":5937,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/5924\/revisions\/5937"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/5932"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=5924"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=5924"},{"ta
xonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=5924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}