SNAKE Malware Installer Name Indicators

    Date: 08/20/2024

    Severity: Medium

    Summary

    "SNAKE Malware Installer Name Indicators" refers to the installer filenames associated with the SNAKE malware, also known as Uroburos, a long-running cyber-espionage implant that CISA attributes to Russia's FSB (Turla) in advisory AA23-129A, the report the referenced Sigma rule is built from. The implant is used for long-term espionage and data theft, and its installer is dropped under short, benign-looking names so that it does not stand out among ordinary setup executables. Flagging file-creation events whose target filename ends in one of these names gives defenders an inexpensive hunt for SNAKE installation activity. Because the names are generic, a match should be treated as a lead and confirmed by examining the file's hash, signer and creating process rather than taken as a conviction on its own.

    Indicators of Compromise (IOC) List

    TargetFilename (suffix match; the referenced Sigma rule uses TargetFilename|endswith, so the values below are expected to appear at the end of a full path)

    '\jpsetup.exe'

    '\jpinst.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (Resourcename in ("Sysmon") AND eventtype = "11") AND targetfilename in ("\jpsetup.exe","\jpinst.exe")

    Detection Query 2

    (Technologygroup = "EDR" ) AND targetfilename in ("\jpsetup.exe","\jpinst.exe")

    Note on matching: the referenced Sigma rule matches TargetFilename with the endswith modifier, and Sigma string matching is case-insensitive, so a full path such as C:\Users\Public\jpsetup.exe is meant to fire. If the targetfilename field in a given deployment carries the full path, an exact-value comparison against "\jpsetup.exe" will never match; express the condition as a case-insensitive suffix match, or normalize the field to the bare file name, before relying on these queries. The leading backslash in each value is deliberate: it prevents a file such as notjpsetup.exe from matching.
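    The rule logic run over sample telemetry, as an added example that is not part of the Gurucul page or the SigmaHQ rule: it evaluates the referenced Sigma condition (Sysmon Event ID 11, TargetFilename ending in one of the two installer names, case-insensitive) against constructed JSON-lines Sysmon events, and places the exact-value comparison beside it to show why the suffix form is needed when the field holds a full path. The sample events, field names and helper names are constructed for illustration; they are not real telemetry.

```python
# Added example (not from the Gurucul page or the SigmaHQ rule): a minimal
# evaluator for the referenced Sigma rule's logic, run over constructed
# Sysmon Event ID 11 (FileCreate) records exported as JSON lines.
import json

# Installer names from the referenced Sigma rule (TargetFilename|endswith).
# The leading backslash keeps e.g. "notjpsetup.exe" from matching.
SNAKE_INSTALLER_SUFFIXES = ("\\jpsetup.exe", "\\jpinst.exe")


def matches_snake_installer(event: dict) -> bool:
    """Sigma semantics: EventID 11 AND TargetFilename endswith one of the IOCs.

    Sigma string matching is case-insensitive, so the path is lower-cased
    before comparison. EventID may arrive as int or str depending on the
    exporter, so it is normalized to a string.
    """
    if str(event.get("EventID")) != "11":
        return False
    name = str(event.get("TargetFilename", "")).lower()
    return any(name.endswith(suffix) for suffix in SNAKE_INSTALLER_SUFFIXES)


def exact_match_would_fire(event: dict) -> bool:
    """The `targetfilename in ("\\jpsetup.exe", ...)` form.

    Fires only when the field holds exactly the IOC value, which a field
    carrying the full path never does; shown for contrast with the suffix form.
    """
    if str(event.get("EventID")) != "11":
        return False
    return str(event.get("TargetFilename", "")).lower() in SNAKE_INSTALLER_SUFFIXES


def hunt(log_lines) -> list:
    """Parse JSON-lines Sysmon events and return the matching ones with the
    fields a triager wants first: the file and the process that created it."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if matches_snake_installer(event):
            hits.append({
                "TargetFilename": event["TargetFilename"],
                "Image": event.get("Image"),  # creating process
            })
    return hits


# Constructed sample events (hypothetical, not real telemetry). Paths are
# written with doubled backslashes because they are JSON string escapes.
SAMPLE_LOG = r'''
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\Public\\jpsetup.exe"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\ProgramData\\Temp\\JPINST.EXE"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\Temp\\setup.exe"}
{"EventID": 1, "Image": "C:\\Users\\Public\\jpsetup.exe", "CommandLine": "jpsetup.exe"}
{"EventID": 11, "Image": "C:\\Program Files\\App\\app.exe", "TargetFilename": "C:\\Program Files\\App\\notjpsetup.exe"}
'''.splitlines()


if __name__ == "__main__":
    # Expected: the first two events match (case-insensitive suffix); the
    # ProcessCreate event, setup.exe and notjpsetup.exe do not.
    for hit in hunt(SAMPLE_LOG):
        print(f"SNAKE installer name: {hit['TargetFilename']} (created by {hit['Image']})")
```

    Running the block prints the two matching file creations. The `exact_match_would_fire` check returns False for the same events, which is the failure mode the note above describes: with a full-path field, the exact-value query is silent while the suffix form fires.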

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml


    Tags

    Malware, Sigma
