Analysis
max time kernel: 136s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 09-05-2024 16:23
Static task: static1
Behavioral task: behavioral1
  Sample: 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe
Size: 827KB
MD5: 2ad3b43bab543feeaf885a8437f57260
SHA1: e819b840779103e5ba1eb5daa0085f005db2b24c
SHA256: 48c0a41a1c195645583c2b0fbf22708fd945078e2628637f7dfb691dfba5893e
SHA512: 95773dd8f148ec70f13f666507cce8e8452e3c73198e67bdafa6207f941448239265f1e3a23017af2760e78f19000e66f802f852ef456c9fe04686354169f274
SSDEEP: 24576:xHS8ojy3NlFk2eNne0POIebvBNOzEB9D/0huu:xHrojy9l3we0P0N0IDcIu
Malware Config
Extracted: hawkeye_reborn
fields: name
Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
resource | yara_rule
behavioral2/memory/4516-27-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
behavioral2/memory/2688-25-0x0000000005630000-0x00000000056C0000-memory.dmp | m00nd3v_logger

NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/4524-43-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
behavioral2/memory/4524-42-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
behavioral2/memory/4524-41-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/memory/1208-33-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
behavioral2/memory/1208-32-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
behavioral2/memory/1208-39-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView

Nirsoft (6 IoCs)
resource | yara_rule
behavioral2/memory/1208-33-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/1208-32-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/1208-39-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/4524-43-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
behavioral2/memory/4524-42-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
behavioral2/memory/4524-41-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft

Drops startup file (1 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iRDgQZ.url | 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe
Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTPs)
vbc.exe is the Visual Basic .NET compiler, not a VBScript engine, and in this run it compiles nothing. RegAsm.exe (PID 4516) sets the thread context of both vbc.exe instances (PIDs 1208 and 4524), the WebBrowserPassView and MailPassView YARA rules match inside their memory, and both are launched with the NirSoft "/stext" switch, which writes recovered credentials to the named text file. The Microsoft-signed compiler binary is only the hollowed host for the injected password-recovery tools.
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 2688 set thread context of 4516 | 2688 | 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe | 93
PID 4516 set thread context of 1208 | 4516 | RegAsm.exe | 100
PID 4516 set thread context of 4524 | 4516 | RegAsm.exe | 101

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4760 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process | hits
2688 | 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe | 2
1208 | vbc.exe | 12
4516 | RegAsm.exe | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2688 | 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe
Token: SeDebugPrivilege | 4516 | RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4516 | RegAsm.exe

Suspicious use of WriteProcessMemory (38 IoCs; each row is repeated once per call in the raw report, the repeat count is given in the last column)
description | pid | Process | procid_target | repeats
PID 2688 wrote to memory of 3472 | 2688 | 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe | 85 | 3
PID 3472 wrote to memory of 5804 | 3472 | csc.exe | 88 | 3
PID 2688 wrote to memory of 4388 | 2688 | 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe | 89 | 3
PID 2688 wrote to memory of 4760 | 2688 | 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe | 91 | 3
PID 2688 wrote to memory of 4516 | 2688 | 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe | 93 | 8
PID 4516 wrote to memory of 1208 | 4516 | RegAsm.exe | 100 | 9
PID 4516 wrote to memory of 4524 | 4516 | RegAsm.exe | 101 | 9
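The SetThreadContext and WriteProcessMemory tables above are enough to reconstruct the injection chain without opening the memory dumps: a process that first writes into another process and then replaces its thread context is performing process hollowing, while a parent that only writes into a freshly created child (csc.exe, schtasks.exe here) is just launching it. The script below is an added example, not part of the Triage report; its input rows are copied from the tables above (one copy per source/target pair), and the pid-to-image map is taken from the Processes section of this report.

```python
import re
from collections import defaultdict

# Rows constructed from the SetThreadContext and WriteProcessMemory tables of the
# report. Triage prints one WriteProcessMemory row per call, so the raw report
# repeats each row several times; one copy per (source, target) pair is enough.
SET_THREAD_CONTEXT = """
PID 2688 set thread context of 4516 2688 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe 93
PID 4516 set thread context of 1208 4516 RegAsm.exe 100
PID 4516 set thread context of 4524 4516 RegAsm.exe 101
"""

WRITE_PROCESS_MEMORY = """
PID 2688 wrote to memory of 3472 2688 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe 85
PID 3472 wrote to memory of 5804 3472 csc.exe 88
PID 2688 wrote to memory of 4388 2688 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe 89
PID 2688 wrote to memory of 4760 2688 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe 91
PID 2688 wrote to memory of 4516 2688 2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe 93
PID 4516 wrote to memory of 1208 4516 RegAsm.exe 100
PID 4516 wrote to memory of 4524 4516 RegAsm.exe 101
"""

# pid -> image name, taken from the Processes section of the report
IMAGES = {
    2688: "2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe",
    3472: "csc.exe", 5804: "cvtres.exe", 4388: "schtasks.exe", 4760: "schtasks.exe",
    4516: "RegAsm.exe", 1208: "vbc.exe", 4524: "vbc.exe",
}

# Microsoft-signed .NET framework binaries that are routinely used as hollowing hosts
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "vbc.exe", "csc.exe", "msbuild.exe", "installutil.exe"}

# "PID <src> set thread context of|wrote to memory of <dst> <src> <image> <procid_target>"
ROW = re.compile(r"PID (\d+) (?:set thread context of|wrote to memory of) (\d+) \d+ \S+ \d+")


def parse_pairs(table):
    """Return the set of (source_pid, target_pid) pairs found in a Triage table."""
    pairs = set()
    for line in table.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


def hollowing_pairs(set_ctx, write_mem):
    """Pairs that appear in BOTH tables: the source wrote a payload into the target
    and then redirected its thread, which is the process-hollowing pattern."""
    return sorted(set_ctx & write_mem)


def injection_chains(pairs, root):
    """Follow hollowing pairs outward from root; one list of pids per leaf process."""
    children = defaultdict(list)
    for src, dst in pairs:
        children[src].append(dst)
    chains = []

    def walk(pid, path):
        if not children[pid]:
            chains.append(path)
        for nxt in sorted(children[pid]):
            walk(nxt, path + [nxt])

    walk(root, [root])
    return chains


def describe(chain):
    """Render a chain as text, tagging every hollowed .NET host along the way."""
    parts = []
    for pid in chain:
        name = IMAGES.get(pid, "?")
        hollowed = pid != chain[0] and name.lower() in DOTNET_HOSTS
        parts.append(f"{name}({pid})" + (" [hollowed .NET host]" if hollowed else ""))
    return " -> ".join(parts)


if __name__ == "__main__":
    pairs = hollowing_pairs(parse_pairs(SET_THREAD_CONTEXT), parse_pairs(WRITE_PROCESS_MEMORY))
    for chain in injection_chains(pairs, 2688):
        print(describe(chain))
```

Run against the rows from this report it yields two chains, sample -> RegAsm.exe -> vbc.exe (1208) and sample -> RegAsm.exe -> vbc.exe (4524), which matches the YARA hits: the M00nd3v_Logger rule fires in RegAsm.exe (4516), WebBrowserPassView in vbc.exe (1208) and MailPassView in vbc.exe (4524). The repeat counts in the report tell the same story: the hollowed targets received 8 to 9 writes each, the plainly spawned csc.exe and schtasks.exe children 3 each.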
Processes
C:\Users\Admin\AppData\Local\Temp\2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2ad3b43bab543feeaf885a8437f57260_JaffaCakes118.exe"
  PID: 2688
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\duqvcrf1\duqvcrf1.cmdline"
    PID: 3472
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40F1.tmp" "c:\Users\Admin\AppData\Local\Temp\duqvcrf1\CSCAC69F4103B394442A32B4A0AF23974.TMP"
      PID: 5804

  C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /query
    PID: 4388

  C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /sc MINUTE /tn iRDgQZ /MO 1 /tr "C:\Users\Admin\AppData\Roaming\mediac\mediac.exe\
    PID: 4760
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID: 4516
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6B3D.tmp"
      PID: 1208
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6F55.tmp"
      PID: 4524
      - Accesses Microsoft Outlook accounts
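The process tree carries the two command lines an analyst would pull out first: the schtasks.exe call that registers a task named iRDgQZ to run C:\Users\Admin\AppData\Roaming\mediac\mediac.exe every minute (the same name as the iRDgQZ.url dropped into the Startup folder, so both persistence mechanisms share one marker), and the vbc.exe invocations that carry the NirSoft "/stext" switch instead of compiler arguments. The script below is an added example, not part of the Triage report; the (image, command line) pairs are copied from the tree above, the trailing backslash on the schtasks line being reproduced as the report shows it. The list of .NET host binaries and the user-writable path pattern are the example's own choices, not something the report states.

```python
import re

# (image, command line) entries copied from the Processes section of the report
PROCESSES = [
    (r"C:\Windows\SysWOW64\schtasks.exe", '"schtasks.exe" /query'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     '"schtasks.exe" /create /sc MINUTE /tn iRDgQZ /MO 1 /tr "C:\\Users\\Admin\\AppData\\Roaming\\mediac\\mediac.exe\\'),
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6B3D.tmp"'),
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6F55.tmp"'),
]

# Microsoft-signed .NET framework binaries that never legitimately take NirSoft switches
# (the example's own list; the report only shows vbc.exe and RegAsm.exe being abused)
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}

# Locations an unprivileged user can write to; a task action living here is a red flag
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\users\\public\\", re.I)


def split_cmdline(cmd):
    """Minimal Windows-style splitter: whitespace separates, double quotes group,
    and an unterminated quote (as on the schtasks line) runs to end of string."""
    tokens, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def schtasks_options(tokens):
    """Map each /switch to its value; bare switches such as /create map to True."""
    opts, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 1
            else:
                opts[key] = True
        i += 1
    return opts


def review_schtasks(tokens):
    """Flag short-interval tasks and tasks whose action lives in a user-writable path."""
    opts = schtasks_options(tokens)
    if "create" not in opts:
        return []
    name = opts.get("tn", "?")
    sched, every, action = str(opts.get("sc", "")).upper(), str(opts.get("mo", "")), str(opts.get("tr", ""))
    out = []
    if sched == "MINUTE" and every.isdigit() and int(every) <= 5:
        out.append(f"task {name} re-runs every {every} minute(s): watchdog-style persistence")
    if USER_WRITABLE.search(action):
        out.append(f"task {name} executes from a user-writable path: {action}")
    return out


def review_process(image, cmd):
    """Findings for one process-tree entry."""
    exe = image.rsplit("\\", 1)[-1].lower()
    tokens = split_cmdline(cmd)
    if exe == "schtasks.exe":
        return review_schtasks(tokens)
    lowered = [t.lower() for t in tokens]
    if exe in DOTNET_HOSTS and "/stext" in lowered:
        i = lowered.index("/stext")
        dump = tokens[i + 1] if i + 1 < len(tokens) else "?"
        return [f"{exe} run with NirSoft /stext switch (credential dump to {dump}): hollowed host, not a compiler"]
    return []


def review_all(processes):
    """(image name, finding) for every entry that produced a finding."""
    return [(img.rsplit("\\", 1)[-1], f) for img, cmd in processes for f in review_process(img, cmd)]


if __name__ == "__main__":
    for name, finding in review_all(PROCESSES):
        print(f"{name}: {finding}")
```

The schtasks.exe /query call produces nothing, the /create call two findings (one-minute interval, action under AppData\Roaming), and each vbc.exe call one. Note that mediac.exe itself never appears in the process tree or the Downloads list of this report, so the task action is the only evidence of that path.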
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 4f5b92bf51874e933a86fb5c98b74e33
SHA1: b5b37e049a13e15fb0fdc8371a8f30fd1e4a0306
SHA256: 3c7f221ea525421a492810d5411b79dfb6a838eeb64148d1eeed5b3d49988f11
SHA512: 05104ee996a386dddeafe41aa2f575da237452c3c1e0d0fcc271cccf0938f19603efac353497b482577f3620d5b6e2a58ec2329e3c649e5d0fd9ca8997b3072f

Filesize: 7KB
MD5: 4dd12f2e4c4483f218cd566e8ac36a33
SHA1: 608a8fa39ff2c167f69aec885414f0adc0354321
SHA256: a7b9e68d199fb143ced6dde3d93b91b19d1a71dc0785d3611ebe2531047acef2
SHA512: fdff75694578aa08951526546060c4df87bc896b73d733f8e7710dbd761e5542a652c0e9d1f657183ea8808cfcf81cc67d12bfd44d430245154c7c987f200af6

Filesize: 19KB
MD5: c848371bfc7813b69f5982900ee3fb1d
SHA1: 2232cfee7675ecf43be6d0a5452f78acecb19149
SHA256: d5d8aae068fcb281ae92b8f9ce383ad6486e81f0e289ca82c48999d9b73eb457
SHA512: ed2843012accc3d6d52d0db05bff956980646bbe399c8f9edba9b1231f45a0591cdb1d4064ca37f256c4c0bfe768fcec1abf5e0a268cb3f4f1905641123438de

Filesize: 4KB
MD5: 0c71400795defb1ddf2816dcb2440470
SHA1: a9f25ddc014a44b58a890ac42ea47d98a3f754a3
SHA256: eef6222f63aae44aec7addd2cdf1d348af92b32e0be1d4c857c48d9a941d9dac
SHA512: 4d5fd766afe850d8282b85ca0ff3ef36e225e754254f43e1e3e0147675d40f901096199e666310e7f70b6cfbe9f33f3dbe4a063fbd4df7267190bad5121efabf

Filesize: 1KB
MD5: d1cacd854ee7d51d813bf2c085256875
SHA1: e5408dca7ae430e2231f32379f5efe9a9ef56009
SHA256: 48b226d9c13505daf8f9f89ab5749949ee263be7188ef17176db4bc85e39a4af
SHA512: 367a827278c555837c078b295d19961a32ed09be1ebdaf40627768ab500ca5e84f884700d5ce8c64b1ca48b995a3049dc958549375a699282738f11fa97532db

Filesize: 4KB
MD5: a04a63817eb03e5e7bad5a6a3d4209dc
SHA1: 1fc0258571ca78dbfa7aafe96195c27236319cfe
SHA256: 365e777df680a31c2d643ae25b623081dec6e523e70608cc28e86516e2bff634
SHA512: 13b83170e5a7816b1327623907bb5a244ff0159b23a3130c35d6a278e74be8366aa27a09e20abfaceb92c3d88f6568ecae9795d49d396c13c6c1a57770f4d33b

Filesize: 312B
MD5: e6606fd70329e47baf46aa6bcaeba72c
SHA1: 95eeb883e936c0fd9ae43392452aa2fa00238fa9
SHA256: 2cf3b47e84c4afb57946e5401068516c5dbb18dfabc0f0c324077c13753c61cb
SHA512: 8d5ff65f78e74d1e77aca9abff04ebe8663dae4ef3fa7b3ec285f1da71f0c9de4fc7c9c292373013504ba956079d36283a679b74955c6d46705bbdacd588389e