Analysis
max time kernel: 140s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-05-2024 15:44
Static task: static1
Behavioral task: behavioral1
  Sample: 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe
Size: 937KB
MD5: 1364992369a3d4b3b9fde7bd25887335
SHA1: 74d4425da265cca1b665daee821cced920289a16
SHA256: 39da82aec5faf855d0e6c320cf9381f5f01f08dd4eb149790a07d71ea5f9fa95
SHA512: 8d92a3fd67e19e6bbc9d529cd07999a4deecb761bf5c7aa1fc8af64e4e526a22fe549d07bdef4590ced3f5350c4de514857306848b6ab955de1399e16eeed782
SSDEEP: 12288:36o/xuDT9T8aP8dSfWy8i/bvKziF7j2w2BTwR6ry9msEUOOgGwbP8u7:k3QXy8i/bvkTHry9m/UOOgGcV
Malware Config
Extracted: hawkeye_reborn (the fields/name table for this family is empty in the report)
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
- YARA rule matches (2 IoCs)
  resource: behavioral2/memory/744-25-0x0000000005BF0000-0x0000000005C80000-memory.dmp, yara_rule: m00nd3v_logger
  resource: behavioral2/memory/3172-27-0x0000000000400000-0x0000000000490000-memory.dmp, yara_rule: m00nd3v_logger
  Both hits are the m00nd3v_logger rule: once in the submitted sample's own memory (PID 744) and once in the 0x00400000-0x00490000 range of PID 3172, the RegAsm.exe instance that receives the SetThreadContext call recorded below.
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.url
  Process: 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe
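The startup artefact above is an Internet Shortcut (.url), an INI-style text file whose URL= line Windows opens at logon. The report records only that RegAsm.url was created in the Startup folder, not its contents, so the following is an added triage routine (not part of the sandbox report, and not the malware's code) that parses .url bodies and flags local file: targets that sit outside Program Files or Windows, or that borrow the name of a .NET Framework utility while living elsewhere. The two shortcut bodies, the STARTUP_DIR constant and the TRUSTED_PREFIXES / FRAMEWORK_UTILS lists are constructed assumptions for the demo.

```python
import configparser
import ntpath
from urllib.parse import unquote, urlparse

# Constructed sample bodies (assumption: the report only says RegAsm.url was
# created in the Startup folder, not what it points at). Docs.url is a benign
# control case so the rules have something to ignore.
STARTUP_DIR = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
STARTUP_FILES = {
    STARTUP_DIR + r"\RegAsm.url":
        "[InternetShortcut]\r\nURL=file:///C:/Users/Admin/AppData/Roaming/RegAsm.exe\r\n",
    STARTUP_DIR + r"\Docs.url":
        "[InternetShortcut]\r\nURL=https://example.org/docs\r\n",
}

# Locations from which a per-user startup shortcut may plausibly launch a local binary.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# .NET Framework utilities that ship only under C:\Windows; a same-named file
# anywhere else is masquerading.
FRAMEWORK_UTILS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def parse_url_shortcut(body):
    """Return the URL= value of an Internet Shortcut body, or None if it is not one."""
    cp = configparser.ConfigParser(interpolation=None)  # values contain % and :
    try:
        cp.read_string(body)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "url", fallback=None)


def file_url_to_path(url):
    """Turn file:///C:/a/b.exe (or file://C:/a/b.exe) into C:\\a\\b.exe; None for other schemes."""
    p = urlparse(url)
    if p.scheme.lower() != "file":
        return None
    path = unquote(p.path)
    if p.netloc:                                          # file://C:/... puts the drive in netloc
        path = p.netloc + path
    elif len(path) > 2 and path[0] == "/" and path[2] == ":":
        path = path[1:]                                   # file:///C:/... keeps a leading slash
    return path.replace("/", "\\")


def triage_startup_shortcuts(files):
    """Flag .url shortcuts whose target is a local file in a suspicious place."""
    findings = []
    for path, body in files.items():
        url = parse_url_shortcut(body)
        if url is None:
            continue
        target = file_url_to_path(url)
        if target is None:
            continue                                      # http/https shortcuts: out of scope here
        low = target.lower()
        reasons = []
        if not low.startswith(TRUSTED_PREFIXES):
            reasons.append("target outside Program Files / Windows")
        if ntpath.basename(low) in FRAMEWORK_UTILS and not low.startswith("c:\\windows\\"):
            reasons.append("named like a .NET Framework utility but not under C:\\Windows")
        if reasons:
            findings.append({"shortcut": path, "url": url, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_startup_shortcuts(STARTUP_FILES):
        print(f["shortcut"], "->", f["target"], ";", "; ".join(f["reasons"]))
```

On a live host, feed triage_startup_shortcuts the .url files under %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and the all-users Startup folder under ProgramData. The shortcut's own file name (here RegAsm.url) says nothing about what it launches; only the URL= target does, which is why the check resolves the file: URL before applying any rule.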
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 24: bot.whatismyipaddress.com
- Suspicious use of SetThreadContext (1 IoC)
  PID 744 (1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe) set thread context of PID 3172 (procid_target 94)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 744 (1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe), 6 records
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 744 (1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe)
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 744 (1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe) wrote to memory of PID 1656 (procid_target 86): 3 records
  PID 1656 (csc.exe) wrote to memory of PID 3620 (procid_target 90): 3 records
  PID 744 (1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe) wrote to memory of PID 4624 (procid_target 92): 3 records
  PID 744 (1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe) wrote to memory of PID 3396 (procid_target 93): 3 records
  PID 744 (1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe) wrote to memory of PID 3172 (procid_target 94): 8 records
Processes
- C:\Users\Admin\AppData\Local\Temp\1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe (PID 744)
  command line: "C:\Users\Admin\AppData\Local\Temp\1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 1656)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qgyzk3fb\qgyzk3fb.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 3620)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4779.tmp" "c:\Users\Admin\AppData\Local\Temp\qgyzk3fb\CSCF77E605BC1A2414CA0637DA886BD0C9.TMP"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 4624)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 3396)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 3172)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
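The WriteProcessMemory and SetThreadContext records, read together with the process tree, are enough to reconstruct the injection chain without the memory dumps. As an added example (not part of the sandbox report and not the malware's code), the Python below parses those records in the report's own "PID src verb of dst src image procid_target" layout, counts writes per writer/target pair and marks a pair as process hollowing when the same writer also replaced the target's thread context. The process table and the 21 records are copied from this report; the regular expression, the classification rules and the baseline_writes heuristic are mine.

```python
import re
from collections import Counter

# Process table taken from the report's process tree (pid -> image name).
PROCESSES = {
    744: "1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe",
    1656: "csc.exe",
    3620: "cvtres.exe",
    4624: "RegAsm.exe",
    3396: "RegAsm.exe",
    3172: "RegAsm.exe",
}

# Constructed input: the SetThreadContext and WriteProcessMemory records from the
# report, one per line, in the sandbox's
# "PID <src> <verb> of <dst> <src> <image> <procid_target>" layout.
RECORDS = """\
PID 744 set thread context of 3172 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 94
PID 744 wrote to memory of 1656 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 86
PID 744 wrote to memory of 1656 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 86
PID 744 wrote to memory of 1656 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 86
PID 1656 wrote to memory of 3620 1656 csc.exe 90
PID 1656 wrote to memory of 3620 1656 csc.exe 90
PID 1656 wrote to memory of 3620 1656 csc.exe 90
PID 744 wrote to memory of 4624 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 92
PID 744 wrote to memory of 4624 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 92
PID 744 wrote to memory of 4624 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 92
PID 744 wrote to memory of 3396 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 93
PID 744 wrote to memory of 3396 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 93
PID 744 wrote to memory of 3396 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 93
PID 744 wrote to memory of 3172 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 94
PID 744 wrote to memory of 3172 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 94
PID 744 wrote to memory of 3172 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 94
PID 744 wrote to memory of 3172 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 94
PID 744 wrote to memory of 3172 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 94
PID 744 wrote to memory of 3172 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 94
PID 744 wrote to memory of 3172 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 94
PID 744 wrote to memory of 3172 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe 94
"""

# The source pid appears twice per record; the back-reference enforces that.
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory|set thread context) of (?P<dst>\d+) "
    r"(?P=src) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_records(text):
    """Parse the records into (src_pid, verb, dst_pid) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), m["verb"], int(m["dst"])))
    return events


def classify_injection(events, processes):
    """One finding per writer/target pair: write count plus whether the writer also
    replaced the target's thread context, which is the process-hollowing tell."""
    writes = Counter((s, d) for s, v, d in events if v == "wrote to memory")
    ctx = {(s, d) for s, v, d in events if v == "set thread context"}
    findings = []
    for (src, dst), n in sorted(writes.items()):
        verdict = "process hollowing" if (src, dst) in ctx else "write only"
        findings.append({"src": src, "src_image": processes.get(src, "?"),
                         "dst": dst, "dst_image": processes.get(dst, "?"),
                         "writes": n, "verdict": verdict})
    return findings


def baseline_writes(findings):
    """Smallest write count among write-only pairs. The sandbox logs a few writes for
    ordinary child creation too, so pairs at this level are not evidence of injection."""
    only = [f["writes"] for f in findings if f["verdict"] == "write only"]
    return min(only) if only else 0


if __name__ == "__main__":
    findings = classify_injection(parse_records(RECORDS), PROCESSES)
    base = baseline_writes(findings)
    for f in findings:
        mark = "!!" if f["verdict"] == "process hollowing" or f["writes"] > base else "  "
        print(f"{mark} {f['src']} ({f['src_image']}) -> {f['dst']} ({f['dst_image']}): "
              f"{f['writes']} writes, {f['verdict']}")
```

On this sample the pairs 744 to 1656, 744 to 4624 and 744 to 3396 each carry three writes, the same count as the legitimate csc.exe to cvtres.exe compiler step (csc.exe is invoked with a .cmdline response file, i.e. the sample compiles C# at run time), so three writes alone do not distinguish injection from child creation. 744 to 3172 carries eight writes and the only SetThreadContext call, the classic hollowing sequence in which a child's image is overwritten and its main thread pointed at the new entry point. The YARA hit on 3172's 0x00400000-0x00490000 range, the default image base of a 32-bit executable, is consistent with the M00nd3v Logger image having replaced RegAsm.exe's own.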
Downloads
- Filesize: 1KB
  MD5: 127362501203ad7262775871d8449229
  SHA1: 00ee38253a1bc2fe9e88a3e18eea5d6338f6aa6a
  SHA256: 1014ee74f061aa733c2d8dd7c23e6cae4a9178d66eae74c081d6357afcad7e9d
  SHA512: a3a9fb063b19d528260fe3dfc84c5734d43f495b2ae7cf99cc7b5cb197ecd68fd3bbf0d951df773a414c843c9ad60478f2c4cc9ffe62a37f892dfabf41af44ec
- Filesize: 8KB
  MD5: 7f4b4a467033bfc513a76a50bfc4c02b
  SHA1: c42c013063ff8e0f373106d0c3d1ac9128d962ec
  SHA256: 8d1d701136315df2ac725c38e3445722cdaefe0a50bba0c33605eeed1b63b801
  SHA512: 274b77fecddb511ba5a7462fcf99af9415045a00b7bb199de96c9b7fabfa1fe8f1c9ae7be18c945540d94cee9bbf02f92ee19955e4f1302b487db3e6d7332590
- Filesize: 23KB
  MD5: adfa900b0f7238fdf289f1ab7fb3878c
  SHA1: 155256be8c1ccafbdaee8a212a565cd7fc57ee43
  SHA256: b1fbb8fd61a587a5380014d69e821652ef4011bb14a17e732e9046fe0980d720
  SHA512: a79157bd21f4fd080a070b6ed8380cd9e8648e39c264a9999149ba12c7f0b4cb6a8bb95c16d03022c9758c438d5e8837db4c386c239f213c9d2ebfc4c0ac2a07
- Filesize: 1KB
  MD5: 7a8cb698ec30624e35b7f0383e36a07b
  SHA1: 3232146e8ef4ba248ee77082fe59c0f64744bdec
  SHA256: 6a6033f81d44e10c3ee207e4ca4fcb3e4b666237b3180bdfd73625fce73cbe6a
  SHA512: 4fda294338da6bbe43ab94798bd04d3c0c705ae46ca93a7c3be24e218f885a599b37299b86af03aaf6a8871bc02ff159010fbe1e38ccd84b78bd646d9914fc76
- Filesize: 10KB
  MD5: f8936db8cda421561333bbd6b6dfc4fc
  SHA1: 8fc5c4503609360f480c6f5982e59cd3d7ac1ce2
  SHA256: 57150d9e80b21e69e7f5b2053a3f429a53983d1ae0510824e9d74fb06cadaec5
  SHA512: b9049c70936817a3567286540c2f52d5c21f4f7bff4a3f2475e5a42e86cd448657b100483256f8d40344eb8f4b5351ea12529dea1faf51dde529f613deb98406
- Filesize: 312B
  MD5: 237d13f74da8be05b6165f1283d4b81c
  SHA1: 144e64eb61e2bb453236842e6ed2bd9a9f1bd4d6
  SHA256: ceaf3392b6d9f9c25ccfb5eac432ec855ffd1b8b843827843de68dece25e6778
  SHA512: 79860481a8ae803799227268ed09e2e793fdd3da9f7ce7e14454e559e488cbba6e542e93e644f6ec938c3136e326df540a9020478dddf06690d7f8231703941e