{
	"id": "24016f21-f8de-4f67-9eb7-5fd481203f59",
	"created_at": "2026-04-06T00:13:22.318677Z",
	"updated_at": "2026-04-10T13:11:55.068997Z",
	"deleted_at": null,
	"sha1_hash": "6337e1a65c67e843b28b017cc48c9106c0bf967c",
	"title": "Snake Ransomware Analysis Updates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48720,
	"plain_text": "Snake Ransomware Analysis Updates\r\nBy Kyle O'Meara March 23, 2020\r\nPublished: 2020-03-23 · Archived: 2026-04-05 16:17:29 UTC\r\nIn January 2020, Sentinel Labs published two reports on Snake (also known as Ekans) ransomware.[1][2] The Snake\r\nransomware gained attention due to its ability to terminate specific industrial control system (ICS) processes. After reading\r\nthe reports, I wanted to expand the corpus of knowledge and provide OT and IT network defenders with increased defense\r\ncapabilities against Snake. The key takeaways from the Sentinel Labs' reports for additional analysis were the hash of the\r\nransomware and the string decoder script from sysopfb.[3] Two questions I pursued were:\r\nCan I find more samples of the Snake ransomware?\r\nIf yes, do these samples use the same string decoding process?\r\nDiscovering More Samples\r\nBy analyzing the code and applying a combination of using IDA, Pharos tools fn2hash and fn2yara, BigGrep, and the\r\nCERT/CC Malware Analysis and Storage System (MASS) repository, I was able to find one sample with a 100% function\r\noverlap with that of the known Snake ransomware sample.[4] The hashes of these samples are shown in Table 1 in the\r\nAppendix. In reviewing my BigGrep search parameter, I realized I had potentially limited my search results. 
I expanded my\r\nsearch parameter and found two more candidate samples, which are shown in Table 2 in the Appendix.\r\nDecoding the Strings\r\nThe string decoder, referred to from here on as the config dumper, decoded the same strings from the new Snake ransomware\r\nsample that were also found in the original Snake ransomware sample.[1] See the sysopfb link in the references section for\r\nthe complete decoded string list.[3] Unfortunately, the config dumper did not return any results for the two new candidate\r\nsamples.\r\nAgain using IDA and the Pharos tools fn2hash and fn2yara, I wanted to see how much code overlap there was among these four\r\nfiles from Table 1 and Table 2 in the Appendix. The two new candidate samples shared a 100% function overlap with each other. When\r\ncomparing these two files to the Snake ransomware samples, there was only a 50% function overlap. With a significant\r\nfunction overlap among all four files, why didn't the config dumper work on the two new candidate samples?\r\nLooking at the code further, I identified a 1-byte difference in the string decoding function in the new candidate samples\r\nversus the known Snake ransomware samples. I edited the config dumper and ran it on the new candidate samples. The\r\nmodified config dumper successfully decoded strings from the new candidate samples, as shown in Table 3 in the\r\nAppendix.\r\nThe newly returned strings from the new candidate samples were different from those found in the known Snake\r\nransomware samples. However, using the new config dumper, I also successfully decoded new strings from the known Snake\r\nransomware samples. These strings all appear to be host intrusion prevention system (HIPS) process and service names, as\r\nshown in Table 4 in the Appendix.\r\nSummary of Findings\r\nThrough my additional analysis process, I discovered another Snake ransomware sample as well as two new candidate samples.\r\nHowever, dynamic analysis demonstrated that these new candidate samples did not act like ransomware. Upon execution,\r\nthe new candidates tried to establish a connection to IP address 18.222.249[.]59 on port 7777. Without allowing the\r\ncandidate sample to establish a connection, I saw no further action from the candidate samples. My assumption is that the\r\nSnake ransomware and the new candidate samples were potentially created by a similar actor, given the large code overlap as\r\nwell as the nearly identical string decoding routine.\r\nhttps://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html\r\nPage 1 of 5\n\nI created a YARA rule to identify samples that contain a similar string decoding function, as shown in Table 5 in the\r\nAppendix.\r\nI also developed an updated config dumper which decodes the new set of strings. This config dumper is available upon\r\nrequest.\r\nIn another report, Dragos highlights that the Snake ransomware's process termination list is similar to the list found in the\r\nMegaCortex ransomware.[5] My analysis uncovered an additional 252 decoded strings related to HIPS processes that the\r\nSnake ransomware attempts to terminate. These 252 processes all appear in the 1104-process list in the Accenture Security\r\nMegaCortex ransomware report.[6] However, after completing similar analyses, as mentioned above, as well as testing\r\nknown YARA rules, I found that the Snake and MegaCortex ransomware families shared no code overlap. I believe it is a matter of\r\ncoincidence that there is an overlap in this process list. Possible reasons for this coincidence include that the\r\nSnake ransomware authors took information from the Accenture report on MegaCortex or used the published curated open source\r\nHIPS process list.[7]\r\nConclusion\r\nI have provided more samples, a YARA rule, a new config dumper, and new decoded data (see the tables in the Appendix).\r\nThis information, in addition to previous industry analyses, will allow network defenders in the OT and IT space to\r\nincrease their defense capabilities against the Snake ransomware.\r\nAppendix\r\nTable 1: Snake Ransomware Hashes\r\ne5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60\r\na5a7e6ddf99634a253a060adb1f0871a5a861624382e8ca6d086e54f03bed493\r\nTable 2: New Candidate Hashes\r\nb17863d41c0b915052fea85a354ec985280f4d38b46d64158a75b17ef89d76da\r\na8f0ff40d1e624dd2aad4d689ed47a900e4f719923647cacb58d1a4809c7bd31\r\nTable 3: Decoded Strings from New Candidate Samples\r\nu\r\nu\r\nhttps://18.222.249.59/uploaad\r\n./123\r\nok\r\n18.222.249.59:7777\r\ntcp\r\nPOST\r\nhttps://18.222.249.59:443/uploaad\r\n./123\r\nOK\r\ntitle\r\nendgame\r\nContent-Type\r\nmultipart/form-data\r\nfile\r\nendgame\r\nY23QyJCj%kAK\r\nPOST\r\nContent-Type\r\nTable 4: New Decoded Strings from Snake Ransomware 
Samples\r\nacctmgr.exe\r\nalertsvc.exe\r\nalmon.exe\r\nalsvc.exe\r\nalunotify.exe\r\nalupdate.exe\r\naluschedulersvc.exe\r\naphost.exe\r\nappsvc32.exe\r\napvxdwin.exe\r\nasupport.exe\r\navltmain.exe\r\nccap.exe\r\nccapp.exe\r\nccenter.exe\r\nccevtmgr.exe\r\nccproxy.exe\r\nccpxysvc.exe\r\nccsetmgr.exe\r\ncertificationmanagerservicent.exe\r\ncheckup.exe\r\ncka.exe\r\ncomhost.exe\r\ncpdclnt.exe\r\ncsinject.exe\r\ncsinsm32.exe\r\ncsinsmnt.exe\r\ndbserv.exe\r\ndefwatch\r\ndefwatch.exe\r\ndiskmon.exe\r\ndjsnetcn.exe\r\ndlservice.exe\r\ndltray.exe\r\ndoscan.exe\r\ndwhwizrd.exe\r\ndwwin.exe\r\nemlibupdateagentnt.exe\r\nentitymain.exe\r\nexecstat.exe\r\nscanexplicit.exe\r\nfirewallgui.exe\r\nfwcfg.exe\r\nfws.exe\r\nghost_2.exe\r\nnprotect.exe\r\nnpscheck.exe\r\nnpssvc.exe\r\nnscsrvce.exe\r\nnsctop.exe\r\nnsmdemf.exe\r\nnsmdmon.exe\r\nnsmdreal.exe\r\nnsmdsch.exe\r\nnsmdtr.exe\r\nofcdog.exe\r\nofcpfwsvc.exe\r\nolfsnt40.exe\r\nomslogmanager.exe\r\nopscan.exe\r\nop_viewer.exe\r\npagent.exe\r\npagentwd.exe\r\npatch.exe\r\npavbckpt.exe\r\npavjobs.exe\r\npavsrv52.exe\r\npccnt.exe\r\npccntupd.exe\r\npcctlcom.exe\r\npcscnsrv.exe\r\npctsauxs.exe\r\npctsgui.exe\r\npctssvc.exe\r\npctstray.exe\r\npmon.exe\r\npoproxy.exe\r\npqibrowser.exe\r\npqv2isvc.exe\r\nprevsrv.exe\r\nprocexp.exe\r\npsctris.exe\r\npsctrls.exe\r\npshost.exe\r\npsimreal.exe\r\npskmssvc.exe\r\npviewer.exe\r\npview.exe\r\npxeservice.exe\r\nqdcsfs.exe\r\nsavservice.exe\r\nsavui.exe\r\nsbserv.exe\r\nscanfrm.exe\r\nscfmanager.exe\r\nscfservice.exe\r\nscftray.exe\r\nschdsrvc.exe\r\nschupd.exe\r\nsdtrayapp.exe\r\nseestat.exe\r\nsemsvc.exe\r\nsesclu.exe\r\nsevinst.exe\r\nsgbhp.exe\r\nslee81.exe\r\nsmsectrl.exe\r\nsmselog.exe\r\nsmsesjm.exe\r\nsmsesp.exe\r\nsmsesrv.exe\r\nsmsetask.exe\r\nsmseui.exe\r\nsms.exe\r\nsmsx.exe\r\nsnac.exe\r\nsndmon.exe\r\nsndsrvc.exe\r\nsnhwsrv.exe\r\nsnicheckadm.exe\r\nsnichecksrv.exe\r\nsnicon.exe\r\nsnsrv.exe\r\nspbbcsvc.exe\r\nsrvload.exe\r\nsschk.exe\r\nssecuritymanager.exe\r\nssm.exe\r\nsvcharge
.exe\r\nsvcntaux.exe\r\nsvdealer.exe\r\nsvframe.exe\r\nsvtray.exe\r\nswdsvc.exe\r\nsweepsrv.sys\r\nghosttray.exe\r\nicepack.exe\r\nidsinst.exe\r\ninicio.exe\r\nisntsmtp.exe\r\nisntsysmonitor\r\nispwdsvc.exe\r\nissvc.exe\r\nisuac.exe\r\nknownsvr.exe\r\nkpf4gui.exe\r\nkpf4ss.exe\r\nlmon.exe\r\nluall.exe\r\nlucallbackproxy.exe\r\nlucoms~1.exe\r\nlucomserver.exe\r\nlucoms.exe\r\nlwdmserver.exe\r\nmanagementagentnt.exe\r\nmcui32.exe\r\nmgntsvc.exe\r\nmrf.exe\r\nnavapsvc.exe\r\nnavapw32.exe\r\nnavectrl.exe\r\nnavelog.exe\r\nnavesp.exe\r\nnavshcom.exe\r\nnavw32.exe\r\nnavwnt.exe\r\nndetect.exe\r\nngctw32.exe\r\nngserver.exe\r\nnisoptui.exe\r\nnisserv.exe\r\nnisum.exe\r\nnmain.exe\r\nnpfmntor.exe\r\nqoeloader.exe\r\nqserver.exe\r\nras.exe\r\nrasupd.exe\r\nravalert.exe\r\nrav.exe\r\nravmond.exe\r\nravmon.exe\r\nravservice.exe\r\nravstub.exe\r\nravtask.exe\r\nravtray.exe\r\nravupdate.exe\r\nravxp.exe\r\nregmech.exe\r\nreportersvc.exe\r\nreportsvc.exe\r\nrfwmain.exe\r\nrfwproxy.exe\r\nrfwsrv.exe\r\nrfwstub.exe\r\nrnav.exe\r\nrnreport.exe\r\nrouternt.exe\r\nrsnetsvr.exe\r\nrstray.exe\r\nsav32cli.exe\r\nsavadminservice.exe\r\nsavfmsectrl.exe\r\nsavfmselog.exe\r\nsavfmsesjm.exe\r\nsavfmsespamstatsmanager.exe\r\nsavfmsesp.exe\r\nsavfmsesrv.exe\r\nsavfmsetask.exe\r\nsavfmseui.exe\r\nsavmain.exe\r\nsavroam.exe\r\nsavscan.exe\r\nswnetsup.exe\r\nswnxt.exe\r\nswserver.exe\r\nsymlcsvc.exe\r\nsymproxysvc.exe\r\nsymsport.exe\r\nsymtray.exe\r\nsymwsc.exe\r\nsysdoc32.exe\r\ntdimon.exe\r\ntfgui.exe\r\ntfservice.exe\r\ntftray.exe\r\ntfun.exe\r\ntiaspn~1.exe\r\ntmas.exe\r\ntmntsrv.exe\r\ntmpfw.exe\r\ntmproxy.exe\r\ntpsrv.exe\r\ntraflnsp.exe\r\ntrjscan.exe\r\ntrupd.exe\r\nucservice.exe\r\nupdtnv28.exe\r\nupfile.exe\r\nurllstck.exe\r\nusrprmpt.exe\r\nv2iconsole.exe\r\nvpc32.exe\r\nvpdn_lu.exe\r\nvprosvc.exe\r\nvptray.exe\r\nwebproxy.exe\r\nwfxctl32.exe\r\nwfxmod32.exe\r\nwfxsnt40.exe\r\nwinlog.exe\r\nwrspysetup.exe\r\nTable 5: Snake Ransomware YARA Rule\r\nrule Snake_Ransomware\r\n{\r\n    meta:\r\n        author = \"CERT/CC RE Team\"\r\n        description = \"Snake Ransomware String Decoder Function\"\r\n        date = \"21 Feb 2020\"\r\n    strings:\r\n        $bytes = { 8D 05 ?? ?? ?? ?? 89 44 24 04 C7 44 24 08 05 00 00 00 E8 ?? ?? ?? ?? 8B 44 24 0C 89 44 24 64 8B 4C 24 10 89 4C 24 18 8D 54 24 24 89 14 24 8D 15 ?? ?? ?? ?? 89 54 24 04 C7 44 24 08 05 00 00 00 E8 ?? ?? ?? ?? }\r\n    condition:\r\n        $bytes\r\n}\r\nReferences\r\n[1] https://twitter.com/VK_Intel/status/1214333066245812224\r\n[2] https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/\r\n[3] https://github.com/sysopfb/open_mal_analysis_notes/blob/master/e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c16\r\n[4] https://github.com/cmu-sei/pharos\r\n[5] https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/\r\n[6] https://www.accenture.com/_acnmedia/pdf-106/accenture-technical-analysis-megacortex.pdf\r\n[7] https://github.com/v1ado/HIPS_LIPS\r\nSource: https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html"
	],
	"report_names": [
		"snake-ransomware-analysis-updates.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434402,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6337e1a65c67e843b28b017cc48c9106c0bf967c.pdf",
		"text": "https://archive.orkl.eu/6337e1a65c67e843b28b017cc48c9106c0bf967c.txt",
		"img": "https://archive.orkl.eu/6337e1a65c67e843b28b017cc48c9106c0bf967c.jpg"
	}
}