General

  • Target

    2aca79fda2f8a1921295b09bd486de16_JaffaCakes118

  • Size

    808KB

  • Sample

    240509-tps6gsdg94

  • MD5

    2aca79fda2f8a1921295b09bd486de16

  • SHA1

    0e6bf9c82791862d69836bd14aceca46841bf53a

  • SHA256

    19c68f9e178765d9676476754db29a351eb8eebf905bb97b95e0c954520052a5

  • SHA512

    7408354fec602fac9e16b16220d657ced49c39be7a365dd10d6c77c0d955bfce9249520288ded3f454d30e7c38d00b9f615e0b2ffc4cc37ec08498ba793f515e

  • SSDEEP

    12288:D/YzK338/LgnU7wz9yl084/hAQR/8Hcmy6ZzPa8csxEU6LRHb6+js+:kz//Lg5cf4/hVR/88GZO8vOU2Hb6+s+

Malware Config

Extracted

  • Family

    hawkeye_reborn

  • Attributes

    fields: (empty)
    name: (empty)

Targets

    • Target

      2aca79fda2f8a1921295b09bd486de16_JaffaCakes118

    • Size

      808KB

    • MD5

      2aca79fda2f8a1921295b09bd486de16

    • SHA1

      0e6bf9c82791862d69836bd14aceca46841bf53a

    • SHA256

      19c68f9e178765d9676476754db29a351eb8eebf905bb97b95e0c954520052a5

    • SHA512

      7408354fec602fac9e16b16220d657ced49c39be7a365dd10d6c77c0d955bfce9249520288ded3f454d30e7c38d00b9f615e0b2ffc4cc37ec08498ba793f515e

    • SSDEEP

      12288:D/YzK338/LgnU7wz9yl084/hAQR/8Hcmy6ZzPa8csxEU6LRHb6+js+:kz//Lg5cf4/hVR/88GZO8vOU2Hb6+s+

    • Detect Neshta payload

    • HawkEye Reborn

      HawkEye Reborn is the rebranded, updated release of the HawkEye keylogger/credential-stealer kit.

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • Neshta

      Neshta is a file infector: it inserts its own code into other executables so that running any infected program spreads it further and damages the host program.

    • M00nD3v Logger payload

      Detects M00nD3v Logger payload in memory.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
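The "Modifies system executable filetype association" finding (ATT&CK T1546.001) is the one most worth alerting on from this report: once the `exefile\shell\open\command` default value points at an attacker binary, every .exe launch re-executes it, which is how Neshta persists. The detection below is an added example, not code from the sandbox or from any of the families named above. It runs over constructed Sysmon Event ID 13 (registry value set) records embedded inline; the `C:\Windows\svchost.com` path in the first record is the documented Neshta dropper location, used here as an assumption rather than something this report states. The check normalizes the HKLM\SOFTWARE\Classes, HKCR and per-user HKU\<SID>\Software\Classes (or HKU\<SID>_Classes) spellings onto one key so a user-scope hijack, which shadows the machine-wide association, is caught as well.

```python
"""Flag registry writes that re-point the .exe file association
(ATT&CK T1546.001, Change Default File Association).

Input: dicts shaped like Sysmon Event ID 13 records. The events are
constructed for this example, not taken from the sandbox report."""
import re

# Value Windows ships for HKCR\exefile\shell\open\command (Default).
EXEFILE_DEFAULT = '"%1" %*'

# Canonical form of the key after normalize_key().
EXEFILE_COMMAND = r"HKCR\exefile\shell\open\command\(Default)"

# Constructed Sysmon EID 13 records (assumed field names: Image,
# TargetObject, Details, matching Sysmon's event schema).
SAMPLE_EVENTS = [
    # Machine-wide hijack, the Neshta pattern (dropper path is an assumption).
    {"EventID": 13, "Image": r"C:\Windows\svchost.com",
     "TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     "Details": r'C:\Windows\svchost.com "%1" %*'},
    # Same key written back to the default: a clean-up, not a hijack.
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     "Details": '"%1" %*'},
    # Run-key persistence: a different technique, must not match this rule.
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\updater.exe"},
    # Per-user hijack via the user's Classes hive; shadows the HKLM value.
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001_Classes\exefile\shell\open\command\(Default)",
     "Details": r'C:\Users\victim\AppData\Roaming\x.exe "%1" %*'},
]


def normalize_key(target: str) -> str:
    """Map the spellings Sysmon and other tooling use for the merged
    HKEY_CLASSES_ROOT view onto a single HKCR\\... form."""
    t = target.strip()
    t = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", t, flags=re.I)
    t = re.sub(r"^HKEY_USERS", "HKU", t, flags=re.I)
    t = re.sub(r"^HKEY_CURRENT_USER", "HKCU", t, flags=re.I)
    t = re.sub(r"^HKEY_CLASSES_ROOT", "HKCR", t, flags=re.I)
    # Machine-wide classes live under HKLM\SOFTWARE\Classes.
    t = re.sub(r"^HKLM\\SOFTWARE\\Classes\\", r"HKCR\\", t, flags=re.I)
    # Per-user classes: HKCU\Software\Classes, which Sysmon may render as
    # HKU\<SID>\Software\Classes or as the separate HKU\<SID>_Classes hive.
    t = re.sub(r"^HKCU\\Software\\Classes\\", r"HKCR\\", t, flags=re.I)
    t = re.sub(r"^HKU\\[^\\]+?(?:_Classes|\\Software\\Classes)\\", r"HKCR\\", t, flags=re.I)
    return t


def is_exefile_hijack(event: dict) -> bool:
    """True when a value-set event points the .exe open verb at anything
    other than the stock '"%1" %*' command line."""
    if event.get("EventID") != 13:
        return False
    if normalize_key(event["TargetObject"]).lower() != EXEFILE_COMMAND.lower():
        return False
    return event["Details"].strip() != EXEFILE_DEFAULT


def scan(events) -> list:
    """Return the subset of events that hijack the .exe association."""
    return [e for e in events if is_exefile_hijack(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"T1546.001 exefile hijack by {hit['Image']}: {hit['Details']}")
```

Of the four constructed records, only the two that set a non-default command line are reported; the restore-to-default write and the Run-key write are ignored. A live-host version of the same check reads the (Default) value of both the HKLM and the current user's `Software\Classes\exefile\shell\open\command` keys and compares each against `"%1" %*`; anything else, in particular a path prepended to that string, is the hijack.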

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                          ID         Signatures
  --------------------  ---------------------------------  ---------  ----------
  Persistence           Event Triggered Execution          T1546      1
                        Change Default File Association    T1546.001  1
  Privilege Escalation  Event Triggered Execution          T1546      1
                        Change Default File Association    T1546.001  1
  Defense Evasion       Modify Registry                    T1112      1
  Credential Access     Unsecured Credentials              T1552      1
                        Credentials In Files               T1552.001  1
  Discovery             Query Registry                     T1012      1
                        System Information Discovery       T1082      2
  Collection            Data from Local System             T1005      1

  The "Signatures" column is the number of behavioural signatures above that map to each technique.
Tasks