Analysis
- max time kernel: 136s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-05-2024 05:08
Static task: static1
Behavioral task: behavioral1
- Sample: 2354acc2e08040fdb4e398ea40062da9_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 2354acc2e08040fdb4e398ea40062da9_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
General
- Target: 2354acc2e08040fdb4e398ea40062da9_JaffaCakes118.exe
- Size: 779KB
- MD5: 2354acc2e08040fdb4e398ea40062da9
- SHA1: 8a525b3b5548ed9307c9d6386ee279670f876217
- SHA256: c17aec1f84a9e118f4ad17718876fc631d6338029f2b671a2c10d9dab9ffd57e
- SHA512: de34ef2dcb88954d6e89d35155ec88abb77f6ea45c2da4484da444199a7d408aaa7af6b680609472f1dbdabcd1ed2aeaf35a27c297889a1cd40ebf56598218ae
- SSDEEP: 24576:7qRL+nFbsPPfNvSbPWCPYMT76af4RWkF2btD4:7qb9v2uCvxeC
Malware Config
- Extracted family: hawkeye_reborn (no config fields shown in the report)
Signatures

Detect ZGRat V1 (1 IoC)

| resource | yara_rule |
|---|---|
| behavioral2/memory/640-5-0x0000000005710000-0x0000000005732000-memory.dmp | family_zgrat_v1 |

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

| resource | yara_rule |
|---|---|
| behavioral2/memory/3828-15-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger |
NirSoft MailPassView (4 IoCs)
Password recovery tool for various email clients

| resource | yara_rule |
|---|---|
| behavioral2/memory/3828-19-0x0000000005660000-0x00000000056D6000-memory.dmp | MailPassView |
| behavioral2/memory/4232-31-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView |
| behavioral2/memory/4232-32-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView |
| behavioral2/memory/4232-34-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView |

NirSoft WebBrowserPassView (4 IoCs)
Password recovery tool for various web browsers

| resource | yara_rule |
|---|---|
| behavioral2/memory/3828-19-0x0000000005660000-0x00000000056D6000-memory.dmp | WebBrowserPassView |
| behavioral2/memory/1756-22-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView |
| behavioral2/memory/1756-23-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView |
| behavioral2/memory/1756-29-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView |

Nirsoft (7 IoCs)

| resource | yara_rule |
|---|---|
| behavioral2/memory/3828-19-0x0000000005660000-0x00000000056D6000-memory.dmp | Nirsoft |
| behavioral2/memory/1756-22-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft |
| behavioral2/memory/1756-23-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft |
| behavioral2/memory/1756-29-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft |
| behavioral2/memory/4232-31-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft |
| behavioral2/memory/4232-32-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft |
| behavioral2/memory/4232-34-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft |
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | 2354acc2e08040fdb4e398ea40062da9_JaffaCakes118.exe |

Executes dropped EXE (2 IoCs)

| pid | Process |
|---|---|
| 4912 | AdobeAcrobat18.exe |
| 3828 | AdobeAcrobat18.exe |

Uses the VBS compiler for execution (1 TTP)

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe |

Adds Run key to start application (2 TTPs, 1 IoC)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Acrobat 18 = "C:\\Users\\Admin\\AppData\\Local\\AdobeAcrobat18.exe -boot" | AdobeAcrobat18.exe |

Suspicious use of SetThreadContext (3 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4912 set thread context of 3828 | 4912 | AdobeAcrobat18.exe | 105 |
| PID 3828 set thread context of 1756 | 3828 | AdobeAcrobat18.exe | 106 |
| PID 3828 set thread context of 4232 | 3828 | AdobeAcrobat18.exe | 107 |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (14 IoCs; identical entries collapsed, count in the last column)

| pid | Process | occurrences |
|---|---|---|
| 1756 | vbc.exe | 12 |
| 3828 | AdobeAcrobat18.exe | 2 |

Suspicious use of AdjustPrivilegeToken (3 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 640 | 2354acc2e08040fdb4e398ea40062da9_JaffaCakes118.exe |
| Token: SeDebugPrivilege | 4912 | AdobeAcrobat18.exe |
| Token: SeDebugPrivilege | 3828 | AdobeAcrobat18.exe |

Suspicious use of SetWindowsHookEx (1 IoC)

| pid | Process |
|---|---|
| 3828 | AdobeAcrobat18.exe |

Suspicious use of WriteProcessMemory (35 IoCs; identical entries collapsed, count in the last column)

| description | pid | Process | procid_target | occurrences |
|---|---|---|---|---|
| PID 640 wrote to memory of 4936 | 640 | 2354acc2e08040fdb4e398ea40062da9_JaffaCakes118.exe | 97 | 3 |
| PID 640 wrote to memory of 1616 | 640 | 2354acc2e08040fdb4e398ea40062da9_JaffaCakes118.exe | 99 | 3 |
| PID 3524 wrote to memory of 4912 | 3524 | explorer.exe | 101 | 3 |
| PID 4912 wrote to memory of 3828 | 4912 | AdobeAcrobat18.exe | 105 | 8 |
| PID 3828 wrote to memory of 1756 | 3828 | AdobeAcrobat18.exe | 106 | 9 |
| PID 3828 wrote to memory of 4232 | 3828 | AdobeAcrobat18.exe | 107 | 9 |
Processes
- C:\Users\Admin\AppData\Local\Temp\2354acc2e08040fdb4e398ea40062da9_JaffaCakes118.exe (PID 640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2354acc2e08040fdb4e398ea40062da9_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4936)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\2354acc2e08040fdb4e398ea40062da9_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
  - C:\Windows\SysWOW64\explorer.exe (PID 1616)
    Command line: "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
- C:\Windows\explorer.exe (PID 3524)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe (PID 4912)
    Command line: "C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe (PID 3828)
      Command line: "C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1756)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFE84.tmp"
        - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4232)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp28C.tmp"
        - Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 779KB
  MD5: 2354acc2e08040fdb4e398ea40062da9
  SHA1: 8a525b3b5548ed9307c9d6386ee279670f876217
  SHA256: c17aec1f84a9e118f4ad17718876fc631d6338029f2b671a2c10d9dab9ffd57e
  SHA512: de34ef2dcb88954d6e89d35155ec88abb77f6ea45c2da4484da444199a7d408aaa7af6b680609472f1dbdabcd1ed2aeaf35a27c297889a1cd40ebf56598218ae
- Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
- Filesize: 4KB
  MD5: e255c36d21183acb0a1a38b1344443f0
  SHA1: 9fd09dd85a76f8211e9ba81929a1f10d3c499917
  SHA256: 00459ae0cad2abd0641bc5e9fb35d08bccec2d498173adc35810ae820eb55b47
  SHA512: 0e1319f62957c7b3bf1d6573bf24a0bb1cbaf8a0665de6584483885f8c340545cacf36800436892073979a02f3739526569b8c01f862ca9a4b3940c31ad51d4a