Malware Analysis: Snake Key Logger

This article discusses a sophisticated malware which establishes persistence on the infected system by creating a scheduled task, exfiltrates data through repeated attempts to connect to a command-and-control server, and employs PowerShell commands to evade detection by antivirus systems. The malware captures screenshots and modifies registry values to cover its tracks, presenting significant risks to both systems and user data.

Affected: Windows, Users, Command-and-Control Servers

Key points:

  • The malware drops a secondary executable (KZgaxkBH.exe) in the AppData\Roaming directory.
  • It uses PowerShell commands to add exclusion rules for Windows Defender.
  • The malware establishes persistence via a scheduled task.
  • A folder named VIPRecovery is created to store captured screenshots.
  • It tries to connect repeatedly to mail.vinatax.us for data exfiltration.
  • Registry keys are modified and deleted to evade detection and erase forensic artifacts.
  • The malware’s original filename was uaet.exe, disguising itself as a legitimate application.
  • Network analysis indicates it connects to suspicious domains and uses a fake DNS server.

MITRE Techniques:

  • T1071.001 (Application Layer Protocol: Email) – The malware attempts to communicate with its command-and-control (C2) server using email submission ports.
  • T1105 (Remote File Copy) – It drops a secondary executable (KZgaxkBH.exe) in the user’s AppData directory.
  • T1059.001 (Command and Scripting Interpreter: Windows PowerShell) – Uses PowerShell to add exclusion paths for Windows Defender.
  • T1037 (Boot or Logon Autostart Execution) – Creates a scheduled task for persistence upon system startup.
  • T1070.001 (Indicator Removal on Host: File Deletion) – Deletes registry keys related to Internet Explorer cache to hide malicious activities.
  • T1485 (Data Destruction) – Modifies registry values potentially to cover tracks and hide malicious behavior.

Indicators of Compromise:

  • File Name: KZgaxkBH.exe
  • File Name: uaet.exe
  • Domain: mail.vinatax.us
  • IP Address: 112.213.92.57
  • SHA256 Hash: e3d34efa98ab95227b84ed48a65ce73b3875f3c0ceaab5ac821fdecb37392eb9
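As an added defender-side example (not code from the article), the PowerShell below hunts a Windows host for the artifacts this summary lists: the dropped executable, Defender exclusions into the user profile, a scheduled task launching the binary, the VIPRecovery folder, and live connections to the C2 address. The file, folder and IP values come from this summary; treating any AppData exclusion as suspicious is an assumption of this script, not a claim from the article.

```powershell
# Added hunting script (not from the original article). Run in an elevated PowerShell.
$findings = @()

# 1. Dropped executable in %AppData%\Roaming ($env:APPDATA resolves there); name from the IoC list
$dropped = Join-Path $env:APPDATA 'KZgaxkBH.exe'
if (Test-Path $dropped) {
    $h = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    $findings += "Dropped file present: $dropped (SHA256 $h)"
}

# 2. Defender exclusion paths inside user-writable profile locations (heuristic, assumption)
$exclusions = (Get-MpPreference).ExclusionPath
foreach ($p in $exclusions) {
    if ($p -match 'AppData') { $findings += "Defender exclusion covers user profile path: $p" }
}

# 3. Scheduled tasks whose action runs the dropped binary
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'KZgaxkBH\.exe') {
            $findings += "Scheduled task '$($task.TaskName)' launches $($a.Execute)"
        }
    }
}

# 4. Screenshot staging folder named in the summary
$vip = Get-ChildItem -Path $env:USERPROFILE -Directory -Recurse -Filter 'VIPRecovery' -ErrorAction SilentlyContinue
foreach ($d in $vip) { $findings += "Screenshot folder found: $($d.FullName)" }

# 5. Live TCP connections to the C2 IP from the IoC list
$c2 = '112.213.92.57'
$conns = Get-NetTCPConnection -RemoteAddress $c2 -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $findings += "Connection to $c2 from PID $($c.OwningProcess) (remote port $($c.RemotePort))"
}

if ($findings.Count -eq 0) { 'No Snake Keylogger artifacts from this summary found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any item is a lead for a full triage, not proof of infection on its own; the exclusion check in particular will flag legitimate exclusions that happen to live under AppData.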


Full Story: https://medium.com/@cam40303/malware-analysis-snake-key-logger-0e07d15168a9?source=rss——malware-5