Analysis
- max time kernel: 92s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-05-2024 13:15

Static task: static1

Behavioral task: behavioral1
- Sample: 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe
- Size: 781KB
- MD5: 3a4b5669a9bf7c169b932ddbff33b59d
- SHA1: 2fa1301131d575ab034495a743df5e58b4aea00c
- SHA256: 750a251b2cb599537856bfd91bb2249407dca68f0f77b4d8d5f6fa6950630000
- SHA512: 506d252430c5c4424caae0215e01c662c9c12f682333f407477beb21cbcf2d009811e4edab011d8a3aeb1331ee317858a0d3d51baa055fec49a4e619ea95ade1
- SSDEEP: 12288:D9bqQOGV1JbIL9YZ0k8vOkkP3qgV/l6TbKA4BRAiPrcG3bSw8:Jqtos9Yuk8vyPMqLCiPwA+w8
Malware Config

Extracted
- Protocol: smtp
- Host: SMTP.zoho.com
- Port: 587
- Username: [email protected]
- Password: Tunde1992$$

Extracted
- hawkeye_reborn
- fields
- name
Signatures

- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.

- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  resource / yara_rule:
  - behavioral2/memory/5104-23-0x00000000054B0000-0x0000000005540000-memory.dmp: m00nd3v_logger
  - behavioral2/memory/4104-25-0x0000000000400000-0x0000000000490000-memory.dmp: m00nd3v_logger
- NirSoft MailPassView 4 IoCs
  Password recovery tool for various email clients
  resource / yara_rule:
  - behavioral2/memory/4104-29-0x00000000072C0000-0x0000000007336000-memory.dmp: MailPassView
  - behavioral2/memory/632-47-0x0000000000400000-0x000000000041C000-memory.dmp: MailPassView
  - behavioral2/memory/632-46-0x0000000000400000-0x000000000041C000-memory.dmp: MailPassView
  - behavioral2/memory/632-49-0x0000000000400000-0x000000000041C000-memory.dmp: MailPassView

- NirSoft WebBrowserPassView 5 IoCs
  Password recovery tool for various web browsers
  resource / yara_rule:
  - behavioral2/memory/4104-29-0x00000000072C0000-0x0000000007336000-memory.dmp: WebBrowserPassView
  - behavioral2/memory/1824-34-0x0000000000400000-0x000000000045B000-memory.dmp: WebBrowserPassView
  - behavioral2/memory/1824-36-0x0000000000400000-0x000000000045B000-memory.dmp: WebBrowserPassView
  - behavioral2/memory/1824-37-0x0000000000400000-0x000000000045B000-memory.dmp: WebBrowserPassView
  - behavioral2/memory/1824-44-0x0000000000400000-0x000000000045B000-memory.dmp: WebBrowserPassView

- Nirsoft 8 IoCs
  resource / yara_rule:
  - behavioral2/memory/4104-29-0x00000000072C0000-0x0000000007336000-memory.dmp: Nirsoft
  - behavioral2/memory/1824-34-0x0000000000400000-0x000000000045B000-memory.dmp: Nirsoft
  - behavioral2/memory/1824-36-0x0000000000400000-0x000000000045B000-memory.dmp: Nirsoft
  - behavioral2/memory/1824-37-0x0000000000400000-0x000000000045B000-memory.dmp: Nirsoft
  - behavioral2/memory/1824-44-0x0000000000400000-0x000000000045B000-memory.dmp: Nirsoft
  - behavioral2/memory/632-47-0x0000000000400000-0x000000000041C000-memory.dmp: Nirsoft
  - behavioral2/memory/632-46-0x0000000000400000-0x000000000041C000-memory.dmp: Nirsoft
  - behavioral2/memory/632-49-0x0000000000400000-0x000000000041C000-memory.dmp: Nirsoft
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.

- Uses the VBS compiler for execution 1 TTPs

- Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  description / ioc / Process:
  - Key opened: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (vbc.exe)

- Suspicious use of SetThreadContext 3 IoCs
  description / pid / Process / procid_target:
  - PID 5104 set thread context of 4104 (3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe, target 84)
  - PID 4104 set thread context of 1824 (RegAsm.exe, target 86)
  - PID 4104 set thread context of 632 (RegAsm.exe, target 87)

- Suspicious behavior: EnumeratesProcesses 16 IoCs
  pid / Process (duplicate entries collapsed):
  - 5104 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe (2 entries)
  - 1824 vbc.exe (12 entries)
  - 4104 RegAsm.exe (2 entries)

- Suspicious use of AdjustPrivilegeToken 2 IoCs
  description / pid / Process:
  - Token: SeDebugPrivilege, PID 5104, 3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe
  - Token: SeDebugPrivilege, PID 4104, RegAsm.exe

- Suspicious use of SetWindowsHookEx 1 IoCs
  pid / Process:
  - 4104 RegAsm.exe

- Suspicious use of WriteProcessMemory 32 IoCs
  description / pid / Process / procid_target (duplicate entries collapsed):
  - PID 5104 wrote to memory of 4740 (3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe, target 81): 3 entries
  - PID 4740 wrote to memory of 1536 (csc.exe, target 83): 3 entries
  - PID 5104 wrote to memory of 4104 (3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe, target 84): 8 entries
  - PID 4104 wrote to memory of 1824 (RegAsm.exe, target 86): 9 entries
  - PID 4104 wrote to memory of 632 (RegAsm.exe, target 87): 9 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe (depth 1, PID 5104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a4b5669a9bf7c169b932ddbff33b59d_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (depth 2, PID 4740)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ddfeca5\4ddfeca5.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 3, PID 1536)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES562E.tmp" "c:\Users\Admin\AppData\Local\Temp\4ddfeca5\CSC6234B760391430D9042773DBB7803A.TMP"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 2, PID 4104)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 3, PID 1824)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp807A.tmp"
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 3, PID 632)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8483.tmp"
      - Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Enterprise v15
Downloads