Overview

overview

10

Static

static

5

0def4e4fe7...18.exe

windows7-x64

10

0def4e4fe7...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-05-2024 07:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0def4e4fe77fc4499d9ade8db0f9c82a_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    0def4e4fe77fc4499d9ade8db0f9c82a

  • SHA1

    29e2459ce9aa0767b84e9efe70913559d606d5d1

  • SHA256

    ee9a1d78f2e0d7d33d7ca9cdffcdc8bc55cff875ec1d3a969803b373c502824b

  • SHA512

    87ec521cd5f94eb10cf7283be15a3c0bff285ad5b870643e81dac3fdd2fea3b3d078d2619dbee906c235a892f47522cfed220bbfe953ef1aa31b297b2853902e

  • SSDEEP

    24576:pu6Jx3O0c+JY5UZ+XC0kGso/WafjjCAMPfh5Km4jLE741cDA9JQAyAWMg4SCdOfP:LI0c++OCvkGsUWafdY

Score
10/10
hawkeye_rebornkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.0

Credentials

  • Protocol:     smtp
  • Host:
    mail.ancopottary.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    niconpay$
Mutex

c5a6e58d-97f5-486b-ab80-4e435504662a

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:true _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:niconpay$ _EmailPort:587 _EmailSSL:true _EmailServer:mail.ancopottary.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:c5a6e58d-97f5-486b-ab80-4e435504662a _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:true _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Drops startup file 1 IoCs
  • Looks up external IP address via web service 9 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0def4e4fe77fc4499d9ade8db0f9c82a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0def4e4fe77fc4499d9ade8db0f9c82a_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3844
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
      • Sets file execution options in registry
      PID:3924
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
      • Sets file execution options in registry
      PID:4036
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
      • Sets file execution options in registry
      PID:4408
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
      • Sets file execution options in registry
      PID:4328
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
      • Sets file execution options in registry
      PID:2040
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
      • Sets file execution options in registry
      PID:3748
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
      • Sets file execution options in registry
      PID:4604
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
      • Sets file execution options in registry
      PID:3604
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
      • Sets file execution options in registry
      PID:4384
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
        PID:1556
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4660

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
        Filesize

        680B

        MD5

        8faf48455ffc017246b08e89f6ba1956

        SHA1

        2f6c39d9828b3f95dc050f52a38cd7d3f543baf8

        SHA256

        9a643ce75fdfe840ea158010f28f8520bea2a60220494b44a25039a2a318fc35

        SHA512

        dafd4f1bf894ef1c61ff65dbcb8d5a151b33d8e39f3e354e6e433c8c7c0e8c2105615bffde8d796e361b77ccbe917a70ca4d03cc8cb6396f0495ff9e5b7010a9

        Download Submit

      • memory/2040-36-0x0000000000600000-0x0000000000690000-memory.dmp

        Filesize

        576KB

        Download

      • memory/3748-41-0x0000000000540000-0x00000000005D0000-memory.dmp

        Filesize

        576KB

        Download

      • memory/3844-3-0x0000000004730000-0x00000000047BB000-memory.dmp

        Filesize

        556KB

        Download

      • memory/3844-4-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3924-11-0x0000000074200000-0x00000000747B1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/3924-15-0x0000000074200000-0x00000000747B1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/3924-12-0x0000000074200000-0x00000000747B1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/3924-10-0x0000000074202000-0x0000000074203000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3924-6-0x0000000000400000-0x0000000000490000-memory.dmp

        Filesize

        576KB

        Download

      • memory/4036-22-0x0000000074202000-0x0000000074203000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4036-23-0x0000000074200000-0x00000000747B1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4036-24-0x0000000074200000-0x00000000747B1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4036-25-0x0000000074200000-0x00000000747B1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4328-31-0x0000000000340000-0x00000000003D0000-memory.dmp

        Filesize

        576KB

        Download

      • memory/4604-47-0x0000000000580000-0x0000000000610000-memory.dmp

        Filesize

        576KB

        Download