Analysis
max time kernel: 135s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 12-05-2024 13:15

Static task: static1

Behavioral task: behavioral1
Sample: 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe
Size: 781KB
MD5: 3a4b5669a9bf7c169b932ddbff33b59d
SHA1: 2fa1301131d575ab034495a743df5e58b4aea00c
SHA256: 750a251b2cb599537856bfd91bb2249407dca68f0f77b4d8d5f6fa6950630000
SHA512: 506d252430c5c4424caae0215e01c662c9c12f682333f407477beb21cbcf2d009811e4edab011d8a3aeb1331ee317858a0d3d51baa055fec49a4e619ea95ade1
SSDEEP: 12288:D9bqQOGV1JbIL9YZ0k8vOkkP3qgV/l6TbKA4BRAiPrcG3bSw8:Jqtos9Yuk8vyPMqLCiPwA+w8
Malware Config
Extracted: hawkeye_reborn
Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
resource | yara_rule
behavioral1/memory/1560-22-0x0000000005270000-0x0000000005300000-memory.dmp | m00nd3v_logger
behavioral1/memory/2592-29-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
behavioral1/memory/2592-27-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
behavioral1/memory/2592-37-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
behavioral1/memory/2592-35-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
behavioral1/memory/2592-33-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
resource | yara_rule
behavioral1/memory/2592-39-0x00000000009B0000-0x0000000000A26000-memory.dmp | MailPassView
behavioral1/memory/2716-69-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
behavioral1/memory/2716-70-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
behavioral1/memory/2716-72-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
resource | yara_rule
behavioral1/memory/2592-39-0x00000000009B0000-0x0000000000A26000-memory.dmp | WebBrowserPassView
behavioral1/memory/2904-52-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
behavioral1/memory/2904-53-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
behavioral1/memory/2904-56-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
Nirsoft 7 IoCs
resource | yara_rule
behavioral1/memory/2592-39-0x00000000009B0000-0x0000000000A26000-memory.dmp | Nirsoft
behavioral1/memory/2904-52-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral1/memory/2904-53-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral1/memory/2904-56-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral1/memory/2716-69-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
behavioral1/memory/2716-70-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
behavioral1/memory/2716-72-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution 1 TTPs
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 1560 set thread context of 2592 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 31
PID 2592 set thread context of 2904 | 2592 | RegAsm.exe | 33
PID 2592 set thread context of 2716 | 2592 | RegAsm.exe | 36
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe
1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe
2904 | vbc.exe
2904 | vbc.exe
2904 | vbc.exe
2904 | vbc.exe
2904 | vbc.exe
2592 | RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe
Token: SeDebugPrivilege | 2592 | RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2592 | RegAsm.exe
Suspicious use of WriteProcessMemory 40 IoCs
description | pid | Process | procid_target
PID 1560 wrote to memory of 2956 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 28
PID 1560 wrote to memory of 2956 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 28
PID 1560 wrote to memory of 2956 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 28
PID 1560 wrote to memory of 2956 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 28
PID 2956 wrote to memory of 2616 | 2956 | csc.exe | 30
PID 2956 wrote to memory of 2616 | 2956 | csc.exe | 30
PID 2956 wrote to memory of 2616 | 2956 | csc.exe | 30
PID 2956 wrote to memory of 2616 | 2956 | csc.exe | 30
PID 1560 wrote to memory of 2592 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 31
PID 1560 wrote to memory of 2592 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 31
PID 1560 wrote to memory of 2592 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 31
PID 1560 wrote to memory of 2592 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 31
PID 1560 wrote to memory of 2592 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 31
PID 1560 wrote to memory of 2592 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 31
PID 1560 wrote to memory of 2592 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 31
PID 1560 wrote to memory of 2592 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 31
PID 1560 wrote to memory of 2592 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 31
PID 1560 wrote to memory of 2592 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 31
PID 1560 wrote to memory of 2592 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 31
PID 1560 wrote to memory of 2592 | 1560 | 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe | 31
PID 2592 wrote to memory of 2904 | 2592 | RegAsm.exe | 33
PID 2592 wrote to memory of 2904 | 2592 | RegAsm.exe | 33
PID 2592 wrote to memory of 2904 | 2592 | RegAsm.exe | 33
PID 2592 wrote to memory of 2904 | 2592 | RegAsm.exe | 33
PID 2592 wrote to memory of 2904 | 2592 | RegAsm.exe | 33
PID 2592 wrote to memory of 2904 | 2592 | RegAsm.exe | 33
PID 2592 wrote to memory of 2904 | 2592 | RegAsm.exe | 33
PID 2592 wrote to memory of 2904 | 2592 | RegAsm.exe | 33
PID 2592 wrote to memory of 2904 | 2592 | RegAsm.exe | 33
PID 2592 wrote to memory of 2904 | 2592 | RegAsm.exe | 33
PID 2592 wrote to memory of 2716 | 2592 | RegAsm.exe | 36
PID 2592 wrote to memory of 2716 | 2592 | RegAsm.exe | 36
PID 2592 wrote to memory of 2716 | 2592 | RegAsm.exe | 36
PID 2592 wrote to memory of 2716 | 2592 | RegAsm.exe | 36
PID 2592 wrote to memory of 2716 | 2592 | RegAsm.exe | 36
PID 2592 wrote to memory of 2716 | 2592 | RegAsm.exe | 36
PID 2592 wrote to memory of 2716 | 2592 | RegAsm.exe | 36
PID 2592 wrote to memory of 2716 | 2592 | RegAsm.exe | 36
PID 2592 wrote to memory of 2716 | 2592 | RegAsm.exe | 36
PID 2592 wrote to memory of 2716 | 2592 | RegAsm.exe | 36
Processes
C:\Users\Admin\AppData\Local\Temp\3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe"
  PID: 1560
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\za55srua\za55srua.cmdline"
    PID: 2956
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B00.tmp" "c:\Users\Admin\AppData\Local\Temp\za55srua\CSCABA342C3ACE4FF0AB548B7E7C6D69B.TMP"
      PID: 2616
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 2592
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4615.tmp"
      PID: 2904
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp37C4.tmp"
      PID: 2716
      - Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Enterprise v15
Downloads