{
	"id": "e596a7e4-4d57-41a2-8e24-5bd53da66aaa",
	"created_at": "2026-04-06T00:17:56.606862Z",
	"updated_at": "2026-04-10T13:11:36.1359Z",
	"deleted_at": null,
	"sha1_hash": "793b976a0c971b1c5f84c997b7dc130203d43d09",
	"title": "Reverse Engineering Snake Keylogger: Full .NET Malware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 154340,
	"plain_text": "Reverse Engineering Snake Keylogger: Full .NET Malware Analysis\r\nBy Lena aka LambdaMamba\r\nPublished: 2024-04-04 · Archived: 2026-04-05 19:18:40 UTC\r\nIntroduction\r\nIn order to understand malware comprehensively, it is essential to employ various analysis techniques and examine it from\r\nmultiple perspectives. These techniques include behavioral, network, and process analysis during sandbox analysis, as well\r\nas static and dynamic analysis during reverse engineering.\r\nI (Lena aka LambdaMamba), prefer to begin with sandbox analysis to understand the malware’s behavior. The insights from\r\nsandbox analysis provide a foundational understanding of what to anticipate and what specific aspects to investigate during\r\nthe reverse engineering process. Recognizing what to look for is crucial in reverse engineering because malware authors\r\noften employ a myriad of tricks to mislead analysts, as will be demonstrated in this reverse engineering walkthrough. We\r\nwill also be taking a look into how malware can be modded to make analysis easier.\r\nLet’s dive right into it!\r\nPreparation for Reverse Engineering\r\nThis sample has 4 stages, dynamic code execution, code reassembly, obfuscation, steganography, junk code, and various\r\nother anti-analysis techniques. We’ll eventually get into fun things like modding the malware, so stay with me here!\r\nThe modded Snake Keylogger\r\nThe sandbox analysis of this Snake Keylogger was covered in my previous article Analyzing Snake Keylogger in\r\nANY.RUN: a Full Walkthrough. From the sandbox analysis, I have a general understanding of what to look for during\r\nreverse engineering. These are some things I would look out for the Snake Keylogger during reverse engineering:\r\nMalware config: SMTP credentials used for data exfiltration\r\nInfostealing functionalities: Steals credentials from Browsers and Apps\r\nDefense evasion techniques: Move to Temp after execution, Checks and kills certain processes\r\nAnti-analysis techniques: Execution stops if not connected to internet, Self-Deletion after execution\r\nFor this Reverse Engineering walkthrough, I will be conducting static and dynamic analysis with the use of a decompiler\r\nand debugger. Thus, it is important to prepare an isolated environment that is specifically prepared for malware analysis.\r\nMalware Analysis Environment used in this Reverse Engineering Walkthrough:\r\nVirtualBox\r\nWindows 11\r\nFlare-VM\r\ndnSpy 32-bit\r\nDetect It Easy (DIE) \r\n.NET Reactor Slayer\r\nRecommended setups for safety:\r\nDisable Network Adapters to prevent accidental connection to the network\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 1 of 28\n\nMinimize resource sharing between guest and host, disable shared clipboard, drag and drop, etc. \r\nStage 1: pago 4094.exe\r\nDetermining the File Attributes\r\nThe executable “pago 4094.exe” is identical to the one covered in my Analyzing Snake Keylogger in ANY.RUN: a Full\r\nWalkthrough, and has the following attributes: \r\nSHA1 hash of “A663C9ECF8F488D6E07B892165AE0A3712B0E91F” \r\nMIME type of “application/x-dosexec” \r\nPE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\nPutting “pago 4094.exe” through DIE (Detect it Easy) showed that the Library is “.NET(v4.0.30319)[-]” and the Linker is\r\nthe “Microsoft Linker(48.0)[GUI32]”.\r\n“pago 4094.exe” on DIE shows the Library and Linker\r\nSince “pago 4094.exe” is a 32-bit .NET malware, 32-bit dnSpy will be used for Reverse Engineering. This executable was\r\nopened as “mKkHQ (1.0.0.0)” in dnSpy.\r\nThe executable is opened as“mKkHQ (1.0.0.0)” on dnSpy\r\nStatic Analysis with the Decompiler\r\nThe entry point in a .NET executable is the method where execution starts upon launch, so I will start the analysis from the\r\nentry point. We can go to the Entry Point by right clicking “mKkHQ” in the Assembly Explorer, and selecting “Go to Entry\r\nPoint” in the dropdown menu. The entry point is under “Program”, and Main() could be observed in the decompiled code.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 2 of 28\n\nThe entry point that contains the Main function\r\nThis application was filled with code for a “Airplane Travelling Simulation” application. However, I know from the Snake\r\nKeylogger Sandbox Analysis that functionalities related to Airplane Travelling simulations were never observed.\r\nA bunch of irrelevant code related to an “Airplane Travelling” application\r\nThis means that the payload for the Snake Keylogger is loaded somewhere before the Airplane Travelling simulation\r\napplication starts. A suspicious block of code was observed, lines 91~96 and 100~104 in Form1,  InitializeComponent(). It\r\nuses GetObject() to get the data from a resource named “Grab”, and will be decrypted using the key ps in the For loop.\r\nA suspicious block of code before the “Airplane Travelling” application starts\r\n“Grab” is under the Resources of “mKkHQ”, and the contents were a bunch of gibberish when viewed in the memory.\r\nThe contents of “Grab” in the memory\r\nDetermining the Junk Code \r\nI commented out the suspicious block of code, re-compiled, and saved as “pago 4094_mod.exe”.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 3 of 28\n\nCommenting out the suspicious block of code\r\n“pago 4094_mod.exe” was executed in an ANY.RUN sandbox, which can be found here. It opens an application that asks\r\nfor input text files, and will start an airplane simulation application complete with a GUI.\r\nThe “Airplane Travelling” application on the ANY.RUN Sandbox\r\nThis means that the suspicious block of code (lines 91~96 and 100~104) are responsible for the malicious activities. \r\nDynamic Analysis with the Debugger \r\nI set the breakpoints, and started the debugger. (IMPORTANT: Before starting the debugger, please make sure your malware\r\nanalysis environment is isolated, and does not contain any important data as we will be executing malicious code.)\r\nThe byte array data2 contains the contents of “Grab” from the GetObject(“Grab”)  as expected when the program is run\r\nuntil Line 93.\r\nThe contents of byte array data2 when run until Line 93\r\nThe contents of data2 can be observed in the memory, which is identical to what we previously saw in “Grab” under\r\nResources.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 4 of 28\n\nThe contents of byte array data2 in memory when run until Line 93\r\nAfter the For loop responsible for decrypting the code, I could see that data2[0] contained 0x4D (“M” in ASCII) and\r\ndata2[1] contained 0x5A (“Z” in ASCII). This indicates that it’s the start of the DOS header (“MZ..”).\r\nThe contents of byte array data2 after decryption, which shows the start of the DOS header\r\nViewing data2 in memory showed the DOS header (indicated by “MZ”), DOS Stub (indicated by “This program cannot be\r\nrun in DOS mode”), and the PE header (indicated by “PE”).\r\nThe contents of byte array data2 in memory after decryption\r\nThe binary data is in the byte array data2, and Assembly.Load(data2) loads the binary data as an assembly into the current\r\napplication domain. Activator.CreateInstance(type, args) creates the instance and will start execution of the loaded assembly.\r\nUse of Assembly.Load to load the assembly\r\nThe loaded module is called “Aads”, and can be seen under the dnSpy Module tab, which I saved as a DLL. This “Aads.dll”\r\nwill be the next stage, namely stage 2.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 5 of 28\n\nThe module “Aads.dll” can be observed under the Modules Tab\r\nStage 2: Aads.dll\r\nDetermining the File Attributes\r\nThe “Aads.dll” has the following attributes: \r\nSHA1 hash of “244000E9D84ABB5E0C78A2E01B36DDAD8958D943” \r\nMIME type of “application/x-dosexec” \r\nPE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows\r\nPutting “Aads.dll” through DIE (Detect it Easy) showed that it’s a DLL (Dynamic Link Library), where the Library is\r\n“.NET(v2.0.50727)[-]” and the Linker is the “Microsoft Linker(8.0)[DLL32]”.\r\n“Aads.dll” on DIE shows the Library and Linker\r\nStatic Analysis with the Decompiler\r\nI opened “Aads.dll” in dnSpy 32-bit like the previous stage. There’s a lot of sorting and searching functions, but no code\r\nrelated to infostealing was observed. Based on the static analysis of “Aads.dll”, it seems like some data will be rearranged\r\ninto data that is responsible for the next stage.\r\nDecompiling the “Aads.dll” on dnSpy reveals a bunch of search and sort functions\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 6 of 28\n\nBack in Stage 1, GetObject() was used to get data from the Resources that was decrypted into the Stage 2 DLL. Thus, I\r\ndecided to look for GetObject(), in the hopes of finding the source data of the next stage.\r\nAfter looking around, I found GetObject(x10). Here, it uses the image data from a file, and this resource name is specified\r\ninside string variable x10.\r\nUsage of GetObject()\r\nDynamic Analysis with the Debugger \r\nI set the breakpoints on Line 475 and 477, and ran the debugger. I could see that x10 was “ivmSL” when run until Line 475.\r\nObtaining the filename used for GetObject() with the debugger\r\nThe “ivmsL” is under Airplane.Travelling’s resources. A noisy grainy image which looked like steganography could be\r\nobserved.\r\nThe steganography image “ivmsL” that is used in GetObject()\r\nThis is the contents of the file “ivmsL” when viewed in the memory.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 7 of 28\n\nThe contents of “ivmsL” in the memory\r\nThis image bitmap data will then go through various byte array searching and sorting algorithms. These include Heapsorts,\r\nQuicksorts.\r\nContents of the byte array array before the sorting is complete\r\nContents of the byte array array in memory before the sorting is complete\r\nAfter various searching and sorting operations, I could see that array[0] contained 0x4D (“M” in ASCII) and array[1]\r\ncontained 0x5A (“Z” in ASCII). This indicates that it’s the start of the DOS header (“MZ..”).\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 8 of 28\n\nThe contents of byte array array when sorting is complete, which shows the start of the DOS header\r\nViewing array in memory showed the DOS header (indicated by “MZ”), DOS Stub (indicated by “This program cannot be\r\nrun in DOS mode”), and the PE header (indicated by “PE”).\r\nThe contents of byte array array in memory when sorting is complete\r\nThe loaded module is called “Tyrone”, and can be seen under the dnSpy Module tab, which I saved as a DLL. This\r\n“Tyrone.dll” will be the next stage, namely stage 3.\r\nThe module “Tyrone.dll” can be observed under the Modules Tab\r\nStage 3: Tyrone.dll\r\nDetermining the File Attributes\r\nThe “Tyrone.dll” has the following attributes: \r\nSHA1 hash of “6523D31662B71A65533B11DA299240F0E8C1FF2C” \r\nMIME type of “application/x-dosexec” \r\nPE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows\r\nPutting “Tyrone.dll” through DIE (Detect it Easy) showed that it’s a DLL (Dynamic Link Library), where the Library is\r\n“.NET(v2.0.50727)[-]”, Compiler is “VB.NET(-)[-]” and the Linker is “Microsoft Linker(8.0)[DLL32]”.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 9 of 28\n\n“Tyrone.dll” on DIE shows the Library, Compiler, and Linker\r\nDeobfuscation \r\n“Tyrone.dll” was opened in dnSpy 32-bit, and is heavily obfuscated. The Class and function names were not human-readable, and the code was difficult to analyze.\r\nDecompiling the “Tyrone.dll” on dnSpy reveals obfuscated code\r\nI deobfuscated “Tyrone.dll” using .NET Reactor Slayer, with all options selected. \r\nDeobfuscating the “Tyrone.dll”\r\nStatic Analysis with the Decompiler\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 10 of 28\n\nAfter deobfuscating, the code was much easier to read. After looking around, a bunch of junk code related to a “pandemic\r\nsimulation” was observed. I know they are junk code, because these functionalities were never observed back in my sandbox\r\nanalysis.\r\nA bunch of junk code were observed in “Tyrone.dll”\r\nAfter looking around the deobfuscated code, there was no function that performed the infostealer activities. This means that\r\nthere is likely a next stage. \r\nThus, I looked for GetObject() again. As expected, there was GetObject(), which gets the data from a resource whose name\r\nis specified by string variable string_0.\r\nUsage of GetObject()\r\nBased on static analysis of the deobfuscated code, a bunch of sorting takes place on the byte array data from GetObject().\r\nDynamic Analysis with the Debugger \r\nUmHYCAPJIp() and \\u0020 in the obfuscated code corresponds to method_0() and string_0 respectively in the deobfuscated\r\ncode. Breakpoints were set on the obfuscated code, and after running until the breakpoint, \\u0020 was  “wHzyWQnRZ”.\r\nObtaining the filename used for GetObject() with the debugger\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 11 of 28\n\nThe “wHzyWQnRZ” is under the Resources of “Tyrone”, and the contents were a bunch of gibberish when viewed in the\r\nmemory.\r\nThe contents of “wHzyWQnRZ” in the memory\r\nI let the program run, and after a bunch of byte array rearranging, I could see that \\u0020[0] contained 0x4D (“M” in ASCII)\r\nand \\u0020[1] contained 0x5A (“Z” in ASCII). This indicates that it’s the start of the DOS header (“MZ..”).\r\nThe contents of byte array \\u0020 after the sorting is complete, which shows the start of the DOS header\r\nViewing \\u0020 in memory showed the DOS header (indicated by “MZ”), DOS Stub (indicated by “This program cannot be\r\nrun in DOS mode”), and the PE header (indicated by “PE”). This is the next stage executable, namely stage 4, and I saved\r\nthis as an EXE file.\r\nThe contents of byte array \\u0020 in memory when sorting is complete\r\nStage 4: lfwhUWZlmFnGhDYPudAJ.exe\r\nDetermining the File Attributes\r\nThis stage’s executable was called “lfwhUWZlmFnGhDYPudAJ.exe”, and has the following attributes:\r\nSHA1 Hash of “86BE2A34EACBC0806DBD61D41B9D83A65AEF69C5”\r\nMIME type of “application/x-dosexec” \r\nPE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\nPutting “lfwhUWZlmFnGhDYPudAJ.exe” through DIE (Detect it Easy) showed that the Library is “.NET(v4.0.30319)[-]”,\r\nCompiler is “VB.NET(-)[-]”, and Linker is “Microsoft Linker(80.0)[GUI32,admin]”.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 12 of 28\n\n“lfwhUWZlmFnGhDYPudAJ.exe” on DIE shows the Library, Compiler and Linker\r\nSandbox Analysis\r\nDetonating “lfwhUWZlmFnGhDYPudAJ.exe” in an ANY.RUN sandbox showed that it was detected as a Snake Keylogger.\r\nThe task can be found here.\r\nThe overview of “lfwhUWZlmFnGhDYPudAJ.exe” in an ANY.RUN sandbox\r\nDeobfuscation\r\n“lfwhUWZlmFnGhDYPudAJ.exe” was opened in dnSpy 32-bit, and was heavily obfuscated. The class and function names\r\nwere not human-readable, and the code was difficult to follow. I deobfuscated it using .NET Reactor Slayer again with all\r\nthe options selected.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 13 of 28\n\nDecompiling the “lfwhUWZlmFnGhDYPudAJ.exe” on dnSpy reveals obfuscated code\r\nDeobfuscating the “lfwhUWZlmFnGhDYPudAJ.exe”\r\nRenaming the Class and Functions\r\nAfter deobfuscation, the code was much easier to read. After looking around, the infostealing functionalities were finally\r\nfound. In order to better understand and follow the code, I did a lot of manual renaming of the class and functions. All the\r\nmodified names have “lena_” prefix.\r\nThe left shows the deobfuscated code, and the right shows the deobfuscated and manually renamed code\r\nAnalyzing the Snake Keylogger Code \r\nExtracting the Malware Config\r\nIn this section, I will be analyzing the Snake Keylogger code that is responsible for the malicious activities. \r\nThe malware config was observed in Class6, however it was encrypted with a hard coded encryption key.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 14 of 28\n\nThe malware config that contains the encryption key, and the encrypted SMTP information\r\nThe config is decrypted using lena_crypt(), with the hardcoded key lena_key.\r\nThe algorithm used for decrypting the SMTP information\r\nI converted this decryption code to Python. The first 8 bytes of the MD5 hash of\r\n“BsrOkyiChvpfhAkipZAxnnChkMGkLnAiZhGMyrnJfULiDGkfTkrTELinhfkLkJrkDExMvkEUCxUkUGr” is used for the\r\ndecryption key, namely “6fc98cd68a1aab8b”. It uses this key to decrypt the Base64 decoded config string with DES (ECB\r\nmode).\r\nfrom Crypto.Cipher import DES\r\nfrom Crypto.Hash import MD5\r\nimport base64\r\ndef lena_decrypt_snake(text, key_string):\r\n try:\r\n key = MD5.new(key_string.encode('ascii')).digest()[:8]\r\n cipher = DES.new(key, DES.MODE_ECB)\r\n decrypted_data = cipher.decrypt(base64.b64decode(text))\r\n decrypted_text = decrypted_data.decode('ascii', errors='ignore')\r\n padding_len = decrypted_data[-1]\r\n if padding_len \u003c len(decrypted_data):\r\n return decrypted_text[:-padding_len]\r\n return decrypted_text\r\n except Exception as e:\r\n return str(e)\r\nlena_key = \"BsrOkyiChvpfhAkipZAxnnChkMGkLnAiZhGMyrnJfULiDGkfTkrTELinhfkLkJrkDExMvkEUCxUkUGr\"\r\nprint(\"lena_sender_email_addr: \", lena_decrypt_snake(\"I22WW+qzjWDd9uzIPosYRadxnZcjebFO\", lena_key))\r\nprint(\"lena_sender_email_pw: \", lena_decrypt_snake(\"MrZp4p9eSu2QFqjr3GQpbw==\", lena_key))\r\nprint(\"lena_SMTP_server: \", lena_decrypt_snake(\"XHGvc06cCeeEGUtcErhxrCgs7X5wecJ1Yx74dJ0TP3M=\", lena_key))\r\nprint(\"lena_receiver_email_addr: \", lena_decrypt_snake(\"I22WW+qzjWDd9uzIPosYRadxnZcjebFO\", lena_key))\r\nprint(\"lena_SMTP_port: \", lena_decrypt_snake(\"oXrxxBiV5W8=\", lena_key))\r\nprint(\"lena_padding: \", lena_decrypt_snake(\"Yx74dJ0TP3M=\", lena_key))\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 15 of 28\n\nThe Python code that decrypts the SMTP information\r\nWhen I ran the Python code with the strings in Class6, the malware config revealed itself. These were the SMTP information\r\nused for exfiltrating the data, which included the sender email address, password, SMTP server, recipient email address, and\r\nSMTP port. These are the same credentials observed in the Snake Keylogger Sandbox Analysis.\r\nThe decrypted SMTP information obtained from the Python code\r\nThe Main Functionalities \r\nLet’s take a look at what the actual payload of the Snake Keylogger does. It starts off by moving the executable to the Temp\r\ndirectory, and naming it after the current time.\r\nThe code responsible for moving the executable to Temp\r\nAfter that, it will collect data from various places, including Browsers (e.g. Chrome, Comodo, Opera, Microsoft Edge, etc.),\r\nApplications (e.g. Outlook, Discord, etc.).\r\nThe calls from Main() that collects data from various places, mostly browsers\r\nFor example, this is the code segment responsible for collecting login data from Chrome. The login data file for Chrome is\r\nin “\\Google\\Chrome\\User Data\\Default\\Login Data”, and is a SQLite database file that contains saved login information.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 16 of 28\n\nThe code responsible for collecting Chrome login data\r\nThis is the code segment responsible for collecting saved login data from Microsoft Edge. The login data file for Microsoft\r\nEdge is in “\\Microsoft\\Edge\\User Data\\Default\\Login Data”, and is a SQLite database file that contains saved login\r\ninformation.\r\nThe code responsible for collecting Microsoft Edge login data\r\nIt also collects authentication tokens from Discord, and this is the code segment responsible for it. Discord stores its\r\nLevelDB database files in “\\discord\\Local Storage\\leveldb”, and may contain the user’s authentication token. With the\r\nauthentication token, the attacker can gain unauthorized access to the victim’s Discord account without a password.\r\nThe code responsible for collecting Discord tokens\r\nFinally, it will exfiltrate all this collected information, via FTP, SMTP, or Telegram.\r\nThe calls from Main() that exfiltrates the collected data\r\nThis is the code responsible for exfiltrating with FTP. If the Snake Keylogger is configured to use FTP, it creates a FTP\r\nrequest. The FTP credentials are hard-coded into the Snake Keylogger code (“lena_padding_1” and “lena_padding_2” in\r\nthis case), however, this Snake Keylogger sample is configured to use SMTP, so the code does not include the FTP\r\ncredentials. Once the stolen data is prepared, it uploads it to the server with FTP.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 17 of 28\n\nThe code responsible for FTP exfiltration\r\nThis Snake Keylogger sample is configured to use SMTP by default, and this is the code responsible for exfiltrating with\r\nSMTP. If the Snake Keylogger is configured to use SMTP, it constructs an email with MailMessage, and prepares the email\r\nsender address, receiver address, subject, body, and the stolen data as a text attachment. It then uses the SMTP credentials\r\nhardcoded in the malware configuration to authenticate and exfiltrate via SMTP with smtpClient.Send().\r\nThe code responsible for SMTP exfiltration\r\nThis is the code responsible for exfiltrating with Telegram. If the Snake Keylogger is configured to use Telegram, it creates\r\nthe Telegram API request URL, with the bot token (“lena_padding_4” in this case) and chat ID (“lena_padding_5” in this\r\ncase) where the data will be sent. However, this Snake Keylogger sample is configured to use SMTP, so the code does not\r\ninclude the Telegram bot token and chat ID.\r\nThe code responsible for Telegram exfiltration\r\nOther Interesting Functionalities \r\nHere are some other interesting code segments in the Snake Keylogger. This code segment searches and kills processes\r\nrelated to security and monitoring. These processes include antiviruses (Norton, F-Prot, Avira, Kaspersky aka Avp, etc.),\r\nnetwork monitoring tools (Wireshark, Snort, etc.), debuggers (OllyDbg, etc.), firewalls (ZoneAlarm, Outpost, BlackIce,\r\netc.).\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 18 of 28\n\nThe code responsible for searching and killing processes related to security and monitoring\r\nThis code is responsible for taking screenshots. It uses a Graphics object to capture the entire screen, saves this as a PNG in\r\nthe “SnakeKeylogger” folder, and exfiltrates it.\r\nThe code responsible for taking screenshots\r\nThis code is responsible for stealing and exfiltrating clipboard data.\r\nThe code responsible for stealing and exfiltrating clipboard data\r\nThere is a Keylogger class that is responsible for the keylogging activities.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 19 of 28\n\nThe Keylogger class with Keylogging functions\r\nIt monitors keystrokes with the event handler for the KeyDown and KeyUp event.\r\nCode segment related to keystroke monitoring\r\nIt also identifies the keystrokes, and checks for special keys like Backspace, Tab, Enter, Space, End, Delete, etc.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 20 of 28\n\nCode segment related to keystroke identification\r\nModding the Malware\r\nBefore we get into this section, please understand that we are only going to mod the malware to make analysis easier. Please\r\ndo not abuse this knowledge!\r\nModding Anti-Analysis Functionalities \r\nIf I tried to run the Stage 4 payload in an environment not connected to the internet, an exception will be thrown and will\r\nexit.\r\nAn exception is thrown\r\nI edited the code, so that the Snake Keylogger will not terminate execution depending on internet connectivity, and not\r\ncheck the IP with checkip.dyndns.org as observed in the Snake Keylogger Sandbox Analysis.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 21 of 28\n\nThe code responsible for connectivity checks are commented out\r\nUpon execution, it will delete itself as observed in the Snake Keylogger Sandbox Analysis. Thus, I’ve modded it so it\r\ndoesn’t delete itself to make debugging easier.\r\nThe code responsible for self-deletion is commented out\r\nUpon execution, it will move itself to Temp as also observed in Snake Keylogger Sandbox Analysis. Thus, I also modded it\r\nso it does not move itself to Temp.\r\nThe code responsible for moving to Temp is commented out\r\nIt will now continue execution without being connected to the internet, not delete itself or move itself to Temp after this\r\nmodification. This will make dynamic analysis in the isolated malware analysis environment easier.\r\nModding the SMTP credentials\r\nI wrote a script in Python that encrypts the malware config. I made a throwaway Outlook account, where the SMTP server is\r\nsmtp-mail.outlook.com. \r\nThe first 8 bytes of the MD5 hash of\r\n“BsrOkyiChvpfhAkipZAxnnChkMGkLnAiZhGMyrnJfULiDGkfTkrTELinhfkLkJrkDExMvkEUCxUkUGr” is used for the\r\ndecryption key, namely “6fc98cd68a1aab8b”. It then uses this key to encrypt the string with DES (ECB mode), and Base64\r\nencoding is applied to the encrypted string.\r\nfrom Crypto.Cipher import DES\r\nfrom Crypto.Hash import MD5\r\nfrom Crypto.Util.Padding import pad\r\nimport base64\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 22 of 28\n\ndef lena_encrypt_snake(plaintext, key_string):\r\n try:\r\n key = MD5.new(key_string.encode('ascii')).digest()[:8]\r\n cipher = DES.new(key, DES.MODE_ECB)\r\n padded_text = pad(plaintext.encode('ascii'), DES.block_size)\r\n encrypted_data = cipher.encrypt(padded_text)\r\n encrypted_text = base64.b64encode(encrypted_data).decode('ascii')\r\n return encrypted_text\r\n except Exception as e:\r\n return str(e)\r\nlena_key = \"BsrOkyiChvpfhAkipZAxnnChkMGkLnAiZhGMyrnJfULiDGkfTkrTELinhfkLkJrkDExMvkEUCxUkUGr\"\r\nprint(\"lena_sender_email_addr: \", lena_encrypt_snake(\"\u003cREDACTED\u003e@outlook.com\", lena_key))\r\nprint(\"lena_sender_email_pw: \", lena_encrypt_snake(\"\u003cREDACTED\u003e\", lena_key))\r\nprint(\"lena_SMTP_server: \", lena_encrypt_snake(\"smtp-mail.outlook.com\", lena_key))\r\nprint(\"lena_receiver_email_addr: \", lena_encrypt_snake(\"\u003cREDACTED\u003e@proton.me\", lena_key))\r\nprint(\"lena_SMTP_port: \", lena_encrypt_snake(\"587\", lena_key))\r\nThe Python code that encrypts the SMTP information\r\nI ran the SMTP information through the encryption code.\r\nThe encrypted SMTP information obtained from the Python code\r\nI added that into the malware config, and changed TLS to “True” as Outlook SMTP requires STARTTLS/TLS on port 587.\r\nThe modified and encrypted SMTP information is added to the config\r\nModding for Customization\r\nI changed the executable icon to my profile picture, and the file details using Resource Hacker.\r\nUsing Resource Hacker to customize the File details\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 23 of 28\n\nI also added some functionality that changes the background picture, so I know when the Snake Keylogger has executed. I\r\nadded my signature digital white snake wallpaper under the Resources.\r\nLena’s Digital White Snake Wallpaper\r\nI added a new function lena_snek() that gets the image from Resources, temporarily saves it as a PNG in /Temp, and sets\r\nthat as the background picture when the executable starts.\r\nCode segment for background change\r\nI also added a new function lena_save_txt() that saves the collected information on the Desktop as “Passwords.txt” and\r\n“User.txt”, so I can observe what was stolen without viewing the PCAP or have access to the exfiltration email.\r\nCode segment for saving collected information as a text file\r\nExecuting the Modded Malware in a Sandbox\r\nI detonated the modded Snake Keylogger in the ANY.RUN Sandbox, which can be found here.\r\nBefore detonating the modded Snake Keylogger on an ANY.RUN Sandbox\r\nUpon execution, the background changed to my digital white snake wallpaper. This indicates that the modded Snake\r\nKeylogger has successfully executed.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 24 of 28\n\nDetonating the modded Snake Keylogger on an ANY.RUN Sandbox changes the background\r\nShortly after, “Passwords.txt” and “User.txt” showed up on the Desktop.\r\nThe collected information is saved as a text file on the Desktop\r\nThe contents of “Passwords.txt” and “User.txt” on the Desktop can be seen below. These are credentials I saved onto Google\r\nChrome before detonating the Snake Keylogger.\r\n“Passwords.txt” on the left, “User.txt” on the right in an ANY.RUN sandbox\r\nAfter executing the Snake Keylogger, I received the “Passwords.txt” and “User.txt” from the throwaway Outlook email.\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 25 of 28\n\nThe email I received from the throwaway email account\r\nThis is consistent with the text file saved onto the Desktop, as well as what was observed back in the PCAP of the sandbox\r\nanalysis. However, as Outlook’s SMTP uses TLS/STARTTLS, the contents of these text files are encrypted and cannot be\r\nviewed in the PCAP.\r\n“Passwords.txt” on the left, “User.txt” on the right\r\nThe email can be seen under “Sent Items” in my throwaway Outlook account which was used to send the email.\r\nThe email from the sender’s perspective\r\nThe malware config can be found in ANY.RUN’s Malware Configuration.\r\nThe Malware Configuration for the Snake Keylogger on ANY.RUN\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 26 of 28\n\nConclusion\r\nThis walkthrough demonstrated the process of reverse engineering a .NET malware, specifically the Snake Keylogger. It\r\nalso highlighted the importance of employing multiple analysis techniques.\r\nStarting with sandbox analysis to gain a general understanding of the malware’s expected behavior is crucial for reverse\r\nengineering, as it guides us on what to look for especially when faced with various anti-analysis techniques employed by\r\nmalware authors to deter analysts.\r\nMy prior sandbox analysis, Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough, provided me with insights into\r\nwhat to expect. Thus, despite encountering challenges such as junk code, obfuscation, multiple stages, steganography,\r\ndynamic code execution, and code reassembly, I knew what to look for during the reverse engineering process.\r\nFinally, I also demonstrated how malware can be modded to make analysis easier.\r\nAbout ANY.RUN\r\nANY.RUN is a cloud-based malware analysis platform designed to support the work of security teams. It boasts a user base\r\nof 400,000 professionals who utilize the platform for threat analysis on Windows and Linux cloud virtual machines.\r\nWith ANY.RUN, you security team can enjoy:\r\nInstant detection: ANY.RUN can detect malware and identify various malware families using YARA and Suricata\r\nrules within approximately 40 seconds of file upload.\r\nHands-on analysis: In contrast to many automated tools, ANY.RUN offers interactive capabilities, allowing users to\r\nengage directly with the virtual machine through their browser. This feature helps prevent zero-day exploits and\r\nadvanced malware that can bypass signature-based detection.\r\nLow cost: ANY.RUN’s cloud-based nature makes it a budget-friendly solution for businesses, eliminating the need\r\nfor setup or maintenance efforts from the DevOps team.\r\nTraining functionality: ANY.RUN’s user-friendly interface enables even junior SOC analysts to quickly learn how\r\nto analyze malware and extract indicators of compromise (IOCs).\r\nGet a personalized demo of ANY.RUN for your team.\r\nSchedule a call with us →\r\nAppendix 1: IOC\r\nName pago 4094.exe Aads.dll\r\nMD5  1A0F4CC0513F1B56FEF01C815410C6EA 60A14FE18925243851E7B89859065C24\r\nSHA1 A663C9ECF8F488D6E07B892165AE0A3712B0E91F 244000E9D84ABB5E0C78A2E01B36DDA\r\nSHA256 D483D48C15F797C92C89D2EAFCC9FC7CBE0C02CABE1D9130BB9069E8C897C94C 6CDEE30BA3189DF070B6A11A2F80E84\r\nSSDEEP 12288:PXPZDbCo/k+n70P4uR87fD0iBTJj1ijFDTwA:hOz+IPz6/PF1ihDTwA 1536:kEMoTcQA2YULtLNvpQy59F/ok19c\r\nAppendix 2: Snake Keylogger Config Decryption Python Code\r\nfrom Crypto.Cipher import DES\r\nfrom Crypto.Hash import MD5\r\nimport base64\r\ndef lena_decrypt_snake(text, key_string):\r\n try:\r\n key = MD5.new(key_string.encode('ascii')).digest()[:8]\r\n cipher = DES.new(key, DES.MODE_ECB)\r\n decrypted_data = cipher.decrypt(base64.b64decode(text))\r\n decrypted_text = decrypted_data.decode('ascii', errors='ignore')\r\n padding_len = decrypted_data[-1]\r\n if padding_len \u003c len(decrypted_data):\r\n return decrypted_text[:-padding_len]\r\n return decrypted_text\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 27 of 28\n\nexcept Exception as e:\r\n return str(e)\r\nLena aka LambdaMamba\r\nI am a Chief Research Officer at a cybersecurity company. My passions include investigations, experimentations, gaming,\r\nwriting, and drawing. I also like playing around with hardware, operating systems, and FPGAs. I enjoy assembling things as\r\nwell as disassembling things! In my spare time, I do CTFs, threat hunting, and write about them. I am fascinated by snakes,\r\nwhich includes the Snake Malware!\r\nCheck out:\r\nMy website\r\nMy LinkedIn profile\r\nI am a Chief Research Officer at a cybersecurity company. My passions include investigations, experimentations, gaming,\r\nwriting, and drawing. I also like playing around with hardware, operating systems, and FPGAs. I enjoy assembling things as\r\nwell as disassembling things! In my spare time, I do CTFs, threat hunting, and write about them. I am fascinated by snakes,\r\nwhich includes the Snake Malware! Check out:\r\nMy website\r\nMy LinkedIn profile\r\nSource: https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nhttps://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/\r\nPage 28 of 28",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/"
	],
	"report_names": [
		"reverse-engineering-snake-keylogger"
	],
	"threat_actors": [],
	"ts_created_at": 1775434676,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/793b976a0c971b1c5f84c997b7dc130203d43d09.pdf",
		"text": "https://archive.orkl.eu/793b976a0c971b1c5f84c997b7dc130203d43d09.txt",
		"img": "https://archive.orkl.eu/793b976a0c971b1c5f84c997b7dc130203d43d09.jpg"
	}
}