Overview

overview

10

Static

static

3

eb9c1e590e...18.exe

windows7-x64

10

eb9c1e590e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-04-2024 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb9c1e590efe43a4e30b614657e68fd0_JaffaCakes118.exe

  • Size

    484KB

  • MD5

    eb9c1e590efe43a4e30b614657e68fd0

  • SHA1

    c503a0e0fcee9a1461587830b8d114d33fdd0287

  • SHA256

    32cd319e6761e336df91dc0712d9d55068f5c6f8a31eaa4593a4f29430dc8e82

  • SHA512

    a726311927ec6be8783b357ffc8e9833c4bc7f31f2d47a05bed71ce59a09985e1a4dc39bd87e4979e0814ac0aea7e22cbcdcb720d05995e74b1e69deb8a21488

  • SSDEEP

    12288:xI6Dr6HtQctUGQWgijsqnAy0w9y4jq9y/hmkcKPFM:SecCi/l9y/mh1cYF

Score
10/10
hawkeyecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 9 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 9 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 13 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • NTFS ADS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb9c1e590efe43a4e30b614657e68fd0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eb9c1e590efe43a4e30b614657e68fd0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\eb9c1e590efe43a4e30b614657e68fd0_JaffaCakes118.exe":ZONE.identifier & exit
      2⤵
      • NTFS ADS
      PID:1708
    • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
      "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe":ZONE.identifier & exit
        3⤵
        • NTFS ADS
        PID:544
      • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
        "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • NTFS ADS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1684
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ebis.pro/images/invoice_img.png
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1512
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1740
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:484
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2524
      • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe
        "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe" -keyhide -prochide 1684 -reg C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe -proc 1684 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
        3⤵
        • Executes dropped EXE
        PID:1196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    b7353a8130da898b382a5c16ddbde81a

    SHA1

    2ab64b3a60ae6d243cc1918eeea36a38a55dd362

    SHA256

    600ddc6d7b5058b26cdee4a86020d7625c61a5b95161fc3f36da8149913a70db

    SHA512

    c6eb3c374db6ac9b5cbef4db26c5d6d72b24185680daf10f17046ee67997aadd53570f08569c61830197b7e7485ed253364be046439a61185827941b1db8d473

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    2272fa0019757bac53fdc6c0788034b1

    SHA1

    ebac4b25e85a295b252b1dc9711210c96c6e1b45

    SHA256

    ed4bba0261aaa4795a490c109d172a30f56dbbca6e0032eb5d8bd2f2bb97bd35

    SHA512

    eb44d0d7d3993effc99b3b82fb06e5142889389327a7642c08144cc411014ddd3c67394bce8eaae8e6762662946e3d65714bc1214495cc0b85f7cfb7c6197597

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    9001656b2d10fba0f6c31de29c5fd9d2

    SHA1

    9352653ab14efdc4a1e68f5e3d7489810b60f91d

    SHA256

    8e36b1bfb211bc38de26e8113ea6fac80b6302b19a5126a54e79e4f3893eee93

    SHA512

    cc39404cdb3db55f4c3a40d357b18624832c5714cf1264f889a2c7ed5beaffef0e7177321c7df8248ed466f450c359149cff2a980fa89cefd630f454acf88616

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    ca5f0c3ddc993a233926f8fa2c193af1

    SHA1

    c7d2ce8ed58dbecf508329076b558e9fb4743958

    SHA256

    5069f8ba9a11caa81277227bb8c72782689c1ed6f4e88c3510306b6e128edda6

    SHA512

    0d6c463f722b6eaa1beaa326192963be1c59c969c8fd65a1a2474b57e0abeae59e785812f5ebf8f4cf6963fd5efbfa03a1e8ec45db14ab3b60d06b5ea778fbd8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    a6c03dd6497dc5dd940f1cef217f1150

    SHA1

    bd8b887188f951be05f79df6be4aadefb2084a71

    SHA256

    971054f959f0344f6baa399fb78b66632d9def7ed2a289f986d6aaf2e19b83db

    SHA512

    af7dc4798ee7b1ca3fe9d89ebad12f8835f030c6caabca545df75986982f40bcbf9166c938cda74671f2a4257c1af6f20eceb587e07c8c3d260730723e05365d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8ceebe0adc3f54c442e69072da903a00

    SHA1

    4cb43c3309070b6634e924fe4108ce9478c0c09a

    SHA256

    0c2cfad01c9bd3f5eefa460efb75bcf9798413b44892048c0d42928e92d4c73f

    SHA512

    081ce9f0a55cfcfa7a892707d00206073de67e8d064cc2839331d3bcc6a4e2e6a39c189b8eec726c8e560c73aa224eda1c45caf78ef2018f1b77da1593411c8f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    cd079c6c235fad3774c367e9fcc4054f

    SHA1

    f4b554803556cabde1f307fbcd331c7021021bc2

    SHA256

    b4025197176b3598563655844ed4f8b25dd9343db3957e8160814f70a1b83df0

    SHA512

    c4170f52216b280454b60beb983885589b125bb3f099f977d7dca8ff05d03655b9d00924ce3c4755454ae00d7c5b427b439ab154f837e3d3775703a96c9fe072

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    191295de2ce48da1412665c85fa1076d

    SHA1

    b78b7afb25bcc7ccbdc0b03215e3a11dd9149573

    SHA256

    73e9a9761f039991d9b4f4db71e39dce68b4f92cfe4d97df7d5857aa7c368c56

    SHA512

    b9ba4630bcdbcfda8c82676a2fa4f9c1acd5e06c96dff668f82c928ec352fbff9781906feb63480f15246efcd828794fd6c3435a7b58756776c58014d07f49a8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab7CB2.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar7D55.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\eb9c1e590efe43a4e30b614657e68fd0_JaffaCakes118.exe
    Filesize

    484KB

    MD5

    eb9c1e590efe43a4e30b614657e68fd0

    SHA1

    c503a0e0fcee9a1461587830b8d114d33fdd0287

    SHA256

    32cd319e6761e336df91dc0712d9d55068f5c6f8a31eaa4593a4f29430dc8e82

    SHA512

    a726311927ec6be8783b357ffc8e9833c4bc7f31f2d47a05bed71ce59a09985e1a4dc39bd87e4979e0814ac0aea7e22cbcdcb720d05995e74b1e69deb8a21488

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe:ZONE.identifier
    Filesize

    28B

    MD5

    90fd34c6bd120fb6d41d18161a05296b

    SHA1

    346e55ea4c486d9f4ac7e65793c34fc18e5a28b1

    SHA256

    53c9dbb7d60a9fd6c12d2580557472f0132cc26c055e2e841b455be1b8713695

    SHA512

    74a0d8a648267a6c2a31cecd076a3d30d59951ca3e00b8e2e0a935a709cd105c6a8da2da6988f4c3bbef13aea3ad9a805547e8373e57a471d1f794db4ca4709e

    Download Submit

  • memory/484-82-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/484-76-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/484-75-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/484-73-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1196-64-0x0000000000500000-0x0000000000540000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1196-63-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1196-434-0x0000000000500000-0x0000000000540000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1196-433-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1196-66-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1684-288-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1684-287-0x00000000006F0000-0x0000000000730000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1684-44-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/1684-51-0x00000000006F0000-0x0000000000730000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1684-50-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1684-72-0x00000000006F0000-0x0000000000730000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1684-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1684-38-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/1684-32-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/1684-35-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/1684-83-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1684-30-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/1684-28-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/1684-52-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1684-46-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2044-3-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2044-4-0x0000000001F50000-0x0000000001F90000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2044-1-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2044-19-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2044-2-0x0000000001F50000-0x0000000001F90000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2044-0-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2348-24-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2348-20-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2348-23-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2348-22-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2348-65-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2348-21-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2524-429-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2524-431-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2524-435-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2524-572-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download