Overview

overview

10

Static

static

3

ff59b59d6f...18.exe

windows10-1703-x64

Analysis

  • max time kernel
    33s
  • max time network
    34s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    26-04-2024 23:23

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    ff59b59d6fb138bd3a588d89ea0fa1d7

  • SHA1

    fad22ded5983e8d5a9bffa398c3281670e496f46

  • SHA256

    8e1c67e8ed76591ed779773be365b2b66440d958f1bf3556d4512f71836c3d2f

  • SHA512

    7c3017e263d812bac1ad57bf4ed4371fe7414cbde8af077e507811a9ce538d1fdbbb5d396f355792dae67cdf9c25e3b0128a036816d74a48ad68c62e5109054e

  • SSDEEP

    24576:x6qt46zuDJ+ssHguZbtg2aLJ5eKSKmR9Fmt5J2NY9/:xZqARsV5VmFmzJ2M/

Score
10/10
hawkeyeagilenetcollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.merchantexint.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    merW&13@

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 5 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4728
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:4192
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4512
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3af3855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    40KB

    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

    Download Submit

  • memory/2780-8-0x0000000006850000-0x0000000006878000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2780-9-0x00000000068F0000-0x0000000006956000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2780-4-0x0000000005400000-0x0000000005750000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2780-5-0x00000000057F0000-0x000000000588C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2780-6-0x0000000005FD0000-0x0000000005FE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2780-7-0x0000000005FB0000-0x0000000005FC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2780-21-0x0000000073140000-0x000000007382E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2780-3-0x00000000052D0000-0x0000000005362000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2780-10-0x00000000068B0000-0x00000000068D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2780-11-0x0000000005FD0000-0x0000000005FE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2780-13-0x0000000007640000-0x0000000007654000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2780-14-0x0000000009C60000-0x0000000009C66000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2780-2-0x0000000005900000-0x0000000005DFE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2780-1-0x0000000073140000-0x000000007382E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2780-0-0x0000000000920000-0x0000000000A6A000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4192-31-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4192-34-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4192-28-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4192-30-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4512-43-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4512-36-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4512-35-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4728-27-0x00000000081E0000-0x00000000081E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4728-20-0x0000000073140000-0x000000007382E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4728-22-0x00000000058A0000-0x00000000058B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4728-23-0x0000000005600000-0x000000000560A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4728-16-0x0000000000400000-0x0000000000488000-memory.dmp

    Filesize

    544KB

    Download

  • memory/4728-24-0x0000000005910000-0x0000000005966000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4728-44-0x0000000073140000-0x000000007382E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4728-45-0x00000000058A0000-0x00000000058B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4728-46-0x0000000073140000-0x000000007382E000-memory.dmp

    Filesize

    6.9MB

    Download