Jai Minton

Jai Minton

Information and Cyber Security Professional. All thoughts and opinions expressed here are my own, and may not be representative of my employer, or any other entity unless I am specifically quoting someone. Content is licensed under the Creative Commons Attribution 4.0 International License.

Snake Keylogger - Malware Analysis Lab

7 minute read

Technical Analysis of Snake Keylogger

Overview (AI generated from video):

Summary

The Snake Keylogger, discovered in November 2020, is a prevalent malware variant. This analysis explores its obfuscation techniques and payload, revealing its information stealing capabilities.

Timestamps

0:13 🕑 Snake Keylogger discovered in November 2020
0:31 🕑 Obfuscation techniques observed in the malware
1:08 🕑 Decompiling reveals encryption and byte arrays
2:40 🕑 Final payload detects and steals browser credentials
3:50 🕑 Exfiltration to Dynamic DNS and potential Telegram channel

Key Insights

1️⃣ The Snake Keylogger was first discovered in the wild in November 2020, making it a relatively new malware variant.
2️⃣ Obfuscation techniques were used in the malware to make analysis and detection more challenging.
3️⃣ Decompiling the malware revealed encryption methods and byte arrays, indicating the use of cryptography to hide malicious activities.
4️⃣ The final payload of the Snake Keylogger focused on stealing browser credentials, particularly from Mozilla Firefox.
5️⃣ Exfiltration of stolen information was observed to Dynamic DNS services, potentially indicating a command and control infrastructure.
6️⃣ The malware may also have the capability to send data directly to a Telegram channel, highlighting its potential as a malware-as-a-service.
7️⃣ The presence of a keylogger component in the malware suggests the intention to capture and monitor user keystrokes for further exploitation.

Transcript (AI generated from video):

00:00:00	according to checkpoint researchers snake key logger was first discovered in the wild in November of 2020 and in October of 2022 was the second most common Mau variant in operation behind agent Tesla today I'm going to look into a snake KY loger sample because I've never looked into one before we are back on maare bizaar we have to confirm we're not a robot oh we've already done Red Line let's let's go with snake Koger use that seven zip fire up maybe some PE Studio as well bang all.net so we can decompile this have a
00:00:40	little bit of fun let's open up DN spy Okay so we've got null it and what we can see straight away Assembly Product name of vanish might be a little bit interesting manifestor says my application. app look sometimes that get set by developers sometimes it doesn't it's like there might be a fair amount of obfuscation in there oh yeah we've got a compiler time stamp of 2071 so it's probably been time stomped we can just probably double check that the time date stamp it's in HEX so bf8 Fe fe6 and that looks to be what we just
00:01:20	found using cff Explorer as well so it has been time stomped so we do have this net.exe let's see whether there's an entry point we can jump to so going to the entry point we can see that it is firing off this listen at all it's creating an instance of this particular type and it's using this particular data this bite array see what this decompiling does okay so it's joining a bunch of different B arrays and then it is returning that and it's crypting It O Okay so there might be some encryption
00:01:52	for this particular snake see that it's using a few Transformers here that are of Interest we'll create a break point here so we'll move into this when it defines this B array so that we can figure out what that essentially comes out as add a break point here it's running and we've hit a break point so we might want to step into this so now we've actually got a little bit more appearing down in our registers here we can see the different bite arrays that we are working with and I don't want to go into the ins and outs of these so I
00:02:32	kind of want to step over some of these functions because by stepping over that we should now have the B array decrypted here so let's see if we just save this just go code move on over to downloads we've got a new net binary and look at this straight away we've now got some more stuff that was essentially trying to be invoked into memory say this information has been stolen from a legitimate extension of some kind we can't exactly go go to the entry point because it is a dll but we'll just go for a little bit of a browse a lot of
00:03:06	this looks like legitimate code so when we see yeah that doesn't look right like this it's going to be a lot more obvious so these are these are doing nothing these classes are literally nothing and then you've finally got this and we're coming back to loading and invoking again so we've got some more code that's going to be loaded here you can see it's going to take in the RO assem we might add a break point here we'll look at adding a break point here as well we wind up having the actual array here of
00:03:39	the code that we were talking about example. DL so you can see it is the the name that we had before so us continuing should have no impact we should be able to continue the code I'm going to break this myself like we're now we're now where we wanted it to hit anyway so let's step into and yeah now we've got this return statement uh step into see where we're at make sure that it gets this information first so step over that step over that now we are returning it step into that step into that 15 minutes
00:04:16	later step into step into again one eternity later yeah so it's this assembly here lot of wasted time so we have our new class here it took a little bit but we do have it this is now third stage that we have so we go file save module two we didn't know that before you got methods get processes this might actually start to be the snake key logger we can continue going with f11 and see where we land you've got ENT unma view of section and read process memories all kind of interesting stuff it may be throwing
00:04:57	something else into memory we may be on to a winner here oh heavily obfuscated stuff here so that's a little bit interesting got data got this B array yep that looks like it let's save this to code 3 so code 3 is a lot bigger 131 it's net again uh getting stuff from the resource section but now we actually see things that look like what it's doing right so this might actually be the final payload from extracting all that information because we've got this looking for Mozilla Firefox yeah so this MOS glue.
00:05:36	DL and NSS 3.dll uh key dll is used for storing credentials for the Firefox browser and so if you see them come up there's a good chance that something here is doing some sort of credential harvesting so there's a good chance that this is our this is our final payload essentially opening up running a de4 dot on it yep cool and now it's cleaned it and check out what code three cleaned is doing and it might just be a little bit nicer may not be perfect but you can see that it's currently a lot nicer to look at ah look
00:06:18	at this straight away we get a lot more information snake tracker the snake stealer yeah looks like it might that might be the name of it and basically we can run through this entire process now because this is the final payload from all that obfuscation but yeah rolling through it you can see it's just trying to steal all this information username password what I'm interested in is seeing where it all gets sent because it's malware as a service it's going to have some sort of configuration in it to essentially
00:06:50	determine where it goes I've never actually reversed this maware before so what else we got digital product ID trying to take that string reverse so username value okay Co obfuscation bro hey if it works it works dealing wireless land information and passwords purple accounts still stealing stuff B [Music] Zilla sneak trer blah blah blah got all them run and then we've got here we go here's what we need all right so you've got this Dynamic DNS I guess you got duck DNS and DNS Army so Dynamic DNS
00:07:38	this is where it will be exfiltrated to and it's going to get your processes could actually be that this is getting pumped directly to a telegram Channel as well and there is this b64 encoded string and here's your key logger as well identify key pushes so yeah that's a look into the uh the snake information steer I guess did you find this analysis useful did I go over too much too quickly did I just skip over things kind of do it too abrupt let me know let me know your thoughts in the comment section below

You may also enjoy

ClearFake - Malware Analysis Lab

26 minute read

Analysis of ClearFake malware which is planted on compromised WordPress websites to convince unsuspecting visitors to download and run malware.

LummaC2 - Malware Analysis Lab

30 minute read

Analysis of a RAR file which leads to the discovery of malicious Github repositories designed to distribute malware.