Description
SnakeKeylogger is a stealthy malware designed to secretly record keystrokes on infected devices. It operates covertly in the background, capturing sensitive information such as passwords and credit card details. This keylogging threat poses a significant risk to user privacy and security.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2024-02-12
- Author: Teoderick Contreras, Splunk
- ID: 0374f962-c66a-4a67-9a30-24b0708ef802
Narrative
SnakeKeylogger, a notorious malware, first emerged in the early 2010s, gaining infamy for its clandestine ability to capture keystrokes on compromised systems. As a stealthy threat, it infiltrates computers silently, recording every keystroke entered by users, including sensitive information like passwords and financial details. Over time, it has evolved to evade detection mechanisms, posing a persistent threat to cybersecurity. Its widespread use in various cybercrime activities underscores its significance as a tool for espionage and data theft. Despite efforts to combat it, SnakeKeylogger continues to lurk in the shadows, perpetuating its malicious activities with devastating consequences.
Detections
Name | Technique | Type
--- | --- | ---
Detect Regasm Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | TTP
Download Files Using Telegram | Ingress Tool Transfer | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
High Process Termination Frequency | Data Encrypted for Impact | Anomaly
Non Chrome Process Accessing Chrome Default Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly
Non Firefox Process Access Firefox Profile Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly
Processes launching netsh | Disable or Modify System Firewall, Impair Defenses | Anomaly
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Suspicious Driver Loaded Path | Windows Service, Create or Modify System Process | TTP
Suspicious Process DNS Query Known Abuse Web Services | Visual Basic, Command and Scripting Interpreter | TTP
Suspicious Process Executed From Container File | Malicious File, Masquerade File Type | TTP
Windows Credential Access From Browser Password Store | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly
Windows File Transfer Protocol In Non-Common Process Path | Mail Protocols, Application Layer Protocol | Anomaly
Windows Gather Victim Network Info Through Ip Check Web Services | IP Addresses, Gather Victim Network Information | Hunting
Windows Non Discord App Access Discord LevelDB | Query Registry | Anomaly
Windows Phishing PDF File Executes URL Link | Spearphishing Attachment, Phishing | Anomaly
Windows System Network Connections Discovery Netsh | System Network Connections Discovery | Anomaly
Windows Time Based Evasion via Choice Exec | Time Based Evasion, Virtualization/Sandbox Evasion | Anomaly
Windows Unsecured Outlook Credentials Access In Registry | Unsecured Credentials | Anomaly
Windows User Execution Malicious URL Shortcut File | Malicious File, User Execution | TTP
Reference
source | version: 1