hawkeye | 97b1a0a2a2f05f22c3f9ac4152e34ad4d629c577ea9425020d5f8ce204d583d0

General

Target

28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
Size

644KB
MD5

28fbf26d76059fb5f277eaae5b7f894b
SHA1

8bf8f4ccadd44da372359a31598856e187dc5b1f
SHA256

97b1a0a2a2f05f22c3f9ac4152e34ad4d629c577ea9425020d5f8ce204d583d0
SHA512

2db87c5f04edbfee71575ca045dd96e694e75b0c84a7400e01ba429af44987052d7b7b694bdbc5ef808b917d1f39d6ab6f521b40d895e3c1d8da938450800660
SSDEEP

12288:q0wKEpZHDQi7vhMgWMzU9l9fDWmSsLbpnHrM8DoiQQWpH3UMQ9fp6zgJGE0:1Ejki75MTSCaaLbpnQ/zpU9ozMa

Score

10^/10

hawkeye collection keylogger spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
secure.emailsrvr.com
Port:
587
Username:
[email protected]
Password:
Wako2j22#

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4860-9-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral2/memory/916-76-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/916-78-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/916-81-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4860-9-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral2/memory/624-83-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/624-85-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/624-87-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/624-95-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4860-9-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral2/memory/916-76-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/916-78-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/916-81-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/624-83-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/624-85-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/624-87-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/624-95-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp4819.tmp	acprotect

Loads dropped DLL 1 IoCs

Processes:

28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe

pid process

4860 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe

pid	process
4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp4819.tmp	upx
behavioral2/memory/4860-70-0x0000000072E30000-0x0000000072E5E000-memory.dmp	upx
behavioral2/memory/4860-82-0x0000000072E30000-0x0000000072E5E000-memory.dmp	upx
behavioral2/memory/4860-97-0x0000000072E30000-0x0000000072E5E000-memory.dmp	upx
behavioral2/memory/4860-105-0x0000000072E30000-0x0000000072E5E000-memory.dmp	upx
behavioral2/memory/4860-110-0x0000000072E30000-0x0000000072E5E000-memory.dmp	upx
behavioral2/memory/4860-111-0x0000000072E30000-0x0000000072E5E000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 whatismyipaddress.com
14 whatismyipaddress.com

flow	ioc
16	whatismyipaddress.com
14	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe

description	pid	process	target process
PID 3184 set thread context of 4860	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
PID 4860 set thread context of 916	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 set thread context of 624	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exevbc.exe28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe

pid process

3184 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
624 vbc.exe
624 vbc.exe
4860 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe

pid	process
3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
624	vbc.exe
624	vbc.exe
4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
Token: SeDebugPrivilege	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe

pid process

4860 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe

pid	process
4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe

description	pid	process	target process
PID 3184 wrote to memory of 4860	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
PID 3184 wrote to memory of 4860	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
PID 3184 wrote to memory of 4860	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
PID 3184 wrote to memory of 4860	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
PID 3184 wrote to memory of 4860	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
PID 3184 wrote to memory of 4860	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
PID 3184 wrote to memory of 4860	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
PID 3184 wrote to memory of 4860	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
PID 3184 wrote to memory of 2756	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	sysmon.exe
PID 3184 wrote to memory of 784	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	fontdrvhost.exe
PID 3184 wrote to memory of 1176	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 1764	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 1368	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 5024	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 1756	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 1160	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 3124	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 1348	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 952	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 1148	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 1344	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	OfficeClickToRun.exe
PID 3184 wrote to memory of 3500	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	Explorer.EXE
PID 3184 wrote to memory of 1132	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 2116	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 2508	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 1716	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 1320	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 2500	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 2696	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	svchost.exe
PID 3184 wrote to memory of 4860	3184	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
PID 4860 wrote to memory of 916	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 916	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 916	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 916	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 916	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 916	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 916	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 916	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 916	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 624	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 624	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 624	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 624	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 624	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 624	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 624	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 624	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe
PID 4860 wrote to memory of 624	4860	28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe	vbc.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2696

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184

C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe"
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
4⤵
- Accesses Microsoft Outlook accounts
PID:916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5024

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\432fggqdd.txt
Filesize
4B

MD5
f0bf4a2da952528910047c31b6c2e951

SHA1
ffcfe351b0fdac5d8f8d204046564d1070bb80a3

SHA256
cea90c1d2627a9e02bf853214a48a1248ed861512124d2333e9193deaa088f65

SHA512
6798038129c1a5453fc4e766077a7a32c40246d359a687ce1283b479ce9d2074e792330d735dda5925cedf3cd6f8ee189b9827b5096c4fbf59116af277bd7ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fggqdd.txt
Filesize
84B

MD5
ffde9988c78c77f01503787cb84611a3

SHA1
a945ba914b21ba99f3ddd8bfa13bdc2599ac7e6a

SHA256
9ab16cacc9cfc0ac83653c4a16beeb25ceaa63b01d6ad3f389e7aac917848a5c

SHA512
38536e7f0f74f4159176eefd053b44dddc7eef75cd6ff5d6563bc3a02bc5298c1c66719ceed94ed149fb7141ab68d8131accf13c0fd6f101d3e5b83bb90f32c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4819.tmp
Filesize
66KB

MD5
aaa698721f488b181bc0f0afc5da126a

SHA1
76536a73f16ffd643ea24f8725cebfff9d49852f

SHA256
e71ba7ce01d10e60a4feac7fc5e04f34756ba621c7d88583d0f96bd3b2655647

SHA512
67d8b05678fbdc1678515c341fa8c1e26f3d1b15f2cc390bb9b1a26589a346fd57697dd3366e72d46ab265570929f1be89b8aec81112a2a98194c5886c89261d

Download Submit
memory/624-95-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/624-87-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/624-85-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/624-83-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/916-78-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/916-79-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/916-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/916-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3184-1-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/3184-72-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/3184-2-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/3184-0-0x0000000075412000-0x0000000075413000-memory.dmp

Filesize
4KB

Download
memory/4860-63-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/4860-70-0x0000000072E30000-0x0000000072E5E000-memory.dmp

Filesize
184KB

Download
memory/4860-65-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/4860-69-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/4860-9-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4860-86-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/4860-75-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/4860-82-0x0000000072E30000-0x0000000072E5E000-memory.dmp

Filesize
184KB

Download
memory/4860-96-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/4860-97-0x0000000072E30000-0x0000000072E5E000-memory.dmp

Filesize
184KB

Download
memory/4860-99-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/4860-105-0x0000000072E30000-0x0000000072E5E000-memory.dmp

Filesize
184KB

Download
memory/4860-110-0x0000000072E30000-0x0000000072E5E000-memory.dmp

Filesize
184KB

Download
memory/4860-111-0x0000000072E30000-0x0000000072E5E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads