Overview

overview

10

Static

static

1

2b478db2af...18.exe

windows7-x64

10

2b478db2af...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 18:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe

  • Size

    753KB

  • MD5

    2b478db2af56153a2cee33f71213cc2f

  • SHA1

    bce28f5f6b310898c08413b94b4cdb2b15dce4b8

  • SHA256

    934fa3c723ef0371168b39cec66e9f23297d9cd1d6eeae9db2b602044bfdfff1

  • SHA512

    64ce4bb46478d21f225d22b8733efbf03d4e18093fe2692ed189060e46a3e3d92f77727699a9f5f09aeca9969229bc4bbac6a3f673680eac403101334517e019

  • SSDEEP

    12288:xgB3AAoSMCDXZyPheGF/oP5mjp3kn4OuLh/7/pUwp/ihyvPRr:IqTeJ+heG9jpzOohz/CwBihc

Score
10/10
hawkeyecollectionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 6 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 6 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Update\VDFFSHBXCTFGHDNMBGKZXDDXNVMNCCXBGBNXJNCJM" /XML "C:\Users\Admin\AppData\Local\Temp\z169"
      2⤵
      • Creates scheduled task(s)
      PID:4688
    • C:\Users\Admin\AppData\Local\Temp\2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:4408
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:640
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 1364
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:3120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\z169
    Filesize

    1KB

    MD5

    f34359e35c1ec733397aeb21f905976d

    SHA1

    781561d362233bd12309927cd4f03244a64fe0ec

    SHA256

    220db0c8f771ea072c8f3199dc051d198df61b8b65083703cf635d8126076615

    SHA512

    4fb9add476040bab90f2c428b1cf357e34e083960dde267513528f5871e299e3ac5d870c7402a2b1b0b81a2c2308ed1379c80909782ba1b1dbec663b43a7f8a0

    Download Submit
  • memory/640-34-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/640-27-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/640-26-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/1372-16-0x0000000074E70000-0x0000000075421000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1372-1-0x0000000074E70000-0x0000000075421000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1372-2-0x0000000074E70000-0x0000000075421000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1372-0-0x0000000074E72000-0x0000000074E73000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3512-9-0x0000000000400000-0x0000000000488000-memory.dmp
    Filesize

    544KB

    Download
  • memory/3512-8-0x0000000000400000-0x0000000000488000-memory.dmp
    Filesize

    544KB

    Download
  • memory/3512-19-0x0000000074E70000-0x0000000075421000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3512-44-0x0000000074E70000-0x0000000075421000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3512-37-0x0000000074E70000-0x0000000075421000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3512-36-0x0000000074E70000-0x0000000075421000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3512-35-0x0000000074E70000-0x0000000075421000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3512-13-0x0000000074E70000-0x0000000075421000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3512-12-0x0000000074E70000-0x0000000075421000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3512-10-0x0000000000400000-0x0000000000488000-memory.dmp
    Filesize

    544KB

    Download
  • memory/3512-14-0x0000000074E70000-0x0000000075421000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4408-24-0x0000000000420000-0x00000000004E9000-memory.dmp
    Filesize

    804KB

    Download
  • memory/4408-23-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4408-22-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4408-20-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download