Snake Keylogger - How to Detect

Last updated: 2026-04-01

Snake Keylogger Detection Guide

Behavioral Indicators

Snake Keylogger exhibits several runtime behaviors that can be detected through process monitoring and API tracing. The malware typically injects itself into legitimate processes, most commonly web browsers (e.g., chrome.exe, firefox.exe, msedge.exe) and system processes such as explorer.exe. Watch for the process hollowing sequence: a legitimate process is created in a suspended state (CreateProcess with CREATE_SUSPENDED), its original image is unmapped (NtUnmapViewOfSection), the payload is written into the address space (WriteProcessMemory), the main thread's entry point is redirected (SetThreadContext), and the thread is resumed (ResumeThread). Any one of these calls is common on its own; the full sequence from one process against one target is not, so detect on the ordered sequence rather than on individual calls.

The keylogging component relies on Windows API calls for keyboard capture. Look for SetWindowsHookEx installing WH_KEYBOARD_LL or WH_KEYBOARD hooks from processes that do not normally handle user input, and for GetAsyncKeyState or GetKeyState called in tight polling loops (a sustained, high-frequency stream of calls rather than the occasional call a normal application makes). Because the code has been injected, these calls appear to come from a process, and with a parent, that would not normally perform them.

Credential access patterns include reading clipboard contents via GetClipboardData, in particular to harvest cryptocurrency wallet addresses. From inside an injected browser, the malware can capture form submissions before they are TLS-encrypted. It also reads stored credentials directly from disk, including the Chromium Login Data SQLite database and the equivalent stores of other browsers. Look for processes other than the browser itself reading %LocalAppData%\Google\Chrome\User Data\Default\Login Data (or the corresponding path for other Chromium profiles, and logins.json in a Firefox profile).

Additional behaviors include periodic screenshot capture using BitBlt or similar GDI functions, and attempts to disable security software by terminating antivirus or EDR processes. The malware may create a mutex with a name such as “SnakeMutex” or “Global\[random hex]” to ensure that only one instance runs; a mutex name is cheap to check for and is a usable indicator whenever it is stable across samples.
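The checks above, as an added example that is not part of the original guide: it correlates the hollowing sequence, keyboard hooks and polling, credential-store reads and mutex names over a small set of constructed process events. The event shape (pid, image, op, arg) is an assumed simplification of Sysmon/EDR telemetry, not any product's real format, and the allow-lists and thresholds are assumptions to tune per environment.

```python
"""Added example, not part of the original guide: correlate the behavioural
indicators above over constructed process telemetry. The event shape is an
assumed simplification of Sysmon/EDR records, not any real product's format."""
import re
from collections import defaultdict

# Assumed allow-lists; tune per environment.
INPUT_HANDLERS = {"explorer.exe", "csrss.exe"}          # may legitimately hook the keyboard
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # may legitimately read their own Login Data
POLL_THRESHOLD = 50                                     # GetAsyncKeyState/GetKeyState calls per process

# Process hollowing in the order described above: spawn suspended, unmap the
# original image, write the payload, redirect the thread, resume.
HOLLOW_SEQUENCE = ["CreateProcess:CREATE_SUSPENDED", "NtUnmapViewOfSection",
                   "WriteProcessMemory", "SetThreadContext", "ResumeThread"]

LOGIN_DATA_RE = re.compile(r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\login data$", re.I)
MUTEX_RE = re.compile(r"^(snakemutex|global\\[0-9a-f]{8,})$", re.I)


def in_order(seq, pattern):
    """True if every element of `pattern` occurs in `seq` in that order (gaps allowed)."""
    it = iter(seq)
    return all(any(x == p for x in it) for p in pattern)


def analyze(events):
    """Return {pid: [finding, ...]} for processes whose events match the indicators."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    findings = {}
    for pid, evs in by_pid.items():
        image = evs[0]["image"].lower()
        apis = [e["arg"] for e in evs if e["op"] == "api"]
        hits = []

        # 1. The whole hollowing sequence, in order, from one process.
        if in_order(apis, HOLLOW_SEQUENCE):
            hits.append("process hollowing sequence")

        # 2. Keyboard hook from a process that has no business handling input.
        hooks = {e["arg"] for e in evs if e["op"] == "hook"}
        if image not in INPUT_HANDLERS and hooks & {"WH_KEYBOARD", "WH_KEYBOARD_LL"}:
            hits.append("keyboard hook from non-input process")

        # 3. Key-state polling loop.
        polls = sum(1 for a in apis if a in ("GetAsyncKeyState", "GetKeyState"))
        if polls >= POLL_THRESHOLD:
            hits.append(f"keystroke polling ({polls} calls)")

        # 4. Browser credential store read by something other than the browser.
        if image not in BROWSERS:
            for e in evs:
                if e["op"] == "file_read" and LOGIN_DATA_RE.search(e["arg"]):
                    hits.append(f"browser credential store read: {e['arg']}")
                    break

        # 5. Mutex names from the guide.
        for e in evs:
            if e["op"] == "mutex" and MUTEX_RE.match(e["arg"]):
                hits.append(f"suspicious mutex {e['arg']}")

        if hits:
            findings[pid] = hits
    return findings


def _ev(pid, image, op, arg):
    return {"pid": pid, "image": image, "op": op, "arg": arg}


# Constructed telemetry: a dropper runs the hollowing sequence and reads the
# Chrome credential store; the hollowed chrome.exe hooks and polls the
# keyboard; explorer.exe's hook is expected and must not fire.
SAMPLE_EVENTS = [
    _ev(4120, "java_updater.exe", "api", "CreateProcess:CREATE_SUSPENDED"),
    _ev(4120, "java_updater.exe", "api", "NtUnmapViewOfSection"),
    _ev(4120, "java_updater.exe", "api", "WriteProcessMemory"),
    _ev(4120, "java_updater.exe", "api", "SetThreadContext"),
    _ev(4120, "java_updater.exe", "api", "ResumeThread"),
    _ev(4120, "java_updater.exe", "mutex", "Global\\3fa9c21e"),
    _ev(4120, "java_updater.exe", "file_read",
        r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    _ev(5008, "chrome.exe", "hook", "WH_KEYBOARD_LL"),
    _ev(1234, "explorer.exe", "hook", "WH_KEYBOARD_LL"),
] + [_ev(5008, "chrome.exe", "api", "GetAsyncKeyState") for _ in range(60)]

if __name__ == "__main__":
    for pid, hits in analyze(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The sequence check is deliberately order-sensitive: a process that calls WriteProcessMemory and ResumeThread in the course of ordinary debugging or accessibility work will not match unless it also created a suspended process and unmapped its image first.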

Network Indicators

Snake Keylogger uses HTTP or HTTPS for command and control (C2) and data exfiltration, and publicly analysed samples have also exfiltrated over SMTP, FTP and the Telegram bot API, so network detection should not be limited to web traffic. The malware typically beacons to its C2 server at regular intervals ranging from 30 seconds to 5 minutes, though newer variants may add jitter to avoid a predictable pattern; a low variance across request intervals to one host is therefore a stronger signal than any single interval value. Beacon requests often carry encoded or encrypted data in POST parameters, with common parameter names such as “id”, “data”, “info”, or “log”.

DNS queries may reveal C2 infrastructure. Snake primarily uses hardcoded domains, so DGA-style heuristics (long random subdomains, high-entropy labels) will rarely fire; newly registered or rarely resolved domains are a better lead. TLD alone is not a useful discriminator: .com, .net, .org and .ru have all been observed. The malware may also use URL shorteners or legitimate hosting and paste services (pastebin.com, for example) to fetch configuration or stage C2, so those destinations deserve a second look when contacted by an unusual process.

Data exfiltration occurs in compressed or encoded form, often Base64 or a custom XOR scheme. The exfiltrated data includes captured keystrokes, screenshots, clipboard contents, and stolen credentials. Traffic typically shows small outgoing POST requests (beacons) followed by much larger uploads once enough data has been collected, so a flow whose request sizes stay flat and then spike by an order of magnitude is worth inspecting. Where TLS is used, check the server certificate for self-signed issuers or subject names that do not match the host.

Monitor for HTTP-style connections to ports other than 80 and 443, particularly high-numbered ports (8000-50000). The malware may use non-standard ports to slip past simple firewall rules, and an HTTP POST to such a port from a user workstation is rare enough to alert on.
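The network heuristics above (periodic beaconing, small beacons followed by a large upload, the listed parameter names, and non-standard ports), as an added example that is not part of the original guide. It runs over constructed proxy log lines; the log layout (epoch, source, destination:port, method, bytes, URL) and the thresholds are assumptions, not any product's real format.

```python
"""Added example, not part of the original guide: beacon and exfiltration
heuristics over constructed proxy log lines. The log layout
(epoch src dst:port method bytes url) is assumed, not a real product format."""
import statistics
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SUSPECT_PARAMS = {"id", "data", "info", "log"}   # parameter names from the guide
STANDARD_PORTS = {80, 443}

# Constructed log: 10.0.0.5 posts to one host roughly every 60 s with small
# bodies and then sends one large upload; 10.0.0.8 browses normally.
LOG_LINES = """\
1711929600 10.0.0.5 203.0.113.7:8080 POST 400 /gate.php?id=4a1c&data=U2FsdGVk
1711929605 10.0.0.8 198.51.100.20:443 GET 120 /index.html
1711929660 10.0.0.5 203.0.113.7:8080 POST 412 /gate.php?id=4a1c&data=U2FsdGVk
1711929721 10.0.0.5 203.0.113.7:8080 POST 398 /gate.php?id=4a1c&data=U2FsdGVk
1711929780 10.0.0.5 203.0.113.7:8080 POST 405 /gate.php?id=4a1c&data=U2FsdGVk
1711929800 10.0.0.8 198.51.100.20:443 GET 96 /news?page=2
1711929840 10.0.0.5 203.0.113.7:8080 POST 48210 /gate.php?id=4a1c&data=U2FsdGVk
1711929902 10.0.0.5 203.0.113.7:8080 POST 402 /gate.php?id=4a1c&data=U2FsdGVk
1711929960 10.0.0.5 203.0.113.7:8080 POST 399 /gate.php?id=4a1c&data=U2FsdGVk
1711930020 10.0.0.5 203.0.113.7:8080 POST 410 /gate.php?id=4a1c&data=U2FsdGVk
1711930900 10.0.0.8 198.51.100.20:443 GET 120 /index.html
"""


def parse(text):
    """Parse the assumed log layout into records."""
    recs = []
    for line in text.strip().splitlines():
        ts, src, dst, method, size, url = line.split()
        host, port = dst.rsplit(":", 1)
        recs.append({"ts": int(ts), "src": src, "dst": host, "port": int(port),
                     "method": method, "bytes": int(size), "url": url})
    return recs


def beacon_stats(times):
    """Mean gap between requests and its coefficient of variation (0 = perfectly periodic)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0, 0.0
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else 0.0
    return mean, cv


def analyze(recs, min_requests=5, max_cv=0.2, burst_factor=20):
    """Return {(src, dst, port): [finding, ...]} for flows matching the heuristics."""
    flows = defaultdict(list)
    for r in recs:
        flows[(r["src"], r["dst"], r["port"])].append(r)

    findings = {}
    for key, rs in flows.items():
        rs.sort(key=lambda r: r["ts"])
        hits = []
        # 1. Timer-driven beaconing: enough requests, 30 s to 5 min apart, little jitter.
        if len(rs) >= min_requests:
            mean, cv = beacon_stats([r["ts"] for r in rs])
            if 30 <= mean <= 300 and cv <= max_cv:
                hits.append(f"regular beacon every ~{mean:.0f}s (cv={cv:.2f})")
        # 2. Small beacons followed by a large upload.
        posts = [r["bytes"] for r in rs if r["method"] == "POST"]
        if len(posts) >= 3:
            median = statistics.median(posts)
            big = [b for b in posts if b > burst_factor * median]
            if big:
                hits.append(f"upload burst of {max(big)} bytes against median {median:.0f}")
        # 3. Parameter names from the guide anywhere in the flow's query strings.
        params = set()
        for r in rs:
            params |= set(parse_qs(urlsplit(r["url"]).query))
        if params & SUSPECT_PARAMS:
            hits.append("suspect parameters: " + ",".join(sorted(params & SUSPECT_PARAMS)))
        # 4. Web-looking traffic on a non-web port.
        if key[2] not in STANDARD_PORTS:
            hits.append(f"non-standard port {key[2]}")
        if hits:
            findings[key] = hits
    return findings


if __name__ == "__main__":
    for flow, hits in analyze(parse(LOG_LINES)).items():
        print(flow, hits)
```

The coefficient of variation is what makes the beacon check survive modest jitter: a 60-second timer with a couple of seconds of randomisation still scores well under 0.2, while human browsing of the same host does not.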

File System Artifacts

Snake Keylogger drops several files to maintain persistence and store captured data. The primary executable is typically placed in:

  • %AppData%\Microsoft\[random folder name]\[random name].exe
  • %LocalAppData%\Temp\[random name].exe
  • %ProgramData%\[random folder]\[random name].exe

The malware creates configuration and data files in similar locations:

  • %AppData%\Microsoft\config.dat or settings.ini - Contains C2 configuration and collection settings
  • %Temp%\log.tmp or data.bin - Temporary storage for captured keystrokes before exfiltration
  • %AppData%\Microsoft\screenshots\ - Directory containing captured screenshots with timestamps in filenames

File naming conventions often use legitimate-sounding names to avoid suspicion, such as:

  • chrome_update.exe
  • windows_service.exe
  • java_updater.exe
  • Names mimicking legitimate software with slight misspellings

Typical file sizes range from 200KB to 2MB for the main executable. The malware may also drop DLLs for injection, typically named with random alphanumeric strings. Look for recently created files whose PE compile timestamp (the COFF TimeDateStamp in the file header) is inconsistent with the vendor and product claimed in the version resource, or later than the file's own creation time on disk; any PE analysis tool shows both. Note that .NET assemblies built with deterministic compilation carry a hash-derived value rather than a real time in this field, so treat an implausible timestamp on a managed binary as weak evidence on its own.

Registry and Persistence Mechanisms

Snake Keylogger employs multiple persistence mechanisms to survive system reboots. The most common method is through Run registry keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run - An entry named something like “ChromeUpdate” or “WindowsDefender” whose value points at the dropped executable; the mismatch between a vendor-sounding name and a path under %AppData% or %Temp% is the tell
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run - Less common, since it requires elevation, but observed in some variants

The malware also creates scheduled tasks for persistence:

  • Tasks named “GoogleUpdateTask”, “MicrosoftEdgeUpdate”, or similar legitimate-sounding names
  • Tasks configured to run at user logon or at specific intervals
  • Tasks with triggers that execute the malware from its dropped location

Service installation is less common but has been observed in some variants:

  • Creation of a new service named similarly to legitimate Windows services
  • Service DLL planting in %SystemRoot%\System32\ or %SystemRoot%\SysWOW64\

Other persistence techniques include:

  • Browser extension installation (malicious Chrome extensions that capture form data)
  • LNK file modification in the Startup folder (%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\), with the shortcut's target pointed at the dropped executable
  • COM hijacking by registering a CLSID under HKCU\Software\Classes\CLSID\ (the per-user view of HKCR\CLSID\), which takes precedence over the machine-wide registration and needs no elevation

The malware may create registry keys for configuration storage:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Settings - Stores C2 addresses and collection intervals
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies - May contain settings for disabling security features
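An audit of autostart entries against the drop locations, lookalike file names and persistence patterns described in the File System Artifacts and Registry and Persistence Mechanisms sections, as an added example that is not part of the original guide. The user name, environment values, the table of legitimate updater binaries and the entries themselves are all constructed for the demo; the lookalike check uses a string-similarity ratio from the standard library, which is this example's choice rather than anything the guide prescribes.

```python
"""Added example, not part of the original guide: audit constructed autostart
entries (Run keys, scheduled tasks, Startup-folder shortcuts) for the drop
locations, lookalike names and persistence patterns described above."""
import ntpath
import re
from difflib import SequenceMatcher

# Assumed environment for the demo; a real audit expands these per user.
ENV = {
    "%AppData%": r"C:\Users\alice\AppData\Roaming",
    "%LocalAppData%": r"C:\Users\alice\AppData\Local",
    "%ProgramData%": r"C:\ProgramData",
    "%Temp%": r"C:\Users\alice\AppData\Local\Temp",
}
# Drop locations named in the guide.
DROP_ROOTS = (ENV["%AppData%"], ENV["%Temp%"], ENV["%ProgramData%"])
# Genuine updater binaries and their homes (assumed table; extend per environment).
LEGIT_BINARIES = {
    "GoogleUpdate.exe": r"C:\Program Files (x86)\Google\Update",
    "MicrosoftEdgeUpdate.exe": r"C:\Program Files (x86)\Microsoft\EdgeUpdate",
}
LEGIT_HOMES = {k.lower(): v.lower() for k, v in LEGIT_BINARIES.items()}
VENDOR_WORDS = ("chrome", "google", "microsoft", "windows", "defender", "java", "update")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def expand(path):
    """Expand the %Var% names in ENV, case-insensitively (lambda avoids backslash escapes)."""
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _m, v=val: v, path, flags=re.I)
    return path


def assess(entry):
    """Return the reasons an autostart entry looks like a Snake-style drop (empty if none)."""
    cmd_l = expand(entry["command"]).lower()
    base = ntpath.basename(cmd_l)
    stem = ntpath.splitext(base)[0]
    # The genuine binary in its genuine directory is never a finding.
    if LEGIT_HOMES.get(base) == ntpath.dirname(cmd_l):
        return []
    hits = []
    if any(cmd_l.startswith(root.lower()) for root in DROP_ROOTS):
        hits.append("runs from a drop location named in the guide")
    # Slight misspellings of a real updater name (GoogIeUpdate, etc.).
    for legit in LEGIT_BINARIES:
        if SequenceMatcher(None, stem, ntpath.splitext(legit)[0].lower()).ratio() >= 0.85:
            hits.append(f"misspelt lookalike of {legit}")
            break
    # Vendor-sounding file or entry name whose binary is not under Program Files.
    words = [w for w in VENDOR_WORDS if w in stem or w in entry["name"].lower()]
    if words and not cmd_l.startswith(PROGRAM_FILES):
        hits.append("vendor-sounding name outside Program Files: " + ",".join(words))
    return hits


def audit(entries):
    """Return {(source, name): [reason, ...]} for entries with at least one finding."""
    findings = {}
    for e in entries:
        hits = assess(e)
        if hits:
            findings[(e["source"], e["name"])] = hits
    return findings


# Constructed entries: three drops with the naming patterns from the guide,
# plus a genuine Edge updater task and a genuine Run entry that must not fire.
SAMPLE_ENTRIES = [
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "ChromeUpdate",
     "command": r"C:\Users\alice\AppData\Roaming\Microsoft\kx9z\chrome_update.exe"},
    {"source": "Scheduled task", "name": "GoogleUpdateTask",
     "command": r"C:\ProgramData\4f2a\GoogIeUpdate.exe"},
    {"source": "Startup folder", "name": "java.lnk",
     "command": r"%LocalAppData%\Temp\java_updater.exe"},
    {"source": "Scheduled task", "name": "MicrosoftEdgeUpdateTaskMachineCore",
     "command": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    {"source": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "name": "SecurityHealth",
     "command": r"C:\Program Files\Windows Security\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for key, hits in audit(SAMPLE_ENTRIES).items():
        print(key, hits)
```

On a real host the entries would come from the Run keys, the scheduled task XML under %SystemRoot%\System32\Tasks and the resolved targets of Startup-folder shortcuts; the scoring logic is the same once each is reduced to a name and a command path.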

YARA Rule Guidance

When creating YARA rules for Snake Keylogger detection, focus on both string-based and structural characteristics. The malware contains several identifiable strings in its unpacked form, though many samples are obfuscated. Look for:

String patterns related to keylogging functionality:

  • References to keyboard APIs: “GetAsyncKeyState”, “SetWindowsHookEx”, “WH_KEYBOARD”
  • Configuration strings: “config.dat”, “settings.ini”, “log.tmp”
  • Mutex names: “SnakeMutex”, “Global\Mutex”, variations with hexadecimal strings
  • User agent strings in network communication code

Encryption and encoding routines often contain identifiable byte sequences. Look for custom XOR routines with hardcoded keys (search for XOR operations followed by immediate values). The malware frequently uses Base64 encoding for exfiltrated data - look for Base64 alphabet strings and function calls to encoding libraries.

Structural characteristics include:

  • Import Address Table (IAT) combining networking APIs (WinHTTP, WinINet), hooking APIs (SetWindowsHookEx) and screenshot APIs (GDI32 functions). Note that many Snake Keylogger builds are .NET assemblies: a managed executable's native IAT contains little more than mscoree.dll, and the API names above appear instead as P/Invoke strings in the CLR metadata, so match on those strings (and on the CLR runtime header in data directory 14) rather than relying on the IAT alone
  • Resource section containing encrypted configuration data
  • Entry point code that checks for mutex existence and performs anti-debugging techniques

Many samples contain version information or author strings in their resources or overlay data. Search for “Snake”, “Keylogger”, or author handles in string tables. Error messages in English or Russian may also be visible in unpacked samples. Because .NET string literals are stored as UTF-16, declare string patterns as both ascii and wide, or an unpacked managed sample will miss every configuration and mutex string.
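The structural and string checks above, together with the compile-timestamp check from the File System Artifacts section, as an added example that is not part of the original guide. It builds a minimal PE32 image in memory (headers plus a string area; the layout is constructed for the demo and is not a real sample), reads the COFF timestamp and the CLR data directory, and scans for the guide's indicator strings both as ASCII and as UTF-16LE, the way a YARA rule declared `ascii wide` would. The indicator lists, the first-seen time and the scoring threshold are assumptions.

```python
"""Added example, not part of the original guide: apply the structural and
string checks described above to a constructed PE image. The sample layout,
indicator lists and scoring are assumptions for the demo, not real artifacts."""
import datetime
import re
import struct

# Indicator strings from the guide, each tried as ASCII and as UTF-16LE.
INDICATORS = {
    "keyboard_api": [rb"GetAsyncKeyState", rb"SetWindowsHookEx", rb"WH_KEYBOARD"],
    "config_files": [rb"config\.dat", rb"settings\.ini", rb"log\.tmp"],
    "mutex": [rb"SnakeMutex", rb"Global\\[0-9A-Fa-f]{8,}"],
    "base64_alphabet": [rb"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\+/"],
}
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # printable UTF-16LE runs
SAMPLE_FIRST_SEEN = datetime.datetime(2024, 3, 31, tzinfo=datetime.timezone.utc)  # assumed


def build_sample(timestamp, dotnet=True):
    """Construct a minimal PE32 image: DOS stub, PE signature, COFF header,
    optional header (CLR directory set when dotnet=True), then a string area
    mimicking .NET metadata: P/Invoke names in ASCII, user strings in UTF-16LE."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymtab, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)  # CLR runtime header RVA/size
    ascii_strings = b"mscoree.dll\0_CorExeMain\0GetAsyncKeyState\0SetWindowsHookEx\0\0"
    wide_strings = b"\0\0".join(s.encode("utf-16-le") for s in ("config.dat", "Global\\3fa9c21e"))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + ascii_strings + wide_strings


def parse_headers(data):
    """Read the COFF timestamp and whether the CLR data directory (index 14) is populated."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsec, ts, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)              # PE32 vs PE32+ data directories
    clr_rva, clr_size = struct.unpack_from("<II", data, dd_off + 14 * 8)
    return {"machine": machine,
            "timestamp": datetime.datetime.fromtimestamp(ts, datetime.timezone.utc),
            "dotnet": clr_rva != 0 and clr_size != 0}


def scan_indicators(data):
    """{category: [matched strings]} over the raw bytes plus decoded UTF-16LE runs."""
    wide = b"\n".join(m.group().decode("utf-16-le").encode("ascii") for m in WIDE_RUN.finditer(data))
    haystack = data + b"\n" + wide
    found = {}
    for category, patterns in INDICATORS.items():
        matches = sorted({m.group().decode("ascii") for p in patterns for m in re.finditer(p, haystack)})
        if matches:
            found[category] = matches
    return found


def timestamp_anomalies(compile_ts, first_seen):
    notes = []
    if compile_ts > first_seen:
        notes.append("compile timestamp is later than the file's first-seen time")
    if compile_ts.year < 2000 or compile_ts > datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=1):
        notes.append("compile timestamp is implausible")
    return notes


def classify(data, first_seen):
    hdr = parse_headers(data)
    cats = scan_indicators(data)
    return {"dotnet": hdr["dotnet"],
            "categories": sorted(cats),
            "timestamp_anomalies": timestamp_anomalies(hdr["timestamp"], first_seen),
            # Assumed scoring: keyboard APIs plus at least one other category.
            "suspicious": "keyboard_api" in cats and len(cats) >= 2}


def demo():
    return classify(build_sample(1711929600), SAMPLE_FIRST_SEEN)   # 2024-04-01T00:00:00Z


if __name__ == "__main__":
    print(demo())
```

The wide-string pass is what finds the mutex and configuration names here: they are embedded only as UTF-16LE, exactly as a .NET user-string heap would hold them, and an ASCII-only scan reports none of them.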

For current samples and IOCs, refer to:

When implementing detection, combine multiple indicators across behavioral, network, file system, and registry dimensions for reliable identification. Regular updates to detection rules are necessary as the malware evolves its evasion techniques.