{"id":7372,"date":"2024-03-25T09:38:46","date_gmt":"2024-03-25T09:38:46","guid":{"rendered":"\/cybersecurity-blog\/?p=7372"},"modified":"2024-03-25T09:45:52","modified_gmt":"2024-03-25T09:45:52","slug":"reverse-engineering-snake-keylogger","status":"publish","type":"post","link":"\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/","title":{"rendered":"Reverse Engineering Snake Keylogger: Full .NET Malware Analysis Walkthrough"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>In order to understand malware comprehensively, it is essential to employ various analysis techniques and examine it from multiple perspectives. These techniques include behavioral, network, and process analysis during sandbox analysis, as well as static and dynamic analysis during reverse engineering.<\/p>\n\n\n\n<p>I (Lena, aka LambdaMamba) prefer to begin with sandbox analysis to understand the malware\u2019s behavior. The insights from sandbox analysis provide a foundational understanding of what to anticipate and what specific aspects to investigate during the reverse engineering process. Recognizing what to look for is crucial in reverse engineering because malware authors often employ a myriad of tricks to mislead analysts, as will be demonstrated in this reverse engineering walkthrough. We will also be taking a look into how malware can be modded to make analysis easier.<\/p>\n\n\n\n<p>Let\u2019s dive right into it!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Preparation for Reverse Engineering<\/h2>\n\n\n\n<p>This sample has 4 stages and uses dynamic code execution, code reassembly, obfuscation, steganography, junk code, and various other anti-analysis techniques. 
We\u2019ll eventually get into fun things like modding the malware, so stay with me here!<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"575\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-6-1024x575.png\" alt=\"\" class=\"wp-image-7373\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-6-1024x575.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-6-300x168.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-6-768x431.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-6-1536x863.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-6-370x208.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-6-270x152.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-6-740x416.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-6.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The modded Snake Keylogger<br><\/figcaption><\/figure><\/div>\n\n\n<p>The sandbox analysis of this Snake Keylogger was covered in my previous article <a href=\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/\" target=\"_blank\" rel=\"noreferrer noopener\">Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough<\/a>. From the sandbox analysis, I have a general understanding of what to look for during reverse engineering. 
These are some things I would look out for in the Snake Keylogger during reverse engineering:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Malware config: SMTP credentials used for data exfiltration<\/li>\n\n\n\n<li>Infostealing functionalities: Steals credentials from Browsers and Apps<\/li>\n\n\n\n<li>Defense evasion techniques: Move to Temp after execution, Checks and kills certain processes<\/li>\n\n\n\n<li>Anti-analysis techniques: Execution stops if not connected to internet, Self-Deletion after execution<\/li>\n<\/ul>\n\n\n\n<p>For this Reverse Engineering walkthrough, I will be conducting static and dynamic analysis with the use of a decompiler and debugger. Thus, it is important to prepare an isolated environment that is specifically set up for malware analysis.<\/p>\n\n\n\n<p>Malware Analysis Environment used in this Reverse Engineering Walkthrough:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.virtualbox.org\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">VirtualBox<\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/software-download\/windows11\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Windows 11<\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/mandiant\/flare-vm\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Flare-VM<\/a>\n<ul class=\"wp-block-list\">\n<li>dnSpy 32-bit<\/li>\n\n\n\n<li>Detect It Easy (DIE)<\/li>\n\n\n\n<li>.NET Reactor Slayer<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Recommended setups for safety:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Disable Network Adapters to prevent accidental connection to the network<\/li>\n\n\n\n<li>Minimize resource sharing between guest and host, disable shared clipboard, drag and drop, etc.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Stage 1: pago 4094.exe<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Determining the File Attributes<\/strong><\/h3>\n\n\n\n<p>The executable \u201cpago 4094.exe\u201d is identical to the one covered in my <a href=\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/\" target=\"_blank\" rel=\"noreferrer noopener\">Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough<\/a>, and has the following attributes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SHA1 hash of \u201cA663C9ECF8F488D6E07B892165AE0A3712B0E91F\u201d<\/li>\n\n\n\n<li>MIME type of \u201capplication\/x-dosexec\u201d<\/li>\n\n\n\n<li>PE32 executable (GUI) Intel 80386 Mono\/.Net assembly, for MS Windows<\/li>\n<\/ul>\n\n\n\n<p>Putting \u201cpago 4094.exe\u201d through DIE (Detect it Easy) showed 
that the Library is \u201c.NET(v4.0.30319)[-]\u201d and the Linker is the \u201cMicrosoft Linker(48.0)[GUI32]\u201d.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"719\" height=\"529\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-6.png\" alt=\"\" class=\"wp-image-7374\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-6.png 719w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-6-300x221.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-6-370x272.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-6-270x199.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-6-80x60.png 80w\" sizes=\"(max-width: 719px) 100vw, 719px\" \/><figcaption class=\"wp-element-caption\">\u201cpago 4094.exe\u201d on DIE shows the Library and Linker<\/figcaption><\/figure><\/div>\n\n\n<p>Since \u201cpago 4094.exe\u201d is a 32-bit .NET malware, 32-bit dnSpy will be used for Reverse Engineering. 
This executable was opened as \u201cmKkHQ (1.0.0.0)\u201d in dnSpy.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"464\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-4-1024x464.png\" alt=\"\" class=\"wp-image-7375\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-4-1024x464.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-4-300x136.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-4-768x348.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-4-370x168.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-4-270x122.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-4-740x335.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-4.png 1514w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The executable is opened as \u201cmKkHQ (1.0.0.0)\u201d on dnSpy<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Static Analysis with the Decompiler<\/strong><\/h3>\n\n\n\n<p>The entry point in a .NET executable is the method where execution starts upon launch, so I will start the analysis from the entry point. We can go to the Entry Point by right clicking \u201cmKkHQ\u201d in the Assembly Explorer, and selecting \u201cGo to Entry Point\u201d in the dropdown menu. 
The entry point is under \u201cProgram\u201d, and <em>Main()<\/em> could be observed in the decompiled code.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"303\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-4-1024x303.png\" alt=\"\" class=\"wp-image-7376\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-4-1024x303.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-4-300x89.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-4-768x228.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-4-1536x455.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-4-370x110.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-4-270x80.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-4-740x219.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-4.png 1917w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The entry point that contains the Main function<\/figcaption><\/figure><\/div>\n\n\n<p>This application was filled with code for an \u201cAirplane Travelling Simulation\u201d application. 
However, I know from the <a href=\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/\" target=\"_blank\" rel=\"noreferrer noopener\">Snake Keylogger Sandbox Analysis<\/a> that functionalities related to Airplane Travelling simulations were never observed.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"569\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-4-1024x569.png\" alt=\"\" class=\"wp-image-7377\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-4-1024x569.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-4-300x167.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-4-768x427.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-4-1536x854.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-4-370x206.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-4-270x150.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-4-740x411.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-4.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">A bunch of irrelevant code related to an \u201cAirplane Travelling\u201d application<\/figcaption><\/figure><\/div>\n\n\n<p>This means that the payload for the Snake Keylogger is loaded somewhere before the Airplane Travelling simulation application starts. A suspicious block of code was observed at lines 91~96 and 100~104 in <em>Form1<\/em>, <em>InitializeComponent()<\/em>. 
It uses <em>GetObject()<\/em> to get the data from a resource named \u201cGrab\u201d, which is then decrypted using the key <em>ps<\/em> in the For loop.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"343\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-4-1024x343.png\" alt=\"\" class=\"wp-image-7378\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-4-1024x343.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-4-300x100.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-4-768x257.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-4-1536x514.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-4-370x124.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-4-270x90.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-4-740x248.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-4.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">A suspicious block of code before the \u201cAirplane Travelling\u201d application starts<\/figcaption><\/figure><\/div>\n\n\n<p>\u201cGrab\u201d is under the Resources of \u201cmKkHQ\u201d, and the contents were a bunch of gibberish when viewed in memory.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"246\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-2-1024x246.png\" alt=\"\" class=\"wp-image-7379\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-2-1024x246.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-2-300x72.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-2-768x184.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-2-1536x369.png 1536w, 
\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-2-370x89.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-2-270x65.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-2-740x178.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-2.png 1792w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The contents of \u201cGrab\u201d in the memory<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Determining the Junk Code&nbsp;<\/strong><\/h3>\n\n\n\n<p>I commented out the suspicious block of code, re-compiled, and saved as \u201cpago 4094_mod.exe\u201d.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"412\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/8-1-1024x412.png\" alt=\"\" class=\"wp-image-7380\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/8-1-1024x412.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/8-1-300x121.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/8-1-768x309.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/8-1-1536x618.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/8-1-370x149.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/8-1-270x109.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/8-1-740x298.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/8-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Commenting out the suspicious block of code<\/figcaption><\/figure><\/div>\n\n\n<p>\u201cpago 4094_mod.exe\u201d was executed in an ANY.RUN sandbox, which can be found <a href=\"https:\/\/app.any.run\/tasks\/3ebc5d04-0db2-4428-a5e3-27b10d2776e1\">here<\/a>. 
It opens an application that asks for input text files, and will start an airplane simulation application complete with a GUI.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"287\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/9-1-1024x287.png\" alt=\"\" class=\"wp-image-7381\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/9-1-1024x287.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/9-1-300x84.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/9-1-768x215.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/9-1-1536x431.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/9-1-370x104.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/9-1-270x76.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/9-1-740x207.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/9-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The \u201cAirplane Travelling\u201d application on the ANY.RUN Sandbox<\/figcaption><\/figure><\/div>\n\n\n<p>This means that the suspicious block of code (lines 91~96 and 100~104) is responsible for the malicious activities.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Dynamic Analysis with the Debugger<\/strong><\/h3>\n\n\n\n<p>I set the breakpoints, and started the debugger. 
(IMPORTANT: Before starting the debugger, please make sure your malware analysis environment is isolated, and does not contain any important data as we will be executing malicious code.)<\/p>\n\n\n\n<p>The byte array <em>data2<\/em> contains the contents of \u201cGrab\u201d returned by <em>GetObject(\u201cGrab\u201d)<\/em>, as expected, when the program is run until Line 93.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/10-2-1024x587.png\" alt=\"\" class=\"wp-image-7382\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/10-2-1024x587.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/10-2-300x172.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/10-2-768x440.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/10-2-1536x880.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/10-2-370x212.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/10-2-270x155.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/10-2-740x424.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/10-2.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The contents of byte array <em>data2 <\/em>when run until Line 93<\/figcaption><\/figure><\/div>\n\n\n<p>The contents of <em>data2<\/em> can be observed in memory, and they are identical to what we previously saw in \u201cGrab\u201d under Resources.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"369\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/11-2-1024x369.png\" alt=\"\" class=\"wp-image-7383\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/11-2-1024x369.png 1024w, 
\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/11-2-300x108.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/11-2-768x277.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/11-2-370x133.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/11-2-270x97.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/11-2-740x266.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/11-2.png 1411w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The contents of byte array <em>data2 <\/em>in memory when run until Line 93<\/figcaption><\/figure><\/div>\n\n\n<p>After the For loop responsible for decrypting the code, I could see that <em>data2[0]<\/em> contained 0x4D (\u201cM\u201d in ASCII) and <em>data2[1]<\/em> contained 0x5A (\u201cZ\u201d in ASCII). This indicates that it\u2019s the start of the DOS header (\u201cMZ..\u201d).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"605\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/12-1-1024x605.png\" alt=\"\" class=\"wp-image-7384\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/12-1-1024x605.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/12-1-300x177.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/12-1-768x454.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/12-1-1536x908.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/12-1-370x219.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/12-1-270x160.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/12-1-740x437.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/12-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The contents of byte array <em>data2 <\/em>after decryption, which shows the start of the DOS 
header<\/figcaption><\/figure><\/div>\n\n\n<p>Viewing <em>data2 <\/em>in memory showed the DOS header (indicated by \u201cMZ\u201d), DOS Stub (indicated by \u201cThis program cannot be run in DOS mode\u201d), and the PE header (indicated by \u201cPE\u201d).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"365\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-1-1024x365.png\" alt=\"\" class=\"wp-image-7385\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-1-1024x365.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-1-300x107.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-1-768x273.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-1-1536x547.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-1-370x132.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-1-270x96.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-1-740x263.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The contents of byte array <em>data2 <\/em>in memory after decryption<\/figcaption><\/figure><\/div>\n\n\n<p>The binary data is in the byte array <em>data2, <\/em>and <em>Assembly.Load(data2) <\/em>loads the binary data as an assembly into the current application domain. 
<em>Activator.CreateInstance(type, args) <\/em>creates the instance and will start execution of the loaded assembly.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"704\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-1-1024x704.png\" alt=\"\" class=\"wp-image-7386\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-1-1024x704.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-1-300x206.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-1-768x528.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-1-370x254.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-1-270x186.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-1-435x300.png 435w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-1-740x509.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-1.png 1413w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Use of <em>Assembly.Load<\/em> to load the assembly<\/figcaption><\/figure><\/div>\n\n\n<p>The loaded module is called \u201cAads\u201d, and can be seen under the dnSpy Module tab, which I saved as a DLL. 
This \u201cAads.dll\u201d will be the next stage, namely stage 2.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"212\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15-1-1024x212.png\" alt=\"\" class=\"wp-image-7387\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15-1-1024x212.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15-1-300x62.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15-1-768x159.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15-1-1536x318.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15-1-370x77.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15-1-270x56.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15-1-740x153.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The module \u201cAads.dll\u201d can be observed under the Modules Tab<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Stage 2: Aads.dll<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Determining the File Attributes<\/strong><\/h3>\n\n\n\n<p>The \u201cAads.dll\u201d has the following attributes:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SHA1 hash of \u201c244000E9D84ABB5E0C78A2E01B36DDAD8958D943\u201d&nbsp;<\/li>\n\n\n\n<li>MIME type of \u201capplication\/x-dosexec\u201d&nbsp;<\/li>\n\n\n\n<li>PE32 executable (DLL) (console) Intel 80386 Mono\/.Net assembly, for MS Windows<\/li>\n<\/ul>\n\n\n\n<p>Putting \u201cAads.dll\u201d through DIE (Detect it Easy) showed that it\u2019s a DLL (Dynamic Link Library), where the Library is \u201c.NET(v2.0.50727)[-]\u201d and the Linker is the \u201cMicrosoft Linker(8.0)[DLL32]\u201d.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" 
decoding=\"async\" width=\"720\" height=\"530\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/16-1.png\" alt=\"\" class=\"wp-image-7388\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/16-1.png 720w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/16-1-300x221.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/16-1-370x272.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/16-1-270x199.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/16-1-80x60.png 80w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/><figcaption class=\"wp-element-caption\">\u201cAads.dll\u201d on DIE shows the Library and Linker<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Static Analysis with the Decompiler<\/strong><\/h3>\n\n\n\n<p>I opened \u201cAads.dll\u201d in dnSpy 32-bit like the previous stage. There are a lot of sorting and searching functions, but no code related to infostealing was observed. Based on the static analysis of \u201cAads.dll\u201d, it seems like some data will be rearranged into the data that is responsible for the next stage.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"516\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/17-1-1024x516.png\" alt=\"\" class=\"wp-image-7389\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/17-1-1024x516.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/17-1-300x151.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/17-1-768x387.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/17-1-1536x775.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/17-1-370x187.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/17-1-270x136.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/17-1-740x373.png 740w, 
\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/17-1.png 1824w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Decompiling the \u201cAads.dll\u201d on dnSpy reveals a bunch of search and sort functions<\/figcaption><\/figure><\/div>\n\n\n<p>Back in Stage 1, <em>GetObject() <\/em>was used to get data from the Resources that was decrypted into the Stage 2 DLL. Thus, I decided to look for <em>GetObject()<\/em>, in the hopes of finding the source data of the next stage.<\/p>\n\n\n\n<p>After looking around, I found <em>GetObject(x10)<\/em>. Here, it uses the image data from a file, and this resource name is specified inside string variable <em>x10<\/em>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"464\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/18-1-1024x464.png\" alt=\"\" class=\"wp-image-7390\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/18-1-1024x464.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/18-1-300x136.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/18-1-768x348.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/18-1-370x168.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/18-1-270x122.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/18-1-740x335.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/18-1.png 1499w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Usage of <em>GetObject()<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Dynamic Analysis with the Debugger\u00a0<\/strong><\/h3>\n\n\n\n<p>I set the breakpoints on Line 475 and 477, and ran the debugger. 
I could see that <em>x10 <\/em>was \u201civmSL\u201d when run until Line 475.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"516\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/19-1-1024x516.png\" alt=\"\" class=\"wp-image-7391\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/19-1-1024x516.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/19-1-300x151.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/19-1-768x387.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/19-1-1536x773.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/19-1-370x186.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/19-1-270x136.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/19-1-740x373.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/19-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Obtaining the filename used for <em>GetObject() <\/em>with the debugger<\/figcaption><\/figure><\/div>\n\n\n<p>The \u201civmsL\u201d is under Airplane.Travelling\u2019s resources. 
A noisy grainy image which looked like steganography could be observed.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"380\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/20-1-1024x380.png\" alt=\"\" class=\"wp-image-7392\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/20-1-1024x380.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/20-1-300x111.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/20-1-768x285.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/20-1-1536x570.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/20-1-370x137.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/20-1-270x100.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/20-1-740x275.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/20-1.png 1914w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The steganography image \u201civmsL\u201d that is used in <em>GetObject()<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This is the contents of the file \u201civmsL\u201d when viewed in the memory.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"521\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/21-1-1024x521.png\" alt=\"\" class=\"wp-image-7393\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/21-1-1024x521.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/21-1-300x153.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/21-1-768x391.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/21-1-370x188.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/21-1-270x137.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/21-1-740x376.png 740w, 
\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/21-1.png 1408w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The contents of \u201civmsL\u201d in memory<\/figcaption><\/figure><\/div>\n\n\n<p>The bitmap data of this image then goes through a series of byte-array searching and sorting routines, including heapsort and quicksort, which reassemble the payload hidden in the image.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"723\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22-1-1024x723.png\" alt=\"\" class=\"wp-image-7394\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22-1-1024x723.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22-1-300x212.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22-1-768x542.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22-1-370x261.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22-1-270x191.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22-1-740x522.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22-1.png 1408w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Contents of the byte array <em>array<\/em> before the sorting is complete<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"351\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23-1-1024x351.png\" alt=\"\" class=\"wp-image-7395\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23-1-1024x351.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23-1-300x103.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23-1-768x263.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23-1-370x127.png 370w, 
\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23-1-270x93.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23-1-740x254.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23-1.png 1409w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Contents of the byte array <em>array <\/em>in memory before the sorting is complete<\/figcaption><\/figure><\/div>\n\n\n<p>After various searching and sorting operations, I could see that <em>array[0]<\/em> contained 0x4D (\u201cM\u201d in ASCII) and <em>array[1]<\/em> contained 0x5A (\u201cZ\u201d in ASCII). This indicates that it\u2019s the start of the DOS header (\u201cMZ..\u201d).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"580\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-1-1024x580.png\" alt=\"\" class=\"wp-image-7396\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-1-1024x580.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-1-300x170.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-1-768x435.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-1-1536x869.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-1-370x209.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-1-270x153.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-1-740x419.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The contents of byte array <em>array <\/em>when sorting is complete, which shows the start of the DOS header<\/figcaption><\/figure><\/div>\n\n\n<p>Viewing <em>array<\/em> in memory showed the DOS header (indicated by \u201cMZ\u201d), DOS Stub (indicated by \u201cThis program cannot be run in DOS mode\u201d), and the PE header 
(indicated by \u201cPE\u201d).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"353\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-1-1024x353.png\" alt=\"\" class=\"wp-image-7397\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-1-1024x353.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-1-300x103.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-1-768x264.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-1-1536x529.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-1-370x127.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-1-270x93.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-1-740x255.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The contents of byte array <em>array<\/em> in memory when sorting is complete<\/figcaption><\/figure><\/div>\n\n\n<p>The loaded module is called \u201cTyrone\u201d and appears under the dnSpy Modules tab, from which I saved it as a DLL. 
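<\/p>\n\n\n\n<p>Before treating a dumped byte array as the next stage, it is worth confirming that it is a complete PE image and a .NET assembly, rather than trusting the \u201cMZ\u201d at offset 0 alone. The Python below is an added example written for this walkthrough, not code from the original post or from the Snake Keylogger sample: it finds every \u201cMZ\u201d whose <em>e_lfanew<\/em> really points at a \u201cPE\u201d signature, parses the COFF and optional headers to report the same attributes that DIE and <em>file<\/em> print (DLL or EXE, console or GUI subsystem, linker version, Intel 80386), follows the CLR data directory to the metadata root to read the runtime version string (v2.0.50727 or v4.0.30319), and carves the image out of the surrounding bytes using its own section table. The same check applies to the stage 4 array dumped from \u201cTyrone.dll\u201d later on. The sample images are constructed inside the script (headers only, not runnable assemblies) so it runs offline; all function and constant names are my own.<\/p>

```python
import struct

# PE/COFF constants from the PE format specification
PE32_MAGIC = 0x10B               # optional-header magic of a 32-bit image
IMAGE_FILE_DLL = 0x2000          # Characteristics bit set on DLLs
CLR_DIRECTORY = 14               # data-directory slot of the CLR runtime header
METADATA_SIGNATURE = 0x424A5342  # 'BSJB', start of the .NET metadata root
SUBSYSTEMS = {2: 'GUI', 3: 'console'}


def find_mz(buf):
    # Offsets of every 'MZ' whose e_lfanew points at a 'PE' signature; a bare 'MZ' proves nothing
    hits = []
    pos = buf.find(b'MZ')
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from('<I', buf, pos + 0x3C)[0]
            if buf[pos + e_lfanew:pos + e_lfanew + 4] == b'PE' + bytes(2):
                hits.append(pos)
        pos = buf.find(b'MZ', pos + 1)
    return hits


def rva_to_offset(sections, rva):
    # Map a relative virtual address to a file offset through the section table
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError('RVA 0x%x lies outside every section' % rva)


def describe_pe(buf, base=0):
    # Parse the PE32 image at buf[base:] and report what DIE and file(1) show for it
    if buf[base:base + 2] != b'MZ':
        raise ValueError('no MZ signature at offset 0x%x' % base)
    pe = base + struct.unpack_from('<I', buf, base + 0x3C)[0]
    if buf[pe:pe + 4] != b'PE' + bytes(2):
        raise ValueError('e_lfanew does not point at a PE signature')
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from('<HHIIIHH', buf, pe + 4)
    opt = pe + 24  # optional header follows the 20-byte COFF header
    magic, linker_major, linker_minor = struct.unpack_from('<HBB', buf, opt)
    if magic != PE32_MAGIC:
        raise ValueError('not a PE32 image (magic 0x%x)' % magic)
    size_of_headers = struct.unpack_from('<I', buf, opt + 60)[0]
    subsystem = struct.unpack_from('<H', buf, opt + 68)[0]
    num_dirs = struct.unpack_from('<I', buf, opt + 92)[0]
    sections = []
    for i in range(nsections):  # 40-byte section headers; sizes and addresses start at +8
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from('<IIII', buf, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    info = {
        'kind': 'DLL' if characteristics & IMAGE_FILE_DLL else 'EXE',
        'machine': machine,  # 0x14C is Intel 80386
        'linker': (linker_major, linker_minor),  # DIE shows this as Microsoft Linker(major.minor)
        'subsystem': SUBSYSTEMS.get(subsystem, str(subsystem)),
        # on-disk size: end of the last section's raw data, or only the headers if there are none
        'file_size': max([size_of_headers] + [p + s for _, _, p, s in sections]),
        'dotnet': False,
        'clr_version': None,
    }
    if num_dirs > CLR_DIRECTORY:
        clr_rva, clr_size = struct.unpack_from('<II', buf, opt + 96 + 8 * CLR_DIRECTORY)
        if clr_rva and clr_size:
            # IMAGE_COR20_HEADER: cb, major/minor runtime version, then the MetaData RVA at +8
            md_rva = struct.unpack_from('<I', buf, base + rva_to_offset(sections, clr_rva) + 8)[0]
            md = base + rva_to_offset(sections, md_rva)
            # metadata root: signature, major, minor, reserved, version length, version string
            sig, _, _, _, ver_len = struct.unpack_from('<IHHII', buf, md)
            if sig == METADATA_SIGNATURE:
                info['dotnet'] = True
                info['clr_version'] = buf[md + 16:md + 16 + ver_len].rstrip(bytes(1)).decode('ascii', 'replace')
    return info


def carve_pe(buf, base):
    # Cut the image out of a larger dump (such as the sorted byte array) using its own size fields
    return buf[base:base + describe_pe(buf, base)['file_size']]


def build_sample_image(version=b'v2.0.50727', dll=True):
    # Constructed test input: a minimal PE32 image whose single section holds only a CLR header
    # and a metadata root. Headers only; this is not a runnable assembly.
    ver = version + bytes(4 - len(version) % 4)  # NUL-padded to 4 bytes like the real root
    dos = b'MZ' + bytes(0x3A) + struct.pack('<I', 0x80)  # e_lfanew = 0x80
    stub = b'This program cannot be run in DOS mode.'.ljust(0x40, bytes(1))
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 0xE0, 0x2102 if dll else 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into('<HBB', opt, 0, PE32_MAGIC, 8, 0)  # magic, linker version 8.0
    struct.pack_into('<III', opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into('<II', opt, 56, 0x3000, 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into('<H', opt, 68, 3 if dll else 2)  # subsystem: console for the DLL, GUI for the EXE
    struct.pack_into('<I', opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 96 + 8 * CLR_DIRECTORY, 0x2000, 72)  # CLR header at RVA 0x2000
    section = struct.pack('<8sIIII', b'.text', 0x100, 0x2000, 0x200, 0x200) + bytes(16)
    headers = (dos + stub + b'PE' + bytes(2) + coff + bytes(opt) + section).ljust(0x200, bytes(1))
    metadata = struct.pack('<IHHII', METADATA_SIGNATURE, 1, 1, 0, len(ver)) + ver
    cor20 = struct.pack('<IHHII', 72, 2, 5, 0x2048, len(metadata)).ljust(72, bytes(1))
    return headers + (cor20 + metadata).ljust(0x200, bytes(1))


SAMPLE_DLL = build_sample_image()  # stands in for the stage 3 dump
SAMPLE_EXE = build_sample_image(b'v4.0.30319', dll=False)  # stands in for the stage 4 dump
NOISE_PREFIX = b'leftover bytes from the sorted array '
SAMPLE_BLOB = NOISE_PREFIX + SAMPLE_DLL + b' trailing bytes'  # constructed dump with noise around the image

if __name__ == '__main__':
    for hit in find_mz(SAMPLE_BLOB):
        print('PE image at 0x%x:' % hit, describe_pe(SAMPLE_BLOB, hit), len(carve_pe(SAMPLE_BLOB, hit)), 'bytes')
```

<p>Carving with <em>carve_pe()<\/em> rather than by hand means the saved file ends where the last section\u2019s raw data ends, so stray bytes left in the array are not written out with the payload. <em>describe_pe()<\/em> deliberately handles only PE32 images, which covers the 32-bit .NET stages seen in this sample; a PE32+ image raises an error instead of being misparsed.<\/p>\n\n\n\n<p>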
This \u201cTyrone.dll\u201d will be the next stage, namely stage 3.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"260\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-1-1024x260.png\" alt=\"\" class=\"wp-image-7398\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-1-1024x260.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-1-300x76.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-1-768x195.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-1-1536x390.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-1-370x94.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-1-270x69.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-1-740x188.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The module \u201cTyrone.dll\u201d can be observed under the Modules tab<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Stage 3: Tyrone.dll<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Determining the File Attributes<\/strong><\/h3>\n\n\n\n<p>\u201cTyrone.dll\u201d has the following attributes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SHA1 hash of \u201c6523D31662B71A65533B11DA299240F0E8C1FF2C\u201d<\/li>\n\n\n\n<li>MIME type of \u201capplication\/x-dosexec\u201d<\/li>\n\n\n\n<li>PE32 executable (DLL) (console) Intel 80386 Mono\/.Net assembly, for MS Windows<\/li>\n<\/ul>\n\n\n\n<p>Putting \u201cTyrone.dll\u201d through DIE (Detect It Easy) showed that it\u2019s a DLL (Dynamic Link Library), where the Library is \u201c.NET(v2.0.50727)[-]\u201d, the Compiler is \u201cVB.NET(-)[-]\u201d and the Linker is \u201cMicrosoft Linker(8.0)[DLL32]\u201d.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"717\" height=\"528\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/27-1.png\" alt=\"\" class=\"wp-image-7399\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/27-1.png 717w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/27-1-300x221.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/27-1-370x272.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/27-1-270x199.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/27-1-80x60.png 80w\" sizes=\"(max-width: 717px) 100vw, 717px\" \/><figcaption class=\"wp-element-caption\">\u201cTyrone.dll\u201d on DIE shows the Library, Compiler, and Linker<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Deobfuscation<\/strong><\/h3>\n\n\n\n<p>\u201cTyrone.dll\u201d was opened in dnSpy 32-bit, and was heavily obfuscated. The class and function names were not human-readable, and the code was difficult to analyze.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"521\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-1-1024x521.png\" alt=\"\" class=\"wp-image-7400\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-1-1024x521.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-1-300x153.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-1-768x391.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-1-1536x782.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-1-370x188.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-1-270x137.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-1-740x377.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-1.png 1913w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Decompiling \u201cTyrone.dll\u201d in dnSpy reveals obfuscated code<\/figcaption><\/figure><\/div>\n\n\n<p>I deobfuscated \u201cTyrone.dll\u201d using .NET Reactor Slayer, with all options selected.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"607\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29-1-1024x607.png\" alt=\"\" class=\"wp-image-7401\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29-1-1024x607.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29-1-300x178.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29-1-768x456.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29-1-370x219.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29-1-270x160.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29-1-740x439.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29-1.png 1047w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Deobfuscating \u201cTyrone.dll\u201d<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Static Analysis with the Decompiler<\/strong><\/h3>\n\n\n\n<p>After deobfuscation, the code was much easier to read. Looking around, I found a lot of junk code related to a \u201cpandemic simulation\u201d. I treat it as junk because none of this functionality was observed in <a href=\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/\" target=\"_blank\" rel=\"noreferrer noopener\">my sandbox analysis<\/a>; statically, dead code and code behind an unmet condition look the same, so it is the sandbox run that justifies skipping it.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"731\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30-1-1024x731.png\" alt=\"\" class=\"wp-image-7402\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30-1-1024x731.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30-1-300x214.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30-1-768x548.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30-1-370x264.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30-1-270x193.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30-1-740x528.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30-1.png 1450w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Junk code observed in 
\u201cTyrone.dll\u201d<\/figcaption><\/figure><\/div>\n\n\n<p>After looking through the deobfuscated code, I found no function that performed the infostealer activity. This means there is likely another stage.<\/p>\n\n\n\n<p>So I looked for <em>GetObject()<\/em> again. As expected, it was there, reading a resource whose name is held in the string variable <em>string_0<\/em>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"448\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31-1-1024x448.png\" alt=\"\" class=\"wp-image-7403\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31-1-1024x448.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31-1-300x131.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31-1-768x336.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31-1-370x162.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31-1-270x118.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31-1-740x324.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31-1.png 1277w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Usage of <em>GetObject()<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Static analysis of the deobfuscated code shows that a series of sorting operations is applied to the byte array returned by <em>GetObject()<\/em>, just as in the previous stage.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Dynamic Analysis with the Debugger<\/strong><\/h3>\n\n\n\n<p><em>UmHYCAPJIp()<\/em> and <em>\\u0020<\/em> in the obfuscated code correspond to <em>method_0()<\/em> and <em>string_0<\/em> respectively in the deobfuscated code. Breakpoints were set on the obfuscated code, and after running to the breakpoint, <em>\\u0020<\/em> was \u201cwHzyWQnRZ\u201d.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"397\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/32-1-1024x397.png\" alt=\"\" class=\"wp-image-7404\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/32-1-1024x397.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/32-1-300x116.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/32-1-768x297.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/32-1-1536x595.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/32-1-370x143.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/32-1-270x105.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/32-1-740x287.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/32-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Obtaining the filename used for <em>GetObject()<\/em> with the debugger<\/figcaption><\/figure><\/div>\n\n\n<p>The \u201cwHzyWQnRZ\u201d resource is under the Resources of \u201cTyrone\u201d, and its contents looked like random bytes when viewed in memory.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"273\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-1-1024x273.png\" alt=\"\" class=\"wp-image-7405\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-1-1024x273.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-1-300x80.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-1-768x205.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-1-1536x410.png 1536w, 
\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-1-370x99.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-1-270x72.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-1-740x197.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-1.png 1920w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The contents of \u201cwHzyWQnRZ\u201d in the memory<\/figcaption><\/figure><\/div>\n\n\n<p>I let the program run, and after a bunch of byte array rearranging, I could see that <em>\\u0020[0]<\/em> contained 0x4D (\u201cM\u201d in ASCII) and <em>\\u0020[1]<\/em> contained 0x5A (\u201cZ\u201d in ASCII). This indicates that it\u2019s the start of the DOS header (\u201cMZ..\u201d).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"698\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/34-1-1024x698.png\" alt=\"\" class=\"wp-image-7406\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/34-1-1024x698.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/34-1-300x205.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/34-1-768x524.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/34-1-1536x1047.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/34-1-370x252.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/34-1-270x184.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/34-1-740x505.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/34-1.png 1974w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The contents of byte array <em>\\u0020 <\/em>after the sorting is complete, which shows the start of the DOS header<\/figcaption><\/figure><\/div>\n\n\n<p>Viewing <em>\\u0020<\/em> in memory showed the DOS header (indicated by \u201cMZ\u201d), DOS Stub (indicated 
by \u201cThis program cannot be run in DOS mode\u201d), and the PE header (indicated by \u201cPE\u201d). This is the next stage executable, namely stage 4, and I saved this as an EXE file.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"215\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/35-1-1024x215.png\" alt=\"\" class=\"wp-image-7407\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/35-1-1024x215.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/35-1-300x63.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/35-1-768x161.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/35-1-1536x322.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/35-1-370x78.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/35-1-270x57.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/35-1-740x155.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/35-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The contents of byte array <em>\\u0020 <\/em>in memory when sorting is complete<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Stage 4: lfwhUWZlmFnGhDYPudAJ.exe<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Determining the File Attributes<\/strong><\/h3>\n\n\n\n<p>This stage\u2019s executable was called \u201clfwhUWZlmFnGhDYPudAJ.exe\u201d, and has the following attributes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SHA1 Hash of \u201c86BE2A34EACBC0806DBD61D41B9D83A65AEF69C5\u201d<\/li>\n\n\n\n<li>MIME type of \u201capplication\/x-dosexec\u201d&nbsp;<\/li>\n\n\n\n<li>PE32 executable (GUI) Intel 80386 Mono\/.Net assembly, for MS Windows<\/li>\n<\/ul>\n\n\n\n<p>Putting \u201clfwhUWZlmFnGhDYPudAJ.exe\u201d through DIE (Detect it Easy) showed that the Library is \u201c.NET(v4.0.30319)[-]\u201d, Compiler is 
\u201cVB.NET(-)[-]\u201d, and Linker is \u201cMicrosoft Linker(80.0)[GUI32,admin]\u201d.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"759\" height=\"507\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/36-1.png\" alt=\"\" class=\"wp-image-7408\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/36-1.png 759w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/36-1-300x200.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/36-1-370x247.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/36-1-270x180.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/36-1-740x494.png 740w\" sizes=\"(max-width: 759px) 100vw, 759px\" \/><figcaption class=\"wp-element-caption\">\u201clfwhUWZlmFnGhDYPudAJ.exe\u201d on DIE shows the Library, Compiler and Linker<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Sandbox Analysis<\/strong><\/h3>\n\n\n\n<p>Detonating \u201clfwhUWZlmFnGhDYPudAJ.exe\u201d in an ANY.RUN sandbox showed that it was detected as a Snake Keylogger. 
The task can be found <a href=\"https:\/\/app.any.run\/tasks\/eb335b0c-be42-4a11-a860-f3d9b0eafebb\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=snake_keylogger_analysis&amp;utm_content=linktoservice&amp;utm_term=250324\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"702\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/37-1-1024x702.png\" alt=\"\" class=\"wp-image-7409\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/37-1-1024x702.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/37-1-300x206.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/37-1-768x526.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/37-1-1536x1052.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/37-1-370x253.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/37-1-270x185.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/37-1-740x507.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/37-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The overview of \u201clfwhUWZlmFnGhDYPudAJ.exe\u201d in an ANY.RUN sandbox<\/figcaption><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Deobfuscation<\/strong><\/h3>\n\n\n\n<p>\u201clfwhUWZlmFnGhDYPudAJ.exe\u201d was opened in dnSpy 32-bit, and was heavily obfuscated. The class and function names were not human-readable, and the code was difficult to follow. I deobfuscated it using .NET Reactor Slayer again with all the options selected.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"531\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/38-1024x531.png\" alt=\"\" class=\"wp-image-7410\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/38-1024x531.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/38-300x155.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/38-768x398.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/38-1536x796.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/38-370x192.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/38-270x140.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/38-740x384.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/38.png 1916w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Decompiling the 
\u201clfwhUWZlmFnGhDYPudAJ.exe\u201d on dnSpy reveals obfuscated code<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"607\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/39-1024x607.png\" alt=\"\" class=\"wp-image-7411\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/39-1024x607.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/39-300x178.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/39-768x455.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/39-370x219.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/39-270x160.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/39-740x438.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/39.png 1048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Deobfuscating the \u201clfwhUWZlmFnGhDYPudAJ.exe\u201d<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Renaming the Class and Functions<\/strong><\/h3>\n\n\n\n<p>After deobfuscation, the code was much easier to read. After looking around, the infostealing functionalities were finally found. In order to better understand and follow the code, I did a lot of manual renaming of the class and functions. 
All the modified names have the \u201clena_\u201d prefix.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"424\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/40-1024x424.png\" alt=\"\" class=\"wp-image-7412\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/40-1024x424.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/40-300x124.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/40-768x318.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/40-1536x636.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/40-370x153.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/40-270x112.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/40-740x306.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/40.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The left shows the deobfuscated code, and the right shows the deobfuscated and manually renamed code<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Analyzing the Snake Keylogger Code<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Extracting the Malware Config<\/strong><\/h3>\n\n\n\n<p>In this section, I will analyze the Snake Keylogger code that is responsible for the malicious activity.<\/p>\n\n\n\n<p>The malware config was found in Class6; however, it was encrypted with a hardcoded key.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"543\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/41-1024x543.png\" alt=\"\" class=\"wp-image-7413\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/41-1024x543.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/41-300x159.png 300w, 
\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/41-768x407.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/41-1536x814.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/41-370x196.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/41-270x143.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/41-740x392.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/41.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The malware config that contains the encryption key, and the encrypted SMTP information<\/figcaption><\/figure><\/div>\n\n\n<p>The config is decrypted using <em>lena_crypt()<\/em> with the hardcoded key <em>lena_key<\/em>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"979\" height=\"413\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/42.png\" alt=\"\" class=\"wp-image-7414\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/42.png 979w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/42-300x127.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/42-768x324.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/42-370x156.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/42-270x114.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/42-740x312.png 740w\" sizes=\"(max-width: 979px) 100vw, 979px\" \/><figcaption class=\"wp-element-caption\">The algorithm used for decrypting the SMTP information<\/figcaption><\/figure><\/div>\n\n\n<p>I converted this decryption code to Python. The first 8 bytes of the MD5 hash of \u201cBsrOkyiChvpfhAkipZAxnnChkMGkLnAiZhGMyrnJfULiDGkfTkrTELinhfkLkJrkDExMvkEUCxUkUGr\u201d are used as the DES key, namely \u201c6fc98cd68a1aab8b\u201d. Each config string is Base64-decoded and then decrypted with DES in ECB mode under this key. Because the key is derived only from a string hardcoded in the binary, the config can be recovered offline without running the sample.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from Crypto.Cipher import DES\nfrom Crypto.Hash import MD5\nimport base64\n\n\ndef lena_decrypt_snake(text, key_string):\n    # Key: the first 8 bytes of MD5(key_string). Ciphertext: Base64 of\n    # DES-ECB output with PKCS#7 padding (pad length 1..8 for DES blocks).\n    try:\n        key = MD5.new(key_string.encode('ascii')).digest()[:8]\n        cipher = DES.new(key, DES.MODE_ECB)\n        decrypted_data = cipher.decrypt(base64.b64decode(text))\n        # Strip the padding before decoding: the last byte is the pad length,\n        # and only 1..8 is valid for an 8-byte block cipher\n        padding_len = decrypted_data[-1]\n        if padding_len in range(1, 9):\n            decrypted_data = decrypted_data[:-padding_len]\n        return decrypted_data.decode('ascii', errors='ignore')\n    except Exception as e:\n        return str(e)\n\n\nlena_key = \"BsrOkyiChvpfhAkipZAxnnChkMGkLnAiZhGMyrnJfULiDGkfTkrTELinhfkLkJrkDExMvkEUCxUkUGr\"\nprint(\"lena_sender_email_addr: \", lena_decrypt_snake(\"I22WW+qzjWDd9uzIPosYRadxnZcjebFO\", lena_key))\nprint(\"lena_sender_email_pw: \", lena_decrypt_snake(\"MrZp4p9eSu2QFqjr3GQpbw==\", lena_key))\nprint(\"lena_SMTP_server: \", lena_decrypt_snake(\"XHGvc06cCeeEGUtcErhxrCgs7X5wecJ1Yx74dJ0TP3M=\", lena_key))\nprint(\"lena_receiver_email_addr: \", lena_decrypt_snake(\"I22WW+qzjWDd9uzIPosYRadxnZcjebFO\", lena_key))\nprint(\"lena_SMTP_port: \", lena_decrypt_snake(\"oXrxxBiV5W8=\", lena_key))\nprint(\"lena_padding: \", lena_decrypt_snake(\"Yx74dJ0TP3M=\", lena_key))<\/code><\/pre>\n\n\n\n<p class=\"has-text-align-center\"><em>The Python code that decrypts the SMTP information<\/em><\/p>\n\n\n\n<p>When I ran the Python code on the strings from Class6, the malware config revealed itself. This was the SMTP information used for exfiltrating the data: the sender email address, password, SMTP server, recipient email address, and SMTP port. Two details are visible in the ciphertexts even before decryption: the sender and recipient strings are identical, so the same mailbox is used for both, and the final Base64 block of the SMTP server string, \u201cYx74dJ0TP3M=\u201d, is the block I decrypted separately as <em>lena_padding<\/em>. DES-ECB has no chaining, so identical plaintext blocks always encrypt to identical ciphertext blocks, which is why a trailing padding block can be recognized and decrypted on its own. 
These are the same credentials observed in the <a href=\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/#analyzing-the-network-activities-5924\" target=\"_blank\" rel=\"noreferrer noopener\">Snake Keylogger Sandbox Analysis<\/a>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"996\" height=\"320\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/43.png\" alt=\"\" class=\"wp-image-7415\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/43.png 996w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/43-300x96.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/43-768x247.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/43-370x119.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/43-270x87.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/43-740x238.png 740w\" sizes=\"(max-width: 996px) 100vw, 996px\" \/><figcaption class=\"wp-element-caption\">The decrypted SMTP information obtained from the Python code<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>The Main Functionalities&nbsp;<\/strong><\/h3>\n\n\n\n<p>Let\u2019s take a look at what the actual payload of the Snake Keylogger does. 
It starts by moving the executable to the Temp directory and naming it after the current time.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"120\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/44-1024x120.png\" alt=\"\" class=\"wp-image-7416\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/44-1024x120.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/44-300x35.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/44-768x90.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/44-1536x179.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/44-370x43.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/44-270x32.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/44-740x86.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/44.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The code responsible for moving the executable to Temp<\/figcaption><\/figure><\/div>\n\n\n<p>After that, it collects data from various places, including browsers (e.g. Chrome, Comodo, Opera, Microsoft Edge) and applications (e.g. 
Outlook, Discord, etc.).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"632\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/45-1024x632.png\" alt=\"\" class=\"wp-image-7417\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/45-1024x632.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/45-300x185.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/45-768x474.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/45-370x228.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/45-270x167.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/45-740x457.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/45.png 1398w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The calls from <em>Main()<\/em> that collects data from various places, mostly browsers<\/figcaption><\/figure><\/div>\n\n\n<p>For example, this is the code segment responsible for collecting login data from Chrome. 
The login data file for Chrome is \u201c\\Google\\Chrome\\User Data\\Default\\Login Data\u201d under %LOCALAPPDATA%. It is a SQLite database whose <em>logins<\/em> table holds the origin URL, the username and the password for each saved credential; the password column is not plaintext but a DPAPI-protected blob (on current builds, AES-GCM with a key that is itself DPAPI-wrapped in the profile\u2019s <em>Local State<\/em> file), bound to the logon credentials of the user who saved it.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"613\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/46-1024x613.png\" alt=\"\" class=\"wp-image-7418\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/46-1024x613.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/46-300x180.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/46-768x460.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/46-370x221.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/46-270x162.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/46-740x443.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/46.png 1402w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The code responsible for collecting Chrome login data<\/figcaption><\/figure><\/div>\n\n\n<p>This is the code segment responsible for collecting saved login data from Microsoft Edge. 
The login data file for Microsoft Edge is \u201c\\Microsoft\\Edge\\User Data\\Default\\Login Data\u201d under %LOCALAPPDATA%; since Edge is Chromium-based, it is a SQLite database with the same layout as Chrome\u2019s, and the same encrypted password column.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"604\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/47-1024x604.png\" alt=\"\" class=\"wp-image-7419\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/47-1024x604.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/47-300x177.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/47-768x453.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/47-370x218.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/47-270x159.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/47-740x437.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/47.png 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The code responsible for collecting Microsoft Edge login data<\/figcaption><\/figure><\/div>\n\n\n<p>It also collects authentication tokens from Discord, and this is the code segment responsible for it. Discord stores its LevelDB database files in \u201c\\discord\\Local Storage\\leveldb\u201d under %APPDATA%, and these files may contain the user\u2019s authentication token. 
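<\/p>\n\n\n\n<p>Chrome and Edge share one Login Data layout, so the two code paths above differ only in the profile directory they copy from. The Python below is an added example for this walkthrough, not code from the page or from the malware: it builds an in-memory stand-in for a copied Login Data file (constructed rows, not data from the sample), runs the same SELECT a stealer issues against the <em>logins<\/em> table, and classifies each <em>password_value<\/em> blob by its header, so you can see that what leaves the disk is still ciphertext (AES-GCM with the <em>v10<\/em> prefix on current builds, or a raw DPAPI blob on old profiles). The function names, the <em>DPAPI_MAGIC<\/em> constant and the sample rows are mine; the real table has many more columns than the three modelled here.<\/p>

```python
import sqlite3
from pathlib import Path

# Header every Windows DPAPI (CryptProtectData) blob starts with: dwVersion = 1
# followed by the provider GUID DF9D8CD0-1501-11D1-8C7A-00C04FC297EB (first 8 bytes)
DPAPI_MAGIC = bytes([1, 0, 0, 0, 0xD0, 0x8C, 0x9D, 0xDF, 0x01, 0x15, 0xD1, 0x11])

# Constructed rows (not data from the sample). Chrome and Edge share this
# 'logins' layout; only the three columns the stealer reads are modelled here.
SAMPLE_LOGINS = [
    ('https://accounts.example.com/login', 'alice', b'v10' + bytes(12) + bytes(range(20))),
    ('https://legacy.example.net/', 'bob', DPAPI_MAGIC + bytes(range(16))),
]


def build_sample_login_data():
    '''Create an in-memory stand-in for a copied Login Data file.'''
    conn = sqlite3.connect(':memory:')
    conn.execute(
        'CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)'
    )
    conn.executemany('INSERT INTO logins VALUES (?, ?, ?)', SAMPLE_LOGINS)
    conn.commit()
    return conn


def open_login_data_copy(path):
    '''Open a copied Login Data file read-only.

    The running browser keeps a lock on the live file, which is why stealers
    copy it first; mode=ro stops sqlite3 from silently creating an empty DB
    when the path is wrong.'''
    return sqlite3.connect('file:' + Path(path).as_posix() + '?mode=ro', uri=True)


def classify_password_blob(blob):
    '''Say how a password_value blob is protected, without decrypting it.

    v10:   Chromium >= 80 on Windows. AES-256-GCM, 12-byte nonce after the prefix,
           16-byte tag at the end, key stored DPAPI-wrapped as os_crypt.encrypted_key
           in the profile's Local State file.
    dpapi: older profiles, the whole value is a raw CryptProtectData blob.
    Anything else (for example the newer app-bound v20 layout) is reported as unknown.'''
    if blob.startswith(b'v10') and len(blob) >= 3 + 12 + 16:
        return 'aes-gcm-v10'
    if blob.startswith(DPAPI_MAGIC):
        return 'dpapi'
    return 'unknown'


def read_logins(conn):
    '''The same SELECT a stealer runs, plus a classification of each blob.'''
    rows = conn.execute(
        'SELECT origin_url, username_value, password_value FROM logins'
    ).fetchall()
    return [
        {
            'origin': url,
            'username': user,
            'scheme': classify_password_blob(pw),
            'ciphertext_len': len(pw),
        }
        for url, user, pw in rows
    ]


if __name__ == '__main__':
    for row in read_logins(build_sample_login_data()):
        print(row)
```

<p>Point <em>open_login_data_copy()<\/em> at a copy of a real profile and <em>read_logins()<\/em> enumerates it the same way; the blobs still need the victim\u2019s DPAPI master key (or the Local State key) to unwrap, which is why stealers decrypt on the victim host rather than offline.<\/p>\n\n\n\n<p>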
With the authentication token, the attacker can gain unauthorized access to the victim\u2019s Discord account without a password.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"297\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/48-1024x297.png\" alt=\"\" class=\"wp-image-7420\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/48-1024x297.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/48-300x87.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/48-768x223.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/48-370x107.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/48-270x78.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/48-740x215.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/48.png 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The code responsible for collecting Discord tokens<\/figcaption><\/figure><\/div>\n\n\n<p>Finally, it will exfiltrate all this collected information, via FTP, SMTP, or Telegram.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"508\" height=\"72\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/49.png\" alt=\"\" class=\"wp-image-7421\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/49.png 508w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/49-300x43.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/49-370x52.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/49-270x38.png 270w\" sizes=\"(max-width: 508px) 100vw, 508px\" \/><figcaption class=\"wp-element-caption\">The calls from <em>Main()<\/em> that exfiltrates the collected data<\/figcaption><\/figure><\/div>\n\n\n<p>This is the code responsible for exfiltrating with FTP. 
If the Snake Keylogger is configured to use FTP, it creates an FTP request. The FTP credentials are hard-coded into the Snake Keylogger config; however, this sample is configured to use SMTP, so those fields hold only placeholder values (\u201clena_padding_1\u201d and \u201clena_padding_2\u201d here) rather than real FTP credentials. Once the stolen data is prepared, it uploads it to the server with FTP.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"430\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/50-1024x430.png\" alt=\"\" class=\"wp-image-7422\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/50-1024x430.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/50-300x126.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/50-768x323.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/50-370x155.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/50-270x113.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/50-740x311.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/50.png 1405w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The code responsible for FTP exfiltration<\/figcaption><\/figure><\/div>\n\n\n<p>This Snake Keylogger sample is configured to use SMTP, and this is the code responsible for SMTP exfiltration. It constructs an email with <em>MailMessage<\/em>, setting the sender address, recipient address, subject and body, and attaches the stolen data as a text file. 
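<\/p>\n\n\n\n<p>The TLS flag in this sample\u2019s config is off (the modding section below has to turn it on for Outlook), so the entire SMTP session, including the AUTH LOGIN exchange that carries the mailbox password, is readable in the sandbox pcap; that is how the credentials were recovered in the network analysis linked above. The Python below is an added example for this walkthrough, not code from the page or from the malware: it walks a constructed plaintext SMTP transcript (placeholder server, addresses and password, not a capture of this sample) and pulls out the AUTH LOGIN or AUTH PLAIN credentials, the envelope sender and recipients, the subject and the attachment file names. The transcript, <em>parse_smtp_exfil()<\/em> and its helpers are mine.<\/p>

```python
import base64
import re

# Constructed transcript of a plaintext SMTP session (not a capture of this
# sample). 'S' = server line, 'C' = client line. Credentials are placeholders.
SAMPLE_SESSION = [
    ('S', '220 mail.example.com ESMTP'),
    ('C', 'EHLO victim-pc'),
    ('S', '250-mail.example.com'),
    ('S', '250 AUTH LOGIN PLAIN'),
    ('C', 'AUTH LOGIN'),
    ('S', '334 VXNlcm5hbWU6'),            # base64('Username:')
    ('C', 'dXNlckBleGFtcGxlLmNvbQ=='),    # base64('user@example.com')
    ('S', '334 UGFzc3dvcmQ6'),            # base64('Password:')
    ('C', 'UGFzc3dvcmQx'),                # base64('Password1')
    ('S', '235 2.7.0 Authentication successful'),
    ('C', 'MAIL FROM:<user@example.com>'),
    ('S', '250 OK'),
    ('C', 'RCPT TO:<user@example.com>'),  # loot goes back to the sending account
    ('S', '250 OK'),
    ('C', 'DATA'),
    ('S', '354 End data with <CR><LF>.<CR><LF>'),
    ('C', 'Subject: Passwords | VICTIM-PC'),
    ('C', ''),
    ('C', '--b1'),
    ('C', 'Content-Disposition: attachment; filename=Passwords.txt'),
    ('C', ''),
    ('C', 'URL: https://accounts.example.com/login  USER: alice  PASS: ...'),
    ('C', '--b1--'),
    ('C', '.'),
    ('S', '250 OK queued'),
    ('C', 'QUIT'),
]


def _b64(token):
    '''Decode one base64 token, or return None if it is not valid base64.'''
    try:
        return base64.b64decode(token, validate=True).decode('utf-8', errors='replace')
    except ValueError:            # binascii.Error is a ValueError subclass
        return None


def _take_plain(result, token):
    '''AUTH PLAIN packs authzid NUL authcid NUL password into one token.'''
    parts = (_b64(token) or '').split(chr(0))
    if len(parts) == 3:
        result['username'], result['password'] = parts[1], parts[2]


def parse_smtp_exfil(session):
    '''Walk a plaintext SMTP transcript and recover what an analyst wants:
    AUTH LOGIN / AUTH PLAIN credentials, envelope, subject and attachment
    names. With the config's TLS flag off this is all visible in the pcap;
    after a STARTTLS the stream is ciphertext, so parsing stops there.'''
    result = {'username': None, 'password': None, 'mail_from': None,
              'rcpt_to': [], 'subject': None, 'attachments': [], 'starttls': False}
    expect = None   # what the next client line carries: 'username', 'password' or 'plain'
    mech = None     # SASL mechanism the client asked for
    in_data = False
    for side, line in session:
        if side == 'S':
            if line.startswith('334'):        # server challenge for the next SASL step
                prompt = (_b64(line[3:].strip()) or '').lower()
                if prompt.startswith('username'):
                    expect = 'username'
                elif prompt.startswith('password'):
                    expect = 'password'
                elif mech == 'PLAIN':
                    expect = 'plain'          # empty 334: the PLAIN token comes next
            continue
        upper = line.upper()
        if in_data:                           # message body until the lone '.'
            if line == '.':
                in_data = False
            elif upper.startswith('SUBJECT:'):
                result['subject'] = line.split(':', 1)[1].strip()
            else:
                m = re.search(r'filename=([^;]+)', line, re.I)
                if m:
                    result['attachments'].append(m.group(1).strip().strip(chr(34)))
            continue
        if expect:
            if expect == 'plain':
                _take_plain(result, line.strip())
            else:
                result[expect] = _b64(line.strip())
            expect = None
        elif upper.startswith('AUTH '):
            words = line.split(' ', 2)
            mech = words[1].upper()
            if len(words) == 3:               # initial response sent with the command
                if mech == 'PLAIN':
                    _take_plain(result, words[2].strip())
                elif mech == 'LOGIN':
                    result['username'] = _b64(words[2].strip())
        elif upper.startswith('MAIL FROM:'):
            result['mail_from'] = line.split(':', 1)[1].strip().strip('<>')
        elif upper.startswith('RCPT TO:'):
            result['rcpt_to'].append(line.split(':', 1)[1].strip().strip('<>'))
        elif upper == 'STARTTLS':
            result['starttls'] = True         # everything after the 220 is encrypted
            break
        elif upper == 'DATA':
            in_data = True
    return result


if __name__ == '__main__':
    for key, value in parse_smtp_exfil(SAMPLE_SESSION).items():
        print(key, value)
```

<p>The transcript format is deliberately simple: one (side, line) pair per SMTP line, which is what you have after following the TCP stream in Wireshark and splitting by direction. If a STARTTLS command appears the parser flags it and stops, since the rest of the stream is ciphertext and the same credentials would have to come from the config decryption above instead.<\/p>\n\n\n\n<p>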
It then uses the SMTP credentials hardcoded in the malware configuration to authenticate and exfiltrate via SMTP with <em>smtpClient.Send().<\/em><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"396\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/51-1024x396.png\" alt=\"\" class=\"wp-image-7423\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/51-1024x396.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/51-300x116.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/51-768x297.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/51-370x143.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/51-270x104.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/51-740x286.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/51.png 1398w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The code responsible for SMTP exfiltration<\/figcaption><\/figure><\/div>\n\n\n<p>This is the code responsible for exfiltrating with Telegram. If the Snake Keylogger is configured to use Telegram, it creates the Telegram API request URL, with the bot token (\u201clena_padding_4\u201d in this case) and chat ID (\u201clena_padding_5\u201d in this case) where the data will be sent. 
However, this Snake Keylogger sample is configured to use SMTP, so the code does not include the Telegram bot token and chat ID.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"477\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/52-1024x477.png\" alt=\"\" class=\"wp-image-7425\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/52-1024x477.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/52-300x140.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/52-768x358.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/52-370x172.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/52-270x126.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/52-740x345.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/52.png 1399w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The code responsible for Telegram exfiltration<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Other Interesting Functionalities&nbsp;<\/strong><\/h3>\n\n\n\n<p>Here are some other interesting code segments in the Snake Keylogger. This code segment searches and kills processes related to security and monitoring. 
These include antivirus products (Norton, F-Prot, Avira, Kaspersky\u2019s <em>avp<\/em>, etc.), network monitoring tools (Wireshark, Snort, etc.), debuggers (OllyDbg, etc.) and firewalls (ZoneAlarm, Outpost, BlackIce, etc.). Much of this list is dated, but from a detection standpoint a process that enumerates running processes and terminates security tools by name is itself a strong behavioural signal.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"703\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/53-1024x703.png\" alt=\"\" class=\"wp-image-7426\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/53-1024x703.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/53-300x206.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/53-768x527.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/53-370x254.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/53-270x185.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/53-435x300.png 435w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/53-740x508.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/53.png 1060w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The code responsible for searching and killing processes related to security and monitoring<\/figcaption><\/figure><\/div>\n\n\n<p>This code is responsible for taking screenshots. 
It uses a <em>Graphics <\/em>object to capture the entire screen, saves this as a PNG in the \u201cSnakeKeylogger\u201d folder, and exfiltrates it.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"483\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/54-1024x483.png\" alt=\"\" class=\"wp-image-7427\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/54-1024x483.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/54-300x142.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/54-768x362.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/54-370x175.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/54-270x127.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/54-740x349.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/54.png 1140w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The code responsible for taking screenshots<\/figcaption><\/figure><\/div>\n\n\n<p>This code is responsible for stealing and exfiltrating clipboard data.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"461\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/55-1024x461.png\" alt=\"\" class=\"wp-image-7428\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/55-1024x461.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/55-300x135.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/55-768x346.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/55-370x167.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/55-270x122.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/55-740x333.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/55.png 1331w\" sizes=\"(max-width: 1024px) 100vw, 
1024px\" \/><figcaption class=\"wp-element-caption\">The code responsible for stealing and exfiltrating clipboard data<\/figcaption><\/figure><\/div>\n\n\n<p>There is a Keylogger class that is responsible for the keylogging activities.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"465\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/56-1024x465.png\" alt=\"\" class=\"wp-image-7429\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/56-1024x465.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/56-300x136.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/56-768x349.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/56-1536x698.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/56-370x168.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/56-270x123.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/56-740x336.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/56.png 1902w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The Keylogger class with Keylogging functions<\/figcaption><\/figure><\/div>\n\n\n<p>It monitors keystrokes with the event handler for the <em>KeyDown<\/em> and <em>KeyUp <\/em>event<em>.<\/em><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"421\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/57-1024x421.png\" alt=\"\" class=\"wp-image-7430\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/57-1024x421.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/57-300x123.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/57-768x316.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/57-1536x631.png 1536w, 
\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/57-370x152.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/57-270x111.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/57-740x304.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/57.png 1986w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Code segment related to keystroke monitoring<\/figcaption><\/figure><\/div>\n\n\n<p>It also identifies the keystrokes, and checks for special keys like Backspace, Tab, Enter, Space, End, Delete, etc.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"777\" height=\"993\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/58.png\" alt=\"\" class=\"wp-image-7431\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/58.png 777w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/58-235x300.png 235w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/58-768x981.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/58-370x473.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/58-270x345.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/58-740x946.png 740w\" sizes=\"(max-width: 777px) 100vw, 777px\" \/><figcaption class=\"wp-element-caption\">Code segment related to keystroke identification<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Modding the Malware<\/h2>\n\n\n\n<p>Before we get into this section, please understand that we are only going to mod the malware to make analysis easier. 
Please do not abuse this knowledge!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Modding Anti-Analysis Functionalities&nbsp;<\/strong><\/h3>\n\n\n\n<p>If the Stage 4 payload is run in an environment with no internet connectivity, the connectivity check throws an exception and the process exits. An offline exit like this is a cheap form of sandbox evasion: a fully isolated analysis VM never reaches the payload.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"467\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/59-1024x467.png\" alt=\"\" class=\"wp-image-7432\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/59-1024x467.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/59-300x137.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/59-768x350.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/59-370x169.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/59-270x123.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/59-740x337.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/59.png 1396w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">An exception is thrown<\/figcaption><\/figure><\/div>\n\n\n<p>I edited the code so that the Snake Keylogger no longer terminates based on internet connectivity and no longer looks up its public IP via <em>checkip.dyndns.org<\/em>, as observed in the <a href=\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/#analyzing-the-network-activities-5924\" target=\"_blank\" rel=\"noreferrer noopener\">Snake Keylogger Sandbox Analysis<\/a>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"513\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/60-1024x513.png\" alt=\"\" class=\"wp-image-7433\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/60-1024x513.png 1024w, 
\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/60-300x150.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/60-768x385.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/60-370x185.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/60-270x135.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/60-740x371.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/60.png 1302w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The code responsible for connectivity checks is commented out<\/figcaption><\/figure><\/div>\n\n\n<p>Upon execution, it deletes itself, as observed in the <a href=\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/#analyzing-the-network-activities-5924\" target=\"_blank\" rel=\"noreferrer noopener\">Snake Keylogger Sandbox Analysis<\/a>. Thus, I\u2019ve modded it so it doesn\u2019t delete itself, to make debugging easier.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/61-1024x576.png\" alt=\"\" class=\"wp-image-7434\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/61-1024x576.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/61-300x169.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/61-768x432.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/61-1536x864.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/61-370x208.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/61-270x152.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/61-740x416.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/61.png 1828w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The code responsible for self-deletion is commented 
out<\/figcaption><\/figure><\/div>\n\n\n<p>Upon execution, it also moves itself to Temp, as observed in the <a href=\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/#analyzing-the-network-activities-5924\" target=\"_blank\" rel=\"noreferrer noopener\">Snake Keylogger Sandbox Analysis<\/a>. Thus, I also modded it so it does not move itself to Temp.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"307\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/62-1024x307.png\" alt=\"\" class=\"wp-image-7435\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/62-1024x307.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/62-300x90.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/62-768x230.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/62-1536x461.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/62-370x111.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/62-270x81.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/62-740x222.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/62.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The code responsible for moving to Temp is commented out<\/figcaption><\/figure><\/div>\n\n\n<p>After these modifications it continues execution without an internet connection, does not delete itself, and does not move itself to Temp. 
This makes dynamic analysis in an isolated, offline environment easier.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Modding the SMTP credentials<\/strong><\/h3>\n\n\n\n<p>I wrote a Python script that encrypts a replacement malware config. I made a throwaway Outlook account, whose SMTP server is <em>smtp-mail.outlook.com<\/em>.<\/p>\n\n\n\n<p>The key derivation is the same as for decryption: the first 8 bytes of the MD5 hash of \u201cBsrOkyiChvpfhAkipZAxnnChkMGkLnAiZhGMyrnJfULiDGkfTkrTELinhfkLkJrkDExMvkEUCxUkUGr\u201d are used as the DES key, namely \u201c6fc98cd68a1aab8b\u201d. 
It then PKCS7-pads the plaintext, encrypts it with DES in ECB mode, and Base64-encodes the ciphertext, which is the exact inverse of the decryption routine above.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from Crypto.Cipher import DES\nfrom Crypto.Hash import MD5\nfrom Crypto.Util.Padding import pad\nimport base64\n\n\ndef lena_encrypt_snake(plaintext, key_string):\n    \"\"\"Inverse of lena_decrypt_snake(): PKCS7 pad, DES-ECB encrypt, Base64 encode.\"\"\"\n    try:\n        key = MD5.new(key_string.encode('ascii')).digest()&#091;:8]\n        cipher = DES.new(key, DES.MODE_ECB)\n        padded_text = pad(plaintext.encode('ascii'), DES.block_size)\n        encrypted_data = cipher.encrypt(padded_text)\n        return base64.b64encode(encrypted_data).decode('ascii')\n    except Exception as e:\n        return str(e)\n\n\nlena_key = \"BsrOkyiChvpfhAkipZAxnnChkMGkLnAiZhGMyrnJfULiDGkfTkrTELinhfkLkJrkDExMvkEUCxUkUGr\"\nprint(\"lena_sender_email_addr: \", lena_encrypt_snake(\"&lt;REDACTED>@outlook.com\", lena_key))\nprint(\"lena_sender_email_pw: \", lena_encrypt_snake(\"&lt;REDACTED>\", lena_key))\nprint(\"lena_SMTP_server: \", lena_encrypt_snake(\"smtp-mail.outlook.com\", lena_key))\nprint(\"lena_receiver_email_addr: \", lena_encrypt_snake(\"&lt;REDACTED>@proton.me\", lena_key))\nprint(\"lena_SMTP_port: \", lena_encrypt_snake(\"587\", lena_key))<\/code><\/pre>\n\n\n\n<p class=\"has-text-align-center\"><em>The Python code that encrypts the SMTP information<\/em><\/p>\n\n\n\n<p>I ran the SMTP information through the encryption code.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"176\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/63-1024x176.png\" alt=\"\" class=\"wp-image-7436\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/63-1024x176.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/63-300x52.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/63-768x132.png 768w, 
\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/63-370x64.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/63-270x47.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/63-740x128.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/63.png 1445w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The encrypted SMTP information obtained from the Python code<\/figcaption><\/figure><\/div>\n\n\n<p>I added that into the malware config, and changed TLS to \u201cTrue\u201d as Outlook SMTP requires STARTTLS\/TLS on port 587.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"460\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/64-1024x460.png\" alt=\"\" class=\"wp-image-7438\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/64-1024x460.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/64-300x135.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/64-768x345.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/64-1536x690.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/64-370x166.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/64-270x121.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/64-740x332.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/64.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The modified and encrypted SMTP information is added to the config<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Modding for Customization<\/strong><\/h3>\n\n\n\n<p>I changed the executable icon to my profile picture, and the file details using Resource Hacker.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"510\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/65-1024x510.png\" alt=\"\" class=\"wp-image-7439\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/65-1024x510.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/65-300x149.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/65-768x382.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/65-370x184.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/65-270x134.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/65-740x368.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/65.png 1067w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Using Resource Hacker to customize the File details<\/figcaption><\/figure><\/div>\n\n\n<p>I also added some functionality that changes the background picture, so I know when the Snake Keylogger has executed. I added my signature digital white snake wallpaper under the Resources.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"160\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/66-1024x160.png\" alt=\"\" class=\"wp-image-7440\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/66-1024x160.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/66-300x47.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/66-768x120.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/66-370x58.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/66-270x42.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/66-740x115.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/66.png 1070w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Lena\u2019s Digital White Snake Wallpaper<\/figcaption><\/figure><\/div>\n\n\n<p>I added a new function <em>lena_snek() 
<\/em>that gets the image from Resources, temporarily saves it as a PNG in \/Temp, and sets that as the background picture when the executable starts.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"278\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/67-1024x278.png\" alt=\"\" class=\"wp-image-7441\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/67-1024x278.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/67-300x81.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/67-768x208.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/67-1536x416.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/67-370x100.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/67-270x73.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/67-740x201.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/67.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Code segment for background change<\/figcaption><\/figure><\/div>\n\n\n<p>I also added a new function <em>lena_save_txt() <\/em>that saves the collected information on the Desktop as \u201cPasswords.txt\u201d and \u201cUser.txt\u201d, so I can observe what was stolen without viewing the PCAP or having access to the exfiltration email.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"201\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/68-1024x201.png\" alt=\"\" class=\"wp-image-7442\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/68-1024x201.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/68-300x59.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/68-768x150.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/68-1536x301.png 
1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/68-370x72.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/68-270x53.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/68-740x145.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/68.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Code segment for saving collected information as a text file<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Executing the Modded Malware in a Sandbox<\/strong><\/h3>\n\n\n\n<p>I detonated the modded Snake Keylogger in the ANY.RUN Sandbox, which can be found <a href=\"https:\/\/app.any.run\/tasks\/74a1951f-a953-486b-9e89-0450fc5e71c2\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=snake_keylogger_analysis&amp;utm_content=linktoservice&amp;utm_term=250324\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"571\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/69-1024x571.png\" alt=\"\" class=\"wp-image-7443\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/69-1024x571.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/69-300x167.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/69-768x428.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/69-1536x856.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/69-370x206.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/69-270x150.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/69-740x412.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/69.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Before detonating the modded Snake Keylogger on an ANY.RUN 
Sandbox<\/figcaption><\/figure><\/div>\n\n\n<p>Upon execution, the background changed to my digital white snake wallpaper. This indicates that the modded Snake Keylogger has successfully executed.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"575\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/70-1024x575.png\" alt=\"\" class=\"wp-image-7444\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/70-1024x575.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/70-300x168.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/70-768x431.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/70-1536x863.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/70-370x208.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/70-270x152.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/70-740x416.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/70.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Detonating the modded Snake Keylogger on an ANY.RUN Sandbox changes the background<\/figcaption><\/figure><\/div>\n\n\n<p>Shortly after, \u201cPasswords.txt\u201d and \u201cUser.txt\u201d showed up on the Desktop.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"573\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/71-1024x573.png\" alt=\"\" class=\"wp-image-7445\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/71-1024x573.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/71-300x168.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/71-768x430.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/71-1536x860.png 1536w, 
\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/71-370x207.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/71-270x151.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/71-740x414.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/71.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The collected information is saved as a text file on the Desktop<\/figcaption><\/figure><\/div>\n\n\n<p>The contents of \u201cPasswords.txt\u201d and \u201cUser.txt\u201d on the Desktop can be seen below. These are credentials I saved onto Google Chrome before detonating the Snake Keylogger.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/72-1024x576.png\" alt=\"\" class=\"wp-image-7446\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/72-1024x576.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/72-300x169.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/72-768x432.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/72-1536x863.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/72-370x208.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/72-270x152.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/72-740x416.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/72.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">\u201cPasswords.txt\u201d on the left, \u201cUser.txt\u201d on the right in an ANY.RUN sandbox<\/figcaption><\/figure><\/div>\n\n\n<p>After executing the Snake Keylogger, I received the \u201cPasswords.txt\u201d and \u201cUser.txt\u201d from the throwaway Outlook email.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" 
decoding=\"async\" width=\"1024\" height=\"408\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/73-1024x408.png\" alt=\"\" class=\"wp-image-7447\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/73-1024x408.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/73-300x119.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/73-768x306.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/73-1536x611.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/73-370x147.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/73-270x107.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/73-740x294.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/73.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The email I received from the throwaway email account<\/figcaption><\/figure><\/div>\n\n\n<p>This is consistent with the text file saved onto the Desktop, as well as what was observed back in the PCAP of the <a href=\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/\" target=\"_blank\" rel=\"noreferrer noopener\">sandbox analysis<\/a>. 
However, as Outlook\u2019s SMTP uses TLS\/STARTTLS, the contents of these text files are encrypted and cannot be viewed in the PCAP.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"426\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/74-1024x426.png\" alt=\"\" class=\"wp-image-7448\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/74-1024x426.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/74-300x125.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/74-768x320.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/74-1536x639.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/74-370x154.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/74-270x112.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/74-740x308.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/74.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">\u201cPasswords.txt\u201d on the left, \u201cUser.txt\u201d on the right<\/figcaption><\/figure><\/div>\n\n\n<p>The email can be seen under \u201cSent Items\u201d in my throwaway Outlook account which was used to send the email.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"481\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/75-1024x481.png\" alt=\"\" class=\"wp-image-7449\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/75-1024x481.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/75-300x141.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/75-768x361.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/75-1536x721.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/75-370x174.png 370w, 
\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/75-270x127.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/75-740x347.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/75.png 1621w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The email from the sender\u2019s perspective<\/figcaption><\/figure><\/div>\n\n\n<p>The malware config can be found in ANY.RUN\u2019s <em>Malware Configuration.<\/em><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"537\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/76-1024x537.png\" alt=\"\" class=\"wp-image-7450\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/76-1024x537.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/76-300x157.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/76-768x403.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/76-1536x805.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/76-370x194.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/76-270x142.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/76-740x388.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/76.png 1942w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The Malware Configuration for the Snake Keylogger on ANY.RUN<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>This walkthrough demonstrated the process of reverse engineering a .NET malware, specifically the Snake Keylogger. 
It also highlighted the importance of employing multiple analysis techniques.<\/p>\n\n\n\n<p>Starting with sandbox analysis to gain a general understanding of the malware&#8217;s expected behavior is crucial for reverse engineering, as it guides us on what to look for, especially when faced with various anti-analysis techniques employed by malware authors to deter analysts.<\/p>\n\n\n\n<p>My prior sandbox analysis, <a href=\"https:\/\/any.run\/cybersecurity-blog\/analyzing-snake-keylogger\/#analyzing-the-network-activities-5924\">Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough<\/a>, provided me with insights into what to expect. Thus, despite encountering challenges such as junk code, obfuscation, multiple stages, steganography, dynamic code execution, and code reassembly, I knew what to look for during the reverse engineering process.<\/p>\n\n\n\n<p>Finally, I also demonstrated how malware can be modded to make analysis easier.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=snake_keylogger_analysis&amp;utm_content=linktolanding&amp;utm_term=250324\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> is a cloud-based malware analysis platform designed to support the work of security teams. It boasts a user base of 400,000 professionals who utilize the platform for threat analysis on Windows and Linux cloud virtual machines.<\/p>\n\n\n\n<p>With ANY.RUN, your security team can enjoy:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Instant detection:<\/strong> ANY.RUN can detect malware and identify various malware families using YARA and Suricata rules within approximately 40 seconds of file upload.<\/li>\n\n\n\n<li><strong>Hands-on analysis:<\/strong> In contrast to many automated tools, ANY.RUN offers interactive capabilities, allowing users to engage directly with the virtual machine through their browser. 
This feature helps prevent zero-day exploits and advanced malware that can bypass signature-based detection.<\/li>\n\n\n\n<li><strong>Low cost:<\/strong> ANY.RUN&#8217;s cloud-based nature makes it a budget-friendly solution for businesses, eliminating the need for setup or maintenance efforts from the DevOps team.<\/li>\n\n\n\n<li><strong>Training functionality:<\/strong> ANY.RUN&#8217;s user-friendly interface enables even junior SOC analysts to quickly learn how to analyze malware and extract indicators of compromise (IOCs).<\/li>\n<\/ul>\n\n\n\n<p>Get a personalized demo of ANY.RUN for your team.<\/p>\n\n\n\n<p><a href=\"https:\/\/calendly.com\/d\/3nd-rzd-xvx\/any-run-demo-blog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Schedule a call with us \u2192<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Appendix 1: IOC<\/h2>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-77\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"6\"\n           data-rows=\"5\"\n           data-wpID=\"77\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        Name                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    
data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        pago 4094.exe                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        Aads.dll                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"D1\"\n                    data-col-index=\"3\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        Tyrone.dll                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"E1\"\n                    data-col-index=\"4\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        lfwhUWZlmFnGhDYPudAJ.exe                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"F1\"\n                    data-col-index=\"5\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        
Lena_LambdaMamba_Snake.exe                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        MD5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1A0F4CC0513F1B56FEF01C815410C6EA                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        60A14FE18925243851E7B89859065C24                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D2\"\n                    data-col-index=\"3\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        A30BCD0198276E8E28E0E98FA4214E8B                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            
data-cell-id=\"E2\"\n                    data-col-index=\"4\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        BDEF67C31299A3D0C10E3608C7EE2BDB                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F2\"\n                    data-col-index=\"5\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        E35421E937DC29379780972F64542C05                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA1                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        A663C9ECF8F488D6E07B892165AE0A3712B0E91F                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n    
                >\n                                        244000E9D84ABB5E0C78A2E01B36DDAD8958D943                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D3\"\n                    data-col-index=\"3\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6523D31662B71A65533B11DA299240F0E8C1FF2C                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E3\"\n                    data-col-index=\"4\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        86BE2A34EACBC0806DBD61D41B9D83A65AEF69C5                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F3\"\n                    data-col-index=\"5\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        E4D20697BFE77F4B3E1655906EC61C5B12789F87                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256                    <\/td>\n                                                
<td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        D483D48C15F797C92C89D2EAFCC9FC7CBE0C02CABE1D9130BB9069E8C897C94C                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6CDEE30BA3189DF070B6A11A2F80E848A28510CEEEC37860705763E9D00620E4                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D4\"\n                    data-col-index=\"3\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        D1856C1533C8CA58BAE47A5F354F083A118FF9B36453E06E12C1395BCA2C081E                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E4\"\n                    data-col-index=\"4\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        EC3023ECF592A4F637E7C99B009466AA38BA90B9F9C7FBB550F129BCA285BD6E                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F4\"\n                    data-col-index=\"5\"\n       
             data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        CC9C1F2089F73382FA79F6DFBBADBC19BBD39C925659DEA814408F774635495B                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SSDEEP                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        12288:PXPZDbCo\/k+n70P4uR87fD0iBTJj1ijFDTwA:hOz+IPz6\/PF1ihDTwA                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1536:kEMoTcQA2YULtLNvpQy59F\/ok19cIdg9:k3o4rw9pQQX\/ok19c                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D5\"\n                    data-col-index=\"3\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                
    \"\n                    >\n                                        6144:HdWdDF+wvgxeg4\/Qa49UbOsipBVPGvi+Ac15m86bZb+25bAwd3W:UNvC4oa1idPHc15m86Z5bAwd3W                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E5\"\n                    data-col-index=\"4\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        3072:S1EBMYs5VR1q2ItO1heGHZb7x3AcwiO8jgbY:OOMYs5VR1qmhhHZbxA00b                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F5\"\n                    data-col-index=\"5\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6144:0g3r2NOQ1+5vBb2qQALRuJrrKTuZAiu0A9dDAl2b:0g3r2NOQoqqZUJvKSZAT0A9dDAK                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-77'>\ntable#wpdtSimpleTable-77{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-77 td, table.wpdtSimpleTable77 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">Appendix 2: Snake Keylogger Config Decryption Python Code<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from Crypto.Cipher import DES\nfrom Crypto.Hash import MD5\nimport base64\n\n\n\n\ndef lena_decrypt_snake(text, key_string):\n  try:\n      key = MD5.new(key_string.encode('ascii')).digest()&#091;:8]\n      cipher = DES.new(key, DES.MODE_ECB)\n      decrypted_data = cipher.decrypt(base64.b64decode(text))\n      decrypted_text = decrypted_data.decode('ascii', errors='ignore')\n      padding_len = decrypted_data&#091;-1]\n      if padding_len 
&lt;= 8 and padding_len &gt;= 1 and decrypted_data&#091;-padding_len:] == bytes(&#091;padding_len]) * padding_len:\n          # Valid PKCS7 padding for the 8-byte DES block: strip it from the bytes before decoding\n          return decrypted_data&#091;:-padding_len].decode('ascii', errors='ignore')\n      # No valid padding (wrong key or corrupt input): return the decoded text unchanged\n      return decrypted_text\n\n\n  except Exception as e:\n      return str(e)<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Introduction In order to understand malware comprehensively, it is essential to employ various analysis techniques and examine it from multiple perspectives. These techniques include behavioral, network, and process analysis during sandbox analysis, as well as static and dynamic analysis during reverse engineering. I (Lena aka LambdaMamba), prefer to begin with sandbox analysis to understand the [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":7454,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,34,40],"class_list":["post-7372","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Reverse Engineering Snake Keylogger: Full .NET Malware Analysis<\/title>\n<meta name=\"description\" content=\"Discover an in-depth analysis of the Snake Keylogger malware, exposing its config, infostealing features, and anti-analysis techniques.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Lena aka LambdaMamba\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"34 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\n\t    \"@context\": \"https:\/\/schema.org\",\n\t    \"@graph\": [\n\t        {\n\t            \"@type\": \"Article\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/#article\",\n\t            \"isPartOf\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/\"\n\t            },\n\t            \"author\": {\n\t                \"name\": \"Lena aka LambdaMamba\",\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"headline\": \"Reverse Engineering Snake Keylogger: Full .NET Malware Analysis Walkthrough\",\n\t            \"datePublished\": \"2024-03-25T09:38:46+00:00\",\n\t            \"dateModified\": \"2024-03-25T09:45:52+00:00\",\n\t            \"mainEntityOfPage\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/\"\n\t            },\n\t            \"wordCount\": 4316,\n\t            \"commentCount\": 2,\n\t            \"publisher\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"keywords\": [\n\t                \"ANYRUN\",\n\t                \"cybersecurity\",\n\t                \"malware\",\n\t                \"malware analysis\",\n\t                \"malware behavior\"\n\t            ],\n\t            \"articleSection\": [\n\t                \"Malware Analysis\"\n\t            ],\n\t            \"inLanguage\": \"en-US\",\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"CommentAction\",\n\t                    \"name\": \"Comment\",\n\t                    \"target\": [\n\t                        \"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/#respond\"\n\t                    ]\n\t                
}\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"WebPage\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/\",\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/\",\n\t            \"name\": \"Reverse Engineering Snake Keylogger: Full .NET Malware Analysis\",\n\t            \"isPartOf\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"datePublished\": \"2024-03-25T09:38:46+00:00\",\n\t            \"dateModified\": \"2024-03-25T09:45:52+00:00\",\n\t            \"description\": \"Discover an in-depth analysis of the Snake Keylogger malware, exposing its config, infostealing features, and anti-analysis techniques.\",\n\t            \"breadcrumb\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/#breadcrumb\"\n\t            },\n\t            \"inLanguage\": \"en-US\",\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"ReadAction\",\n\t                    \"target\": [\n\t                        \"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/\"\n\t                    ]\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"BreadcrumbList\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/#breadcrumb\",\n\t            \"itemListElement\": [\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 1,\n\t                    \"name\": \"Home\",\n\t                    \"item\": \"https:\/\/any.run\/cybersecurity-blog\/\"\n\t                },\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 2,\n\t                    \"name\": \"Malware Analysis\",\n\t                    \"item\": 
\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"\n\t                },\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 3,\n\t                    \"name\": \"Reverse Engineering Snake Keylogger: Full .NET Malware Analysis Walkthrough\"\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"WebSite\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"url\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN&#039;s Cybersecurity Blog\",\n\t            \"description\": \"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\n\t            \"publisher\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"SearchAction\",\n\t                    \"target\": {\n\t                        \"@type\": \"EntryPoint\",\n\t                        \"urlTemplate\": \"https:\/\/any.run\/?s={search_term_string}\"\n\t                    },\n\t                    \"query-input\": \"required name=search_term_string\"\n\t                }\n\t            ],\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Organization\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN\",\n\t            \"url\": \"https:\/\/any.run\/\",\n\t            \"logo\": {\n\t                \"@type\": \"ImageObject\",\n\t                \"inLanguage\": \"en-US\",\n\t                \"@id\": \"https:\/\/any.run\/\",\n\t                \"url\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\n\t                \"contentUrl\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\n\t                \"width\": 1,\n\t                \"height\": 1,\n\t             
   \"caption\": \"ANY.RUN\"\n\t            },\n\t            \"image\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"sameAs\": [\n\t                \"https:\/\/www.facebook.com\/www.any.run\/\",\n\t                \"https:\/\/twitter.com\/anyrun_app\",\n\t                \"https:\/\/www.linkedin.com\/company\/30692044\",\n\t                \"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"Person\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"name\": \"Lena aka LambdaMamba\",\n\t            \"image\": {\n\t                \"@type\": \"ImageObject\",\n\t                \"inLanguage\": \"en-US\",\n\t                \"@id\": \"https:\/\/any.run\/\",\n\t                \"url\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/lena_profile_picture.png\",\n\t                \"contentUrl\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/lena_profile_picture.png\",\n\t                \"caption\": \"Lena aka LambdaMamba\"\n\t            },\n\t            \"description\": \"I am a Chief Research Officer at a cybersecurity company. My passions include investigations, experimentations, gaming, writing, and drawing. I also like playing around with hardware, operating systems, and FPGAs. I enjoy assembling things as well as disassembling things! In my spare time, I do CTFs, threat hunting, and write about them. I am fascinated by snakes, which includes the Snake Malware! Check out: \u2022 My website \u2022 My LinkedIn profile\",\n\t            \"sameAs\": [\n\t                \"https:\/\/lambdamamba.com\/\"\n\t            ],\n\t            \"url\": \"#molongui-disabled-link\"\n\t        }\n\t    ]\n\t}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Reverse Engineering Snake Keylogger: Full .NET Malware Analysis","description":"Discover an in-depth analysis of the Snake Keylogger malware, exposing its config, infostealing features, and anti-analysis techniques.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/","twitter_misc":{"Written by":"Lena aka LambdaMamba","Est. reading time":"34 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/"},"author":{"name":"Lena aka LambdaMamba","@id":"https:\/\/any.run\/"},"headline":"Reverse Engineering Snake Keylogger: Full .NET Malware Analysis Walkthrough","datePublished":"2024-03-25T09:38:46+00:00","dateModified":"2024-03-25T09:45:52+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/"},"wordCount":4316,"commentCount":2,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/","url":"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/","name":"Reverse Engineering Snake Keylogger: Full .NET Malware 
Analysis","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-03-25T09:38:46+00:00","dateModified":"2024-03-25T09:45:52+00:00","description":"Discover an in-depth analysis of the Snake Keylogger malware, exposing its config, infostealing features, and anti-analysis techniques.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Reverse Engineering Snake Keylogger: Full .NET Malware Analysis Walkthrough"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Lena aka LambdaMamba","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/lena_profile_picture.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/lena_profile_picture.png","caption":"Lena aka LambdaMamba"},"description":"I am a Chief Research Officer at a cybersecurity company. My passions include investigations, experimentations, gaming, writing, and drawing. I also like playing around with hardware, operating systems, and FPGAs. I enjoy assembling things as well as disassembling things! In my spare time, I do CTFs, threat hunting, and write about them. I am fascinated by snakes, which includes the Snake Malware! 
Check out: \u2022 My website \u2022 My LinkedIn profile","sameAs":["https:\/\/lambdamamba.com\/"],"url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7372"}],"collection":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=7372"}],"version-history":[{"count":8,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7372\/revisions"}],"predecessor-version":[{"id":7461,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7372\/revisions\/7461"}],"wp:featuredmedia":[{"embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/7454"}],"wp:attachment":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=7372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=7372"},{"taxonomy":"post_tag","embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=7372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}