Analysis
-
max time kernel
150s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
11-05-2024 22:23
Static task
static1
Behavioral task
behavioral1
Sample
36db1e26a1a79efc953e56ab8f4956c4_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
36db1e26a1a79efc953e56ab8f4956c4_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
36db1e26a1a79efc953e56ab8f4956c4_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
36db1e26a1a79efc953e56ab8f4956c4
-
SHA1
09f7a2f2148b5be0c96fc43928751ebd9deee935
-
SHA256
ea927b1ad0a23078d15f4789b2e2dc4956315725538b2e52410b5b3e1f4a1b33
-
SHA512
fadd5f519c245a8bb7594c297123ec10d30ded76f8fedc90525d7eadf0a7d2db7bba9d221b8f11847abb82a59d25300965a5709ea6ed074e303812153abcb2ab
-
SSDEEP
12288:YhAI2pfi6HXuWSuACYMS0OHDYG7sYoH5trz7jhzunzYmAi1zWlY+oMk+y3NhyO6:YhjAK6HzSN/MS0tZJ66
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule
behavioral2/memory/4580-4-0x0000000004B10000-0x0000000004BA0000-memory.dmp m00nd3v_logger
behavioral2/memory/992-6-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger
-
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
resource yara_rule
behavioral2/memory/1424-24-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView
behavioral2/memory/1424-26-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView
behavioral2/memory/1424-27-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView
behavioral2/memory/1424-29-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView
-
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
resource yara_rule
behavioral2/memory/5116-12-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView
behavioral2/memory/5116-14-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView
behavioral2/memory/5116-15-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView
behavioral2/memory/5116-22-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView
-
Nirsoft 8 IoCs
resource yara_rule
behavioral2/memory/5116-12-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft
behavioral2/memory/5116-14-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft
behavioral2/memory/5116-15-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft
behavioral2/memory/5116-22-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft
behavioral2/memory/1424-24-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft
behavioral2/memory/1424-26-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft
behavioral2/memory/1424-27-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft
behavioral2/memory/1424-29-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft
-
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe\Debugger = "rundll32.exe" RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "rundll32.exe" RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe\Debugger = "rundll32.exe" RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe\Debugger = "rundll32.exe" RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "rundll32.exe" RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\Debugger = "rundll32.exe" RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "rundll32.exe" RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "rundll32.exe" RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "rundll32.exe" RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe\Debugger = "rundll32.exe" RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe\Debugger = "rundll32.exe" RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "rundll32.exe" RegAsm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "rundll32.exe" RegAsm.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe
-
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target
PID 4580 set thread context of 992 4580 36db1e26a1a79efc953e56ab8f4956c4_JaffaCakes118.exe 83
PID 992 set thread context of 5116 992 RegAsm.exe 96
PID 992 set thread context of 1424 992 RegAsm.exe 97
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
4580 36db1e26a1a79efc953e56ab8f4956c4_JaffaCakes118.exe
4580 36db1e26a1a79efc953e56ab8f4956c4_JaffaCakes118.exe
992 RegAsm.exe (this row is repeated 62 times in the report)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
992 RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 4580 36db1e26a1a79efc953e56ab8f4956c4_JaffaCakes118.exe
Token: SeDebugPrivilege 992 RegAsm.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
992 RegAsm.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target
PID 4580 wrote to memory of 992 4580 36db1e26a1a79efc953e56ab8f4956c4_JaffaCakes118.exe 83 (this row is repeated 8 times in the report)
PID 992 wrote to memory of 5116 992 RegAsm.exe 96 (this row is repeated 9 times in the report)
PID 992 wrote to memory of 1424 992 RegAsm.exe 97 (this row is repeated 9 times in the report)
Processes
-
C:\Users\Admin\AppData\Local\Temp\36db1e26a1a79efc953e56ab8f4956c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36db1e26a1a79efc953e56ab8f4956c4_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Sets file execution options in registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:992
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6486.tmp"
        PID:5116
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp68AE.tmp"
        - Accesses Microsoft Outlook accounts
        PID:1424
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
4KB
MD5
a35b8711bea28d54fb7a350adceb3f76
SHA1
5872d7a95a74ec6de08194283027fcf2cdb96390
SHA256
a90449e696cb37fa289ab8dcd0888734c74d0b61273231a0ce0e93adfd2d8137
SHA512
d997e0ace25eff648f16395a4771402465b39fa059d3b0f36efbd743c691bf4308c58d5585e3aebc63c206d18d01edf46f14b0cb5cffe6f1d5bf9132d76d9210