Overview

overview

10

Static

static

3

7d0aa3ac75...18.exe

windows7-x64

7

7d0aa3ac75...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-04-2024 23:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d0aa3ac75755d1f7b67f12d0a362356_JaffaCakes118.exe

  • Size

    857KB

  • MD5

    7d0aa3ac75755d1f7b67f12d0a362356

  • SHA1

    2c7308e44a5a72ba8c70ac7d846b8b3c1878461a

  • SHA256

    5610b2906ecd713913b4b7e2975788cecb0d19abf94a16d1f81d3b43e1b9adda

  • SHA512

    4b419222720e3ac88c4f166da8f2675bf772703728d7763dd471e4b0f180d2d71c2fe1ac6dd8f1d6747780c0ad24ef7556b198047853d2d9da389085b15810e1

  • SSDEEP

    12288:gsQ7lK3+yssh0MVIIu5a4chjuWXPm02elSqIYK3+mi3Y7ELzXbkU5d2BnCtz:grKu7shJjBPm0jkR9OmI4qzQU5dC

Score
10/10
hawkeye_rebornm00nd3v_loggeragilenetcollectioninfostealerkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

  • Protocol:     smtp
  • Host:
    smtp.bestbirdss.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Cfv)Prr8
Mutex

dc1aa356-573e-4e3b-ad69-c046a924da8c

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:Cfv)Prr8 _EmailPort:587 _EmailSSL:false _EmailServer:smtp.bestbirdss.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:30 _MeltFile:false _Mutex:dc1aa356-573e-4e3b-ad69-c046a924da8c _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger payload 1 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • NirSoft MailPassView 5 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d0aa3ac75755d1f7b67f12d0a362356_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7d0aa3ac75755d1f7b67f12d0a362356_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\7d0aa3ac75755d1f7b67f12d0a362356_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\655.exe"
      2⤵
        PID:2908
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\655.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:408
        • C:\Users\Admin\AppData\Local\655.exe
          "C:\Users\Admin\AppData\Local\655.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5032
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2296
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5D1A.tmp"
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:5068
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6122.tmp"
              5⤵
              • Accesses Microsoft Outlook accounts
              PID:3404

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\655.exe
      Filesize

      857KB

      MD5

      7d0aa3ac75755d1f7b67f12d0a362356

      SHA1

      2c7308e44a5a72ba8c70ac7d846b8b3c1878461a

      SHA256

      5610b2906ecd713913b4b7e2975788cecb0d19abf94a16d1f81d3b43e1b9adda

      SHA512

      4b419222720e3ac88c4f166da8f2675bf772703728d7763dd471e4b0f180d2d71c2fe1ac6dd8f1d6747780c0ad24ef7556b198047853d2d9da389085b15810e1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp5D1A.tmp
      Filesize

      4KB

      MD5

      63a3d218b0d233efc9806729feba705a

      SHA1

      3cda6c59e0b8115d8538c8ff0d94a49294d516ac

      SHA256

      66ceb453b5931baa8d942d514cc1dcc41a24ab59313c0621daa9920bd0566bfd

      SHA512

      d0cfb106b57a4e90523c194d073a131bc65461d8e792b0be51aef89aa413dded53c2aba723fc677f68b1211411a0e105b5771cafa045d3e11d54db578577b683

      Download Submit

    • memory/2296-49-0x00000000051A0000-0x00000000051B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2296-48-0x0000000074800000-0x0000000074FB0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2296-29-0x0000000005430000-0x0000000005496000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2296-28-0x00000000051A0000-0x00000000051B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2296-27-0x0000000007740000-0x00000000077B6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2296-26-0x0000000074800000-0x0000000074FB0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2296-23-0x0000000000400000-0x0000000000490000-memory.dmp

      Filesize

      576KB

      Download

    • memory/2852-9-0x0000000005A20000-0x0000000005A30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2852-13-0x0000000074800000-0x0000000074FB0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2852-0-0x00000000009B0000-0x0000000000A8C000-memory.dmp

      Filesize

      880KB

      Download

    • memory/2852-1-0x0000000074800000-0x0000000074FB0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2852-2-0x00000000057C0000-0x00000000057F0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2852-4-0x00000000058D0000-0x0000000005962000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2852-5-0x0000000005A20000-0x0000000005A30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2852-3-0x0000000005DA0000-0x0000000006344000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2852-6-0x0000000005830000-0x0000000005838000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2852-8-0x0000000074800000-0x0000000074FB0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2852-7-0x0000000005850000-0x000000000585E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3404-42-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3404-44-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3404-45-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3404-47-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/5032-21-0x0000000005B50000-0x0000000005B5A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5032-25-0x0000000074800000-0x0000000074FB0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5032-22-0x0000000006A10000-0x0000000006AAC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/5032-20-0x0000000005B60000-0x0000000005B70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5032-19-0x0000000074800000-0x0000000074FB0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5032-18-0x0000000005B60000-0x0000000005B70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5032-17-0x0000000074800000-0x0000000074FB0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5068-33-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/5068-34-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/5068-39-0x0000000000460000-0x0000000000529000-memory.dmp

      Filesize

      804KB

      Download

    • memory/5068-40-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/5068-31-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

      Download