Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
08-05-2024 07:52
Static task
static1
Behavioral task
behavioral1
Sample
23e473332d88b997592273f52100dd71_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
23e473332d88b997592273f52100dd71_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
23e473332d88b997592273f52100dd71_JaffaCakes118.exe
-
Size
1014KB
-
MD5
23e473332d88b997592273f52100dd71
-
SHA1
632af0c3d2d79ce41172195bfe99c1e2aedbc1db
-
SHA256
4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec
-
SHA512
c6538d6a169d37b685e2ccb9f1deee365946735947b16576fb915b5988b1956da32298e641c8cf2c367813786c5e29730c83397ab0bcee9e7ba82a230e45eb5c
-
SSDEEP
12288:NDIWlcxVmnXbvMH4/pdcyd163+bX4v9Y/gM1oZPkYU7pMAlcZfj7g1P:NDIIXQuz1bIVYHYRQcZG
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule behavioral1/memory/2616-6-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2616-8-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2616-11-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/2616-15-0x0000000002130000-0x00000000021A6000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/2616-15-0x0000000002130000-0x00000000021A6000-memory.dmp WebBrowserPassView -
Nirsoft 1 IoCs
resource yara_rule behavioral1/memory/2616-15-0x0000000002130000-0x00000000021A6000-memory.dmp Nirsoft -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1640 set thread context of 2616 1640 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 28 -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1640 23e473332d88b997592273f52100dd71_JaffaCakes118.exe Token: SeDebugPrivilege 2616 23e473332d88b997592273f52100dd71_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1640 wrote to memory of 2616 1640 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 28 PID 1640 wrote to memory of 2616 1640 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 28 PID 1640 wrote to memory of 2616 1640 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 28 PID 1640 wrote to memory of 2616 1640 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 28 PID 1640 wrote to memory of 2616 1640 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 28 PID 1640 wrote to memory of 2616 1640 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 28 PID 1640 wrote to memory of 2616 1640 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 28 PID 1640 wrote to memory of 2616 1640 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 28 PID 1640 wrote to memory of 2616 1640 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\23e473332d88b997592273f52100dd71_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\23e473332d88b997592273f52100dd71_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\23e473332d88b997592273f52100dd71_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\23e473332d88b997592273f52100dd71_JaffaCakes118.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616
-