Analysis
-
max time kernel
133s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
08-05-2024 07:52
Static task
static1
Behavioral task
behavioral1
Sample
23e473332d88b997592273f52100dd71_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
23e473332d88b997592273f52100dd71_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
23e473332d88b997592273f52100dd71_JaffaCakes118.exe
-
Size
1014KB
-
MD5
23e473332d88b997592273f52100dd71
-
SHA1
632af0c3d2d79ce41172195bfe99c1e2aedbc1db
-
SHA256
4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec
-
SHA512
c6538d6a169d37b685e2ccb9f1deee365946735947b16576fb915b5988b1956da32298e641c8cf2c367813786c5e29730c83397ab0bcee9e7ba82a230e45eb5c
-
SSDEEP
12288:NDIWlcxVmnXbvMH4/pdcyd163+bX4v9Y/gM1oZPkYU7pMAlcZfj7g1P:NDIIXQuz1bIVYHYRQcZG
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule behavioral2/memory/5028-8-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/5028-14-0x0000000005890000-0x0000000005906000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/5028-14-0x0000000005890000-0x0000000005906000-memory.dmp WebBrowserPassView -
Nirsoft 1 IoCs
resource yara_rule behavioral2/memory/5028-14-0x0000000005890000-0x0000000005906000-memory.dmp Nirsoft -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 33 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4284 set thread context of 5028 4284 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 93 -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4284 23e473332d88b997592273f52100dd71_JaffaCakes118.exe Token: SeDebugPrivilege 5028 23e473332d88b997592273f52100dd71_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4284 wrote to memory of 5028 4284 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 93 PID 4284 wrote to memory of 5028 4284 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 93 PID 4284 wrote to memory of 5028 4284 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 93 PID 4284 wrote to memory of 5028 4284 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 93 PID 4284 wrote to memory of 5028 4284 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 93 PID 4284 wrote to memory of 5028 4284 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 93 PID 4284 wrote to memory of 5028 4284 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 93 PID 4284 wrote to memory of 5028 4284 23e473332d88b997592273f52100dd71_JaffaCakes118.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\23e473332d88b997592273f52100dd71_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\23e473332d88b997592273f52100dd71_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Users\Admin\AppData\Local\Temp\23e473332d88b997592273f52100dd71_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\23e473332d88b997592273f52100dd71_JaffaCakes118.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5028
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\23e473332d88b997592273f52100dd71_JaffaCakes118.exe.log
Filesize1KB
MD5400f1cc1a0a0ce1cdabda365ab3368ce
SHA11ecf683f14271d84f3b6063493dce00ff5f42075
SHA256c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
SHA51214c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45