So normally, it is easier to analyze .NET variants of this malware as there are nearly no obfuscation, (maybe some simple encryption and variable names) so I decided to get C++ compiled binary around 1mb and analyze it, but I checked binary graph, anti-debug techniques and I think only protection they put is, checking if "IsDebuggerPresent", like there is nothing else, everything is so clear so I will just list key points of malware.
First time I opened malware in ghidra, the thing that was so interesting to me was, there a lot of imports of APIs and none of them were hidden or anything. Just wanted to check 1 of the APIs, found reference to it and traced back to see where the call was from and I hit the jackpot.
The Function at 0x414800 :
As you can see there is "if" statement, why? at first it actually initialize, the struct of the functions, luckily all of them have clear names so it is easy to understand what they do. Alright so, after initializing, other functions can search for function names one by one and find the function they need. Also, malware gives an hint on what these are, if you try to search for references of "IsDebuggerPresent", you will find:
Funny right? Malware literally tells us everything we need. This is AutoIT script, If you wonder what it is, it is used for automation processes using keyboard, mouse movement etc. Note: You can also patch IsDebuggerPresent and debugger without any issue, or just use scyllahide.
Note 2: I also forgot to mention that in "strings" of the malware you can easily see BACKSPACE, ESC, Mouse related strings, numpad etc. the strings that are related to date/time etc.
What we found out so far is, malware is keylogger and botnet, maybe there are more that I missed but I believe I got everything right.
Now, to understand in which order the malware calls functions, I found a technique that you can also write r2 or x32dbg script to automate:
First we put breapoint at, 0x414800, after breakpoint is hit, you gonna see the value in stack is "0x0", so it is only for initialization stage, continue one more time and check call stack, call is from 0x41C64A.
So, it is obvious, this function searches for specific function name, if you put breakpoint at _wcscmp 0x41C654, you can see every function it tries to search for and maybe you can even trace into the functions for more detail.
I believe this is enough for SnakeKeylogger analysis.