{
	"id": "91da3285-49de-4a18-a410-951a87a4ccb9",
	"created_at": "2026-04-06T00:10:21.257933Z",
	"updated_at": "2026-04-10T03:20:28.55933Z",
	"deleted_at": null,
	"sha1_hash": "1e792921510f5643caa200f64bc68a97655304e9",
	"title": "Snojan Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1333899,
	"plain_text": "Snojan Analysis\r\nBy Jacob Pimental\r\nPublished: 2019-05-11 · Archived: 2026-04-05 15:30:14 UTC\r\nSo this is my analysis of the snojan malware. My goal for my articles is to write about different malware samples\r\nthat I collect in my honeypot. I hate finding a sample and looking up analyses of it only to find that nobody has\r\ntaken the time to really look at it, so this is my remedy for that.\r\nI collected this sample from my Dionaea Honeypot server. If you don’t know what Dionaea Honeypot is, it is\r\nessentially a server that mimics vulnerable processes and applications in the hope of catching malware. It mainly\r\ncatches internet worms that target random IP addresses; recently it has gotten a lot of WannaCry ransomware\r\nsamples.\r\nThe first thing I do when analyzing a new malware sample is give it to VirusTotal to see what it may be\r\nand get some basic information on it. Some of the vendors marked it as “snojan”, so that is the name I use for it.\r\nVirusTotal also tells us that the creation time was May 5th 2017, but that could easily be spoofed. If it is true, then\r\nthis is not the newest malware out there, but it is still interesting nonetheless.\r\nThe next thing I do is use rabin2, which comes with radare2, to see what type of file this is. 
If you don’t know\r\nwhat radare2 or rabin2 are, you can read my other articles where I explain what they are and how to use them.\r\n$ rabin2 -I 867e7c4917795399040f367575550ae4\r\narch x86\r\nbinsz 13315\r\nbintype pe\r\nbits 32\r\ncanary false\r\nclass PE32\r\ncmp.csum 0x00006b4d\r\ncompiled Fri May 5 07:02:08 2017\r\ncrypto false\r\nendian little\r\nhavecode true\r\nhdr.csum 0x0000b009\r\nlinenum true\r\nlsyms true\r\nmachine i386\r\nmaxopsz 16\r\nminopsz 1\r\nnx false\r\nos windows\r\noverlay true\r\nhttps://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9\r\nPage 1 of 8\n\npcalign 0\r\npic false\r\nrelocs false\r\nsigned false\r\nstatic false\r\nstripped false\r\nsubsys Windows CUI\r\nva true\r\n$\r\nFrom this we can see that this is a Windows Portable Executable (PE) file that is 32-bit (PE32) and uses a\r\nCommand Line Interface (CUI) rather than a graphical interface (GUI). If we run the file command in Linux, we\r\ncan see more specifically what type of file this is.\r\n$ file 867e7c4917795399040f367575550ae4\r\n867e7c4917795399040f367575550ae4: PE32 executable (DLL) (console) Intel 80386 (stripped to external P\r\n$\r\nWe can see that this is a Windows DLL file. This means it must have some exports that it expects to be called through.\r\nRabin2 can help us identify these exports.\r\n$ rabin2 -E 867e7c4917795399040f367575550ae4\r\n[Exports]\r\nvaddr=0x6d981760 paddr=0x00000b60 ord=000 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=aaa.dll_DllMain@12\r\n$\r\nSo this DLL exports the function DllMain@12. We can assume that the DLL is probably called using the Windows\r\nrundll command with this function as a parameter. 
We can also assume that the name of the file is aaa.dll\r\nrather than the md5sum 867e7c4917795399040f367575550ae4.\r\nNow that we have some basic information about the file, we can pop it into radare2 and see what the assembly\r\ncode looks like. I like to use the “afll” command after having radare2 analyze the binary because that shows all of\r\nthe functions in a colored graph. We can see an interesting function at 0x6d981760.\r\nThis is the same function as the export we saw earlier. We should probably investigate what it is doing.\r\nSo it looks like it compares an argument to the number 1; if the comparison is false then we return and most likely\r\nexit the program. If it is true, however, then we call the CreateThread function with fcn.6d981710 as a\r\nparameter. This creates a thread that runs whatever fcn.6d981710 does. It then calls that mystery\r\nfunction and exits. The next step is to check out that mystery function and see what it does.\r\nThis function calls the WSAStartup function, which starts the processes necessary to use the Windows Sockets\r\nlibrary. This tells us that the DLL must be connecting to some server via an open port. If WSAStartup fails, it\r\npushes the message “WSAStartup failed: %d\\n” along with the return value of WSAStartup onto the stack and calls\r\nthe function fcn.6d982600. If we evaluate this function we can see that it is a pointer to printf. Sometimes radare2\r\nand other disassemblers can’t identify basic functions like printf. It is standard and is not really important right\r\nnow. 
If we wanted to change the name of the function, we would just seek to the address and use the command\r\nafn printf\r\nIf the call succeeds then it calls the function fcn.6d9814c0.\r\nWe can see that this function creates a socket. If the socket is created successfully, it is given the IP\r\naddress 62.210.204.58 and port 443 and connects. If not, an error is printed via printf again and the\r\nprogram exits. We would be able to use this IP address and port as a network-based indicator to detect this\r\nmalware.\r\nIf our socket is able to connect to the server then it creates a new file called 3165616.exe on the C: drive of the\r\ninfected computer, which could be used as a host-based indicator of this malware. If it fails to connect then we get\r\nanother error. After this the program loops through the data sent back to it by the server and writes it into the\r\nexecutable file that was created. It then goes ahead and runs that executable.\r\nMinigraph illustrating the loop that populates the executable file with data\r\nMinigraph illustrating the call to WinExec on the created executable\r\nWe can assume that this DLL is just a dropper for the real trojan that will be installed on the system. At the time of\r\nmy initial analysis I was able to retrieve the dropped executable from the server with a curl command; as of the\r\ndate of writing it seems the malware author has changed servers or shut it down altogether. 
I was able to run the\r\nprogram in a Windows environment before the server went down to analyze the events.\r\nFirst you can see the packet that was returned from the server at 62.210.204.58, which confirms our suspicion that\r\nit dropped a Windows binary. For those unfamiliar with magic bytes in binaries, the first MZ that is highlighted in the\r\npacket capture means that this is a Windows binary. We can further confirm this by the string “This program\r\ncannot be run in DOS mode”, which is common in Windows applications. We can also see PE, which means\r\n“Portable Executable”.\r\nAfter this executable is downloaded and run it reaches out to 3click.click/install/start, which gave the executable\r\ncommands. It created wininit.exe, which was located in the folder C:\\WINDOWS\\Fonts (which I found\r\ninteresting). The process would retrieve data from the site icanhazip.com in order to get my public IP address, and\r\nwould then report this to the malware author.\r\nPacket Capture showing the conversation between icanhazip.com and my computer\r\nIt would also close Process Explorer if it found it open. On top of that it would connect to the\r\n3click.click/report.lua file, which was a reporting system for the malware to communicate with the author about\r\nmy computer. I didn’t take too much time analyzing the dropped binary. It is a basic trojan that makes it very\r\nobvious that it is in the system by closing applications and displaying command prompts as it goes.\r\nOverall, this is a very basic dropper and the first “real” malware sample that I have analyzed, so if I missed\r\nanything or there was a better way to go about analyzing it then please feel free to reach out to me on my Twitter or\r\nmy LinkedIn.\r\nHere is also the Hybrid-Analysis of this file. It gives a lot of info as well. 
Although for this article I ran the\r\nmalware myself on a Windows XP VM.\r\nIf you like this article you can view more on my updated blog at https://goggleheadedhacker.com/1\r\nThanks for reading and happy reversing!\r\nSource: https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9"
	],
	"report_names": [
		"snojan-analysis-bb3982fb1bb9"
	],
	"threat_actors": [],
	"ts_created_at": 1775434221,
	"ts_updated_at": 1775791228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e792921510f5643caa200f64bc68a97655304e9.pdf",
		"text": "https://archive.orkl.eu/1e792921510f5643caa200f64bc68a97655304e9.txt",
		"img": "https://archive.orkl.eu/1e792921510f5643caa200f64bc68a97655304e9.jpg"
	}
}