General

  • Target

    2b478db2af56153a2cee33f71213cc2f_JaffaCakes118

  • Size

    753KB

  • Sample

    240509-wz1pesbb39

  • MD5

    2b478db2af56153a2cee33f71213cc2f

  • SHA1

    bce28f5f6b310898c08413b94b4cdb2b15dce4b8

  • SHA256

    934fa3c723ef0371168b39cec66e9f23297d9cd1d6eeae9db2b602044bfdfff1

  • SHA512

    64ce4bb46478d21f225d22b8733efbf03d4e18093fe2692ed189060e46a3e3d92f77727699a9f5f09aeca9969229bc4bbac6a3f673680eac403101334517e019

  • SSDEEP

    12288:xgB3AAoSMCDXZyPheGF/oP5mjp3kn4OuLh/7/pUwp/ihyvPRr:IqTeJ+heG9jpzOohz/CwBihc

Targets

    • Target

      2b478db2af56153a2cee33f71213cc2f_JaffaCakes118

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                  Technique                      ID          Count
  Execution               Scripting                      T1064       1
  Execution               Scheduled Task/Job             T1053       1
  Persistence             Scheduled Task/Job             T1053       1
  Privilege Escalation    Scheduled Task/Job             T1053       1
  Defense Evasion         Scripting                      T1064       1
  Defense Evasion         Subvert Trust Controls         T1553       1
  Defense Evasion         Install Root Certificate       T1553.004   1
  Defense Evasion         Modify Registry                T1112       1
  Discovery               Query Registry                 T1012       3
  Discovery               System Information Discovery   T1082       4
  Collection              Email Collection               T1114       1