Analytics Story: Snake Keylogger

Date: 2024-02-12 ID: 0374f962-c66a-4a67-9a30-24b0708ef802 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

SnakeKeylogger is a stealthy malware designed to secretly record keystrokes on infected devices. It operates covertly in the background, capturing sensitive information such as passwords and credit card details. This keylogging threat poses a significant risk to user privacy and security.

Why it matters

SnakeKeylogger, a notorious malware, first emerged in the early 2010s, gaining infamy for its clandestine ability to capture keystrokes on compromised systems. As a stealthy threat, it infiltrates computers silently, recording every keystroke entered by users, including sensitive information like passwords and financial details. Over time, it has evolved to evade detection mechanisms, posing a persistent threat to cybersecurity. Its widespread use in various cybercrime activities underscores its significance as a tool for espionage and data theft. Despite efforts to combat it, SnakeKeylogger continues to lurk in the shadows, perpetuating its malicious activities with devastating consequences.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect Regasm Spawning a Process System Binary Proxy Execution, Regsvcs/Regasm TTP
Download Files Using Telegram Ingress Tool Transfer TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
High Process Termination Frequency Data Encrypted for Impact Anomaly
Non Chrome Process Accessing Chrome Default Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Non Firefox Process Access Firefox Profile Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Processes launching netsh Disable or Modify System Firewall, Impair Defenses Anomaly
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Suspicious Driver Loaded Path Windows Service, Create or Modify System Process TTP
Suspicious Process DNS Query Known Abuse Web Services Visual Basic, Command and Scripting Interpreter TTP
Suspicious Process Executed From Container File Malicious File, Masquerade File Type TTP
Windows Credential Access From Browser Password Store Query Registry Anomaly
Windows Credentials from Password Stores Chrome LocalState Access Query Registry Anomaly
Windows Credentials from Password Stores Chrome Login Data Access Query Registry Anomaly
Windows File Transfer Protocol In Non-Common Process Path Mail Protocols, Application Layer Protocol Anomaly
Windows Gather Victim Network Info Through Ip Check Web Services IP Addresses, Gather Victim Network Information Hunting
Windows Non Discord App Access Discord LevelDB Query Registry Anomaly
Windows Phishing PDF File Executes URL Link Spearphishing Attachment, Phishing Anomaly
Windows System Network Connections Discovery Netsh System Network Connections Discovery Anomaly
Windows Time Based Evasion via Choice Exec Time Based Evasion, Virtualization/Sandbox Evasion Anomaly
Windows Unsecured Outlook Credentials Access In Registry Unsecured Credentials Anomaly
Windows User Execution Malicious URL Shortcut File Malicious File, User Execution TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 15 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 5 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 6 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1