Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 04-05-2024 15:44
Static task: static1
Behavioral task: behavioral1
  Sample: 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe
Size: 937KB
MD5: 1364992369a3d4b3b9fde7bd25887335
SHA1: 74d4425da265cca1b665daee821cced920289a16
SHA256: 39da82aec5faf855d0e6c320cf9381f5f01f08dd4eb149790a07d71ea5f9fa95
SHA512: 8d92a3fd67e19e6bbc9d529cd07999a4deecb761bf5c7aa1fc8af64e4e526a22fe549d07bdef4590ced3f5350c4de514857306848b6ab955de1399e16eeed782
SSDEEP: 12288:36o/xuDT9T8aP8dSfWy8i/bvKziF7j2w2BTwR6ry9msEUOOgGwbP8u7:k3QXy8i/bvkTHry9m/UOOgGcV
Malware Config
Extracted family: hawkeye_reborn (no configuration fields were extracted)
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  yara_rule m00nd3v_logger matched the following memory dump resources:
  behavioral1/memory/2220-24-0x0000000004530000-0x00000000045C0000-memory.dmp
  behavioral1/memory/2732-35-0x0000000000400000-0x0000000000490000-memory.dmp
  behavioral1/memory/2732-39-0x0000000000400000-0x0000000000490000-memory.dmp
  behavioral1/memory/2732-37-0x0000000000400000-0x0000000000490000-memory.dmp
  behavioral1/memory/2732-31-0x0000000000400000-0x0000000000490000-memory.dmp
  behavioral1/memory/2732-30-0x0000000000400000-0x0000000000490000-memory.dmp
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.url (process: 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: bot.whatismyipaddress.com
- Suspicious use of SetThreadContext (1 IoC)
  PID 2220 (1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe) set thread context of PID 2732 (procid_target 31)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2220 (1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe), 2 occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2220 (1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe)
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2220 (1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe) wrote to memory of PID 2916 (procid_target 28): 4 occurrences
  PID 2916 (csc.exe) wrote to memory of PID 2596 (procid_target 30): 4 occurrences
  PID 2220 (1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe) wrote to memory of PID 2732 (procid_target 31): 12 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe (PID 2220)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe"
  Signatures: Drops startup file; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 2916)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uraoximp\uraoximp.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2596)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEC.tmp" "c:\Users\Admin\AppData\Local\Temp\uraoximp\CSC1435D4C9C0E14FCAA6A27E597E8F1EE6.TMP"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 2732)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Downloads