Analysis

  • max time kernel
    136s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-05-2024 05:08

General

  • Target

    2354acc2e08040fdb4e398ea40062da9_JaffaCakes118.exe

  • Size

    779KB

  • MD5

    2354acc2e08040fdb4e398ea40062da9

  • SHA1

    8a525b3b5548ed9307c9d6386ee279670f876217

  • SHA256

    c17aec1f84a9e118f4ad17718876fc631d6338029f2b671a2c10d9dab9ffd57e

  • SHA512

    de34ef2dcb88954d6e89d35155ec88abb77f6ea45c2da4484da444199a7d408aaa7af6b680609472f1dbdabcd1ed2aeaf35a27c297889a1cd40ebf56598218ae

  • SSDEEP

    24576:7qRL+nFbsPPfNvSbPWCPYMT76af4RWkF2btD4:7qb9v2uCvxeC

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • Detect ZGRat V1 1 IoCs
  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

  • ZGRat

    ZGRat is remote access trojan written in C#.

  • M00nD3v Logger payload 1 IoCs

    Detects M00nD3v Logger payload in memory.

  • NirSoft MailPassView 4 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2354acc2e08040fdb4e398ea40062da9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2354acc2e08040fdb4e398ea40062da9_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\2354acc2e08040fdb4e398ea40062da9_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
      2⤵
        PID:4936
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
        2⤵
          PID:1616
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3524
        • C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe
          "C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
          2⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4912
          • C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe
            "C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3828
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFE84.tmp"
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1756
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp28C.tmp"
              4⤵
              • Accesses Microsoft Outlook accounts
              PID:4232

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe

        Filesize

        779KB

        MD5

        2354acc2e08040fdb4e398ea40062da9

        SHA1

        8a525b3b5548ed9307c9d6386ee279670f876217

        SHA256

        c17aec1f84a9e118f4ad17718876fc631d6338029f2b671a2c10d9dab9ffd57e

        SHA512

        de34ef2dcb88954d6e89d35155ec88abb77f6ea45c2da4484da444199a7d408aaa7af6b680609472f1dbdabcd1ed2aeaf35a27c297889a1cd40ebf56598218ae

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdobeAcrobat18.exe.log

        Filesize

        1KB

        MD5

        8ec831f3e3a3f77e4a7b9cd32b48384c

        SHA1

        d83f09fd87c5bd86e045873c231c14836e76a05c

        SHA256

        7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

        SHA512

        26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

      • C:\Users\Admin\AppData\Local\Temp\tmpFE84.tmp

        Filesize

        4KB

        MD5

        e255c36d21183acb0a1a38b1344443f0

        SHA1

        9fd09dd85a76f8211e9ba81929a1f10d3c499917

        SHA256

        00459ae0cad2abd0641bc5e9fb35d08bccec2d498173adc35810ae820eb55b47

        SHA512

        0e1319f62957c7b3bf1d6573bf24a0bb1cbaf8a0665de6584483885f8c340545cacf36800436892073979a02f3739526569b8c01f862ca9a4b3940c31ad51d4a

      • memory/640-1-0x0000000000980000-0x0000000000A4C000-memory.dmp

        Filesize

        816KB

      • memory/640-2-0x0000000005760000-0x0000000005D04000-memory.dmp

        Filesize

        5.6MB

      • memory/640-3-0x00000000052B0000-0x0000000005342000-memory.dmp

        Filesize

        584KB

      • memory/640-4-0x00000000055A0000-0x00000000056D0000-memory.dmp

        Filesize

        1.2MB

      • memory/640-5-0x0000000005710000-0x0000000005732000-memory.dmp

        Filesize

        136KB

      • memory/640-6-0x0000000074D20000-0x00000000754D0000-memory.dmp

        Filesize

        7.7MB

      • memory/640-7-0x0000000002BD0000-0x0000000002BDA000-memory.dmp

        Filesize

        40KB

      • memory/640-11-0x0000000074D20000-0x00000000754D0000-memory.dmp

        Filesize

        7.7MB

      • memory/640-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

        Filesize

        4KB

      • memory/1756-22-0x0000000000400000-0x000000000045B000-memory.dmp

        Filesize

        364KB

      • memory/1756-23-0x0000000000400000-0x000000000045B000-memory.dmp

        Filesize

        364KB

      • memory/1756-28-0x0000000000460000-0x0000000000529000-memory.dmp

        Filesize

        804KB

      • memory/1756-29-0x0000000000400000-0x000000000045B000-memory.dmp

        Filesize

        364KB

      • memory/3828-19-0x0000000005660000-0x00000000056D6000-memory.dmp

        Filesize

        472KB

      • memory/3828-20-0x0000000005870000-0x00000000058D6000-memory.dmp

        Filesize

        408KB

      • memory/3828-15-0x0000000000400000-0x0000000000490000-memory.dmp

        Filesize

        576KB

      • memory/4232-31-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

      • memory/4232-32-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

      • memory/4232-34-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

      • memory/4912-14-0x0000000009880000-0x000000000991C000-memory.dmp

        Filesize

        624KB