Deep Analysis of Snake Keylogger

Snake Keylogger is a malware developed using .NET. It’s focused on stealing sensitive information from a victim’s device, including saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data.

The malware usually is delivered by malicious doc and the malware comes packed , so let’s start unpacking.

Stage1

Let’s first check the resources , it’s always a good place to look .

Their are 2 suspicious resources Rara3 and ResourceFallbackMana , so the malware might use them for next stages of unpacking.

Checking the entry point , there is a constructor called Home

Home constructor has function that initialize its component called IntializeComponent

scrolling to the end of it , a function call nnn is called which call sss which call SponsorState , this function retrieve a resource call Rara3 and loops through its bytes and decrypt it by calling DismatleCode , the decrypted resource is a DLL.

Then the malware invokes MRMWrapperDictionary.memory..cctor() method from the loaded DLL.

Stage 2

The DLL name is MLan and it’s obfuscated , so i decided to go with the flow , until i found the function AnsiChar that decrypt the next stage.

1. Load a resource called ResourceFallbackMana Which is CurrentA value 5265736F7572636546616C6C6261636B4D616E61 but in hex.
2. Decrypt the resource .
3. Invoke targeted method which is UeAupokA536JGhxDyO.sW3Asla2NyvByhVDAa.JSwk4uviT2()

Stage 3

The DLL IVectorView is heavily obfuscated even more than the previous stage and since it’s not our main payload i won’t bother renaming the functions.

I will leave the functions names to make it easy for anyone who is going to try to unpack this sample.

Important Functions executed :

• Get path to the sample.

ahGXTXMe7uAdQ8NrjfG.lk5MbtJFe(uK4AJrYGvvq1w2WkdOi.lk5MbtJFe(uK4AJrYGvvq1w2WkdOi.W1QYvJs3HW), ahGXTXMe7uAdQ8NrjfG.A3vYOBZp64)

• Sleep for 4 seconds .

tSUHMWMAIim5ETkhruf.lk5MbtJFe(tPjaFIYeEJC8ehJovOA.lk5MbtJFe(sW3Asla2NyvByhVDAa.w2n8tHiqWL[35], tPjaFIYeEJC8ehJovOA.gMSY7bPola) * 1000, tSUHMWMAIim5ETkhruf.guWM0HK2GW)

• Get Roaming folder path.

doGHn4M3qsgWjpC57JN.lk5MbtJFe(sW3Asla2NyvByhVDAa.OMepjHU8u0PQqAcfgBt(Environment.SpecialFolder.ApplicationData), MtylF5MN0ZB1XUnlinq.lk5MbtJFe(4212, MtylF5MN0ZB1XUnlinq.cqxM4wlCTi), doGHn4M3qsgWjpC57JN.t77MmT7Umi)

• Append jwoHTfo.exe to the path .

psokcXYESiVIocWutWY.lk5MbtJFe(text3, sW3Asla2NyvByhVDAa.Bis8Nfj2u5, MtylF5MN0ZB1XUnlinq.lk5MbtJFe(4218, MtylF5MN0ZB1XUnlinq.cqxM4wlCTi), psokcXYESiVIocWutWY.PnTYcVPfsh)

• Copy itself to C:UsersUserNameAppDataRoaming .

Lp9PmLMkZmvU1wvfDHu.lk5MbtJFe(text, text2, Lp9PmLMkZmvU1wvfDHu.TMGYWc0mXg)

• Exclude the path of the newly copied sample , write XML to tmp file , create scheduled task for persistence.

Lp9PmLMkZmvU1wvfDHu.lk5MbtJFe(sW3Asla2NyvByhVDAa.Bis8Nfj2u5, text2, Lp9PmLMkZmvU1wvfDHu.AjQYS6EhjD)

• Load DLL at runtime that contains only resource data.

UeAupokA536JGhxDyO.ohMtKo8nMu0hWQpbYo2.XYtPy3Anye()

• Load a resource from the loaded DLL.

UeAupokA536JGhxDyO.MH1pvtk8kqaCIqEAbCh.n0BjAw3y3a()

• Decrypt the resource to get our main payload.

IHeoJKYkPinpHknFH9q.lk5MbtJFe(yAWG7ZYlZIPfRxSYSsw.lk5MbtJFe(sW3Asla2NyvByhVDAa.CTs8UfsbAO, yAWG7ZYlZIPfRxSYSsw.v2CYiSRjI0), sW3Asla2NyvByhVDAa.j3J8Ic57Tf, IHeoJKYkPinpHknFH9q.UC8Yj8UgDU)

• Spawn our main payload using process Hollowing .

UeAupokA536JGhxDyO.sW3Asla2NyvByhVDAa.Fgxk5Jy1sG()

Persistence

The following command is executed that disables Windows Defender scheduled and real-time scanning for files in this folder.
C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" Add-MpPreference -ExclusionPath C:UsersUserNameAppDataRoamingjwoHTfo.exe

The following command is executed to create a scheduled task:

"C:WindowsSystem32schtasks.exe" /Create /TN "UpdatesjwoHTfo" /XML "C:UsersUserNameAppDataLocalTemptmp2BD2.tmp"

The tmp file has the following XML :

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">  
    <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>UserName</Author>
    </RegistrationInfo>
    <Triggers> 
        <LogonTrigger> <!-- Represents a trigger that starts a task when a user logs on -->
            <Enabled>true</Enabled>
            <UserId>UserName</UserId>         
        </LogonTrigger>    
       <RegistrationTrigger> <!-- Represents a trigger that starts a task when the task is registered or updated -->     
           <Enabled>false</Enabled>   
       </RegistrationTrigger>  
   </Triggers>
   <Principals>
       <!--Specifies the security contexts that can be used to run the task.-->  
       <Principal id="Author">
<!-- Specifies the security credentials for a principal. These credentials define the security context that a task runs under.-->
           <UserId>UserName</UserId> 
           <LogonType>InteractiveToken</LogonType>
           <!-- User must already be logged on. The task will be run only in an existing interactive session.-->
           <RunLevel>LeastPrivilege</RunLevel> 
       </Principal>  
   </Principals>  
   <Settings>   
       <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
       <!-- Starts a new instance while an existing instance is running. -->
       <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
       <!--Specifies that the task will not be started if the computer is running on battery power.--> 
       <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
       <!--Specifies that the task will be stopped if the computer switches to battery power.-->  
       <AllowHardTerminate>false</AllowHardTerminate>
       <!--Specifies if the Task Scheduler service allows hard termination of the task.--> 
       <StartWhenAvailable>true</StartWhenAvailable>
       <!--Specifies that the Task Scheduler can start the task at any time after its scheduled time has passed.-->    
       <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
       <!--Specifies that the Task Scheduler will run the task only when a network is available.-->  
       <IdleSettings> 
           <!--Specifies how the Task Scheduler performs tasks when the computer is in an idle state.--> 
           <StopOnIdleEnd>true</StopOnIdleEnd>      
           <RestartOnIdle>false</RestartOnIdle>   
       </IdleSettings>    
       <AllowStartOnDemand>true</AllowStartOnDemand>
       <!--Specifies that the task can be started by using either the Run command or the Context menu.-->  
       <Enabled>true</Enabled>  
       <!--Specifies that the task is enabled. The task can be performed only when this setting is True. --> 
       <Hidden>false</Hidden>
       <!--Specifies, by default, that the task will not be visible in the user interface (UI).-->
       <RunOnlyIfIdle>false</RunOnlyIfIdle>
       <!--Specifies that the task is run only when the computer is in an idle state.-->    
       <WakeToRun>false</WakeToRun>
       <!--Specifies that Task Scheduler will wake the computer before it runs the task.-->    
       <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
       <!-- 20 Days --> <!--Specifies the amount of time allowed to complete the task.-->
       <Priority>7</Priority> 
       <!-- BELOW_NORMAL_PRIORITY_CLASS	THREAD_PRIORITY_BELOW_NORMAL-->
    </Settings> 
    <Actions Context="Author"><!-- Execute the packed sample -->
        <Exec>     
            <Command>
                C:UsersUserNameAppDataRoamingjwoHTfo.exe
            </Command>    
        </Exec> 
    </Actions>
</Task>

Load DLL at runtime

For the last stage of unpacking the malware uses a local callback function XYtPy3Anye that is registered to AppDomain.CurrentDomain.ResourceResolve, which is then called when it fails to load a resource by name.

The malware reads a resource named 6XrMbvA from the current module, which has no such named resource in the resource directory. A resource loading failure occurs and the registered local function is called XYtPy3Anye to solve this error.

Another DLL file appears in memory , decrypted from resource wgESy1fvJpAjtLonUv.mtQ6crCqKVauvIWPi5 and then decompress. It contains a resource with the name 6XrMbvA, which is the original requested resource name.

The payload of Snake Keylogger is encrypted in 6XrMbvA resource .

The resource is decrypted in UeAupokA536JGhxDyO.MH1pvtk8kqaCIqEAbCh.O9RjtGPl7D() method.

IHeoJKYkPinpHknFH9q.lk5MbtJFe(yAWG7ZYlZIPfRxSYSsw.lk5MbtJFe(sW3Asla2NyvByhVDAa.CTs8UfsbAO, yAWG7ZYlZIPfRxSYSsw.v2CYiSRjI0), sW3Asla2NyvByhVDAa.j3J8Ic57Tf, IHeoJKYkPinpHknFH9q.UC8Yj8UgDU) all that happens under this method .

Process Hollowing

The program then creates a suspended child process and inject Snake Keylogger payload into the child process. It then resumes the child process to run. Then the parent process exits

All process hollowing functionality are under UeAupokA536JGhxDyO.sW3Asla2NyvByhVDAa.Fgxk5Jy1sG() method.

• Create new process

  sW3Asla2NyvByhVDAa.t9k84Eca13(u0020, string.Empty, IntPtr.Zero, IntPtr.Zero, false, 134217732U, IntPtr.Zero, null, ref q7wjRryksphgmH13gM, ref whaCmriILF5883Bt0r))

  it calls API CreateProcess() to create the child process with Creation Flag 134217732U (0x8000004), which means CREATE_NO_WINDOW and CREATE_SUSPENDED.

  

  

• Write process memory

  BBDYpjYA3gIOGArn7ck.lk5MbtJFe()

  

• SetThreadContext

  sW3Asla2NyvByhVDAa.j898gCWDUT(whaCmriILF5883Bt0r.Rs9GptxmvX, array2)

• Resume thread

  sW3Asla2NyvByhVDAa.RHI4KHUA4X2R7NW2kBr(sW3Asla2NyvByhVDAa.UTP8ZguGC0, whaCmriILF5883Bt0r.Rs9GptxmvX)

Snake Keylogger is obfuscated . let’s Use de4dot to make it more readable.

After reversing and renaming .

The malware start initializing variables some of them are not used , the interesting part that the malware set a timer for some functions to execute every 0.1 second.

These are the functions that executes periodically:

1. Sending keylogs .
2. Sending screenshot .
3. Sending clipboard .
4. Sending stolen data encrypted .
5. Sending stolen data as plaintext .

KeyLogging

It calls API SetWindowsHookExA() to register a hook callback function this.ProcessKey() to monitor low-level keyboard input events. The first parameter is the hook type, where 13 indicates WH_KEYBOARD_LL .

It also records the foreground window title to identify where the victim types by calling the APIs GetForegroundWindow() and GetWindowText().

The malware installs its own handler for keypress events on the keyboard. Logging is done as follows:

Screenshot

When a screenshot is taken, it is saved to My DocumentsSnakeKeylogger folder with the name Screenshot.png. Then try to send the file. Any result of the upload will delete the file.

It has a Timer which captures the victim’s screenshots from time to time by calling API CopyFromScreen().

System Clipboard

It has two Timers. One timer to collect system clipboard data by calling Clipboard.GetText() and save to a global variable. The other timer is used to send clipboards data to the attacker.

Steal Credentials

Before stealing credentials , there are alot of methods that have empty body , it’ disabled features in this sample , i tried to get a sample that have those functions enabled but had no luck .

These functions are anti-VM and persistence method , anti-emulation, Snake adds itself to autorun by changing the registry key:
HKCUsoftwaremicrosoftwindowscurrentversionrun , Snake kill certain processes and check for the presence of some of the virtual machines files , search for processes specific to virtual machines . it although removes cookies from Chrome and Firefox browsers, as well as data from the general cookie repository in the system ,so that the user has to re-login to accounts in this case, the data will be intercepted using a keylogger .

How did i know that ? , while searching for samples to test my config extractor , i found a sample that have those functions named but still empty body, lucky me .

I dont know why all that was disabled ! It would be nice to see those.

Back to what we have in our sample .

Snake kill chrome and firefox process if it’s running.

Snake steals credentials from FTP clients, Email clients, Messengers , Browsers by static paths. It has four different methods to steal data from different types of browses, like Gecko-based browsers, Opera, Internet Explorer and Chromium-based browsers.

Stealing Mechanism

1. Access the file that contains Credentials
2. Parse the Credentials using SQL , have a whole class to handle SQL.
3. Decrypt Passwords.
4. Append to the global variable.

More details about stealing mechanism in my report about Mars stealer , it’s pretty much the same.

Snake tries to load moazglue.dll and nss3.dll by checking if certain browsers is installed and try to load the DLLs from one of these paths.

C2 Communication

If isProtected is initialized with ProtectTrue then all data will be encrypted before sending it.

Depending on the selected option in the configuration file, there are three options for interacting with the C2:

FTP

When transferring via FTP protocol, a file with the name:ComputerName - Passwords ID - BotID FilExtension is created on the FTP host.

The content of the file is PW UserName Snake VictimInfo Passwords_Logs .

The Bot ID is formed as follows: the first part is set in the configuration file, and the second part is a randomly generated 4-byte number.

SMTP

A message of the following format will be generated:

Subject: Pc Name: Username Snake Keylogger

Email body: PW Username Snake

Attachment:

VictimInfo contains PC name , date and time , client IP , country name

All data is sent as an attachment. It might be encrypted with DES or be plaintext .

Telegram

The data is transferred as an attached file.
Log file attachments have the following format:

PW UserName Snake VictimInfo Passwords_Logs

Same mechanism for sending:

1. Keylogs:

   Content format : KP UserName Snake VictimInfo KeyStrokes

2. clipboard :

   Content format : Clipboard UserName Snake VictimInfo GrabbedClipboard

3. Screenshot:

   Content format : Screenshot UserName Snake VictimInfo ImageBytes

import sys, struct, clr
import os
import  validators
sys.path.append(os.path.dirname(__file__))
clr.AddReference("System.Memory")
from System.Reflection import Assembly, MethodInfo, BindingFlags
from System import Type
DNLIB_PATH = r""
clr.AddReference("dnlib")
import dnlib    
from dnlib.DotNet import *
from dnlib.DotNet.Emit import OpCodes

SAMPLE_PATH = r''
module = dnlib.DotNet.ModuleDefMD.Load(SAMPLE_PATH)
eFlags = BindingFlags.Static | BindingFlags.Public | BindingFlags.NonPublic
Hardcoded_String = []

def get_Hardcoded_String():
    for mtype in module.GetTypes():
        if not mtype.HasMethods:
            continue
        for method in mtype.Methods:
            if not method.HasBody: 
                continue
            if not method.Body.HasInstructions: 
                continue
            
            for ptr in range(len(method.Body.Instructions)):
                try:
                    if method.Body.Instructions[ptr].OpCode == OpCodes.Ldstr :
                        Hardcoded_String.append(method.Body.Instructions[ptr].ToString()[14:].replace('"',"").replace(" ","").strip())
                except :
                    continue
         
   
get_Hardcoded_String() 


if "CountryName:" in Hardcoded_String:

    config_offset = Hardcoded_String.index("CountryName:")  
    
    for i in range(5):
        SMTP_Host = ""
        SMTP_Port = ""
        SMTP_Email = ""
        Tel_BOT = ""
        FTP_Host = ""

        if len(Hardcoded_String[config_offset + i + 9]) > 22 and Hardcoded_String[config_offset + i + 10].isdigit():
            Tel_chaTID = Hardcoded_String[config_offset+ i + 10]
            Tel_BOT = Hardcoded_String[config_offset + i + 9]
            
        if ( validators.ipv4(Hardcoded_String[config_offset + i + 3]) or validators.domain(Hardcoded_String[config_offset + i + 3]) ) and  Hardcoded_String[config_offset + i + 5].isdigit() and validators.email(Hardcoded_String[config_offset + i + 4]):
                SMTP_Host = Hardcoded_String[config_offset + i + 3]
                SMTP_Port = Hardcoded_String[config_offset + i + 5]
                SMTP_Username = Hardcoded_String[config_offset + i + 1]
                SMTP_Password = Hardcoded_String[config_offset + i + 2]
                SMTP_Email = Hardcoded_String[config_offset + i + 4]
                
        
        if "ftp" in Hardcoded_String[config_offset + i + 8] :
            FTP_Host = Hardcoded_String[config_offset + i + 8]
            FTP_Username = Hardcoded_String[config_offset + i  + 6]
            FTP_Password = Hardcoded_String[config_offset + i  + 7]
        
        if SMTP_Host != "" and SMTP_Port != "" and SMTP_Email!= "":
            print("SMTP Host = ",SMTP_Host)
            print("SMTP Port = ",SMTP_Port)
            print("SMTP Username = ", SMTP_Username)
            print("SMTP Password = ",SMTP_Password)
            print("SMTP Email To = ",SMTP_Email)
            
        if Tel_BOT  != "":
            Tel_C2 = "https://api.telegram.org/bot" +Tel_BOT+"/sendMessage?chat_id="+Tel_chaTID
            print("Telegram C2 = ",Tel_C2.strip())

        if FTP_Host != "":
            print("FTP Host = ",FTP_Host)
            print("FTP Port = ",21)
            print("FTP Username = ",FTP_Username)
            print("FTP Password = ",FTP_Password)

1. 2022_Exportlist.pdf.exe aka TRACEPROVIDERINSTANCEI.exe aka jwoHTfo.exe

   MD5 : 96fe87fda1c50480609164fdfa7c56e1

   SHA-1 : 548e2ae1da37cf3c58b1dc24b9020be915892412

   SHA-256 : 605929594981dafbab968728e7a47ca70c6175e2b0c2394b1f6793145b338175

   Imphash : f34d5f2d4577ed6d9ceec516c1f5a744

   SSDEEP : 12288:xo9C8+jXbW9qT9q0VOf/1hCCy51Y325l4+2HyIQfEzT2Ovn8UT/e6R+Ha3VG/VRC:xolCXKOnk9/O1Yel4HH1U+qrce6R+6l7

2. MLang.dll aka lolno.dll

   MD5 : ab47b292d4d39311539a0b97e6661f4f

   SHA-1 : 54cd9efbebe4f41b23e6f24fffac0da8f72d921b

   SHA-256 : fe78017f2153de0c5ca645c4255899ab044502fe5c77d5c04ced635d9fe981d9

   Imphash : dae02f32a21e03ce65412f6e56942daa

   SSDEEP : 768:JacFZ4/H/ve5rv+jfs1j/3Lo1wndAYObbtDgbg6A0V5Xr1Kt9b:BCDI3LosObbtko8bAt9b

3. IVectorView.dll

   MD5 : 1f0d10c221bfe2cf55c71a36f960a94f

   SHA-1 : ccbce039ccd22c9adf2a3761dcd5dc2e1cfd9579

   SHA-256 : c555c0c042e85369b0aec6961a04cb5f33689f9a2d84bbb436793d8eabf9a641

   Imphash : dae02f32a21e03ce65412f6e56942daa

   SSDEEP : 12288:u4PeegK8DnyyBlfnCwWVazsNNw9vn0SNRiMcdxNF:59UlvJQosgfZbcdxNF

4. 96e46e73-3d6c-4438-a642-6355f4e5a32b.dll

   MD5 : 9685ca6802fcec12497c9de13e0828f7

   SHA-1 : 07ff707126fe5ef9d81d930d1184c8acbca84447

   SHA-256 : 900664051b305fa30b48392b7c3956c172d3b1b4248b0b1ba30a850010d4aeed

   Imphash : dae02f32a21e03ce65412f6e56942daa

   SSDEEP : 3072:BCfNUMO2WfOHSV897gRPLh5dHwRD+Y4eHxz8KHoCaN/ELEv5:6UqMuSVmi5mx3xz8pn/

5. YFGGCVyufgtwfyuTGFWTVFAUYVF.exe

   MD5 : a90c091abded4a4f763de7537f569167

   SHA-1 : 9394b05c2d518ee5d75fb030f2dca6d15c44bf0a

   SHA-256 : 653b29296dcc50bfb59898d3ba38748b1c484701079ccc85f45bd2c0e4ecbe3e

   Imphash: f34d5f2d4577ed6d9ceec516c1f5a744

   SSDEEP : 3072:gFlAi/smc7Rkw3HTCnnnnnnnnnnnnnnnnnn9b8GOswBn7FbY8:crkIb4hbN

rule SnakeKeylogger :SnakeKeylogger {

    meta:
        author = "X__Junior"
        description = "Detects Snake Keylogger"


    strings:
        
        $s1 = "_KPPlogS" fullword ascii
        $s2 = "_Scrlogtimerrr" fullword ascii
        $s3 = "_Clpreptimerr" fullword ascii
        $s4 = "_clprEPs" fullword ascii
        $s5 = "_kLLTIm" fullword ascii
        $s6 = "_TPSSends" fullword ascii
        $s7 = "_ProHfutimer" fullword ascii
        $s8 = "GrabbedClp" fullword ascii
        $s9 = "StartKeylogger" fullword ascii
	$s10 = "KPPlogS" fullword ascii
        $s11 = "Scrlogtimerrr" fullword ascii
        $s12 = "Clpreptimerr" fullword ascii
        $s13 = "clprEPs" fullword ascii
        $s14 = "kLLTIm" fullword ascii
        $s15 = "TPSSends" fullword ascii
	$s16 = "ProHfutimer" fullword ascii

        $x1 = "$%SMTPDV$" wide
        $x2 = "$#TheHashHere%&" wide
        $x3 = "%FTPDV$" wide
        $x4 = "$%TelegramDv$" wide
		
        $m1 = "| Snake Keylogger" ascii wide
        $m2 = "SnakePW" ascii wide
        $m3 = "SnakeKeylogger" ascii wide
	$m4 = "Snake" ascii wide
		
    condition:
        (uint16(0) == 0x5a4d and (6 of ($s*)  or 4 of ($x*) or 3 of ($m*)))
}

Source: https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html#introduction