Analysis
-
max time kernel
133s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
13-05-2024 14:23
Static task
static1
Behavioral task
behavioral1
Sample
3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
-
Size
881KB
-
MD5
3fe7d81139bd40361330a07f47bb99e1
-
SHA1
391bc516fe8e1feae96fb3c7c31bcccec4fa20e6
-
SHA256
4945a1a4f65271de23a99eaad0b4a08b472b2dcb60a60a5b06f26afad49da181
-
SHA512
f22e4e2fa6be336cd26fb46f9b7d9cc656670f6c8abf5283e1cd35e718a95a53145937adc70036fc7cf850234c9090b05a190bafd9ae2ad20d9bf8441103f63e
-
SSDEEP
24576:nLCwk7wqvxM/lttDB2jLRE2x5yY5oCCea:wxMrDkLRn5t58j
Malware Config
Extracted
hawkeye_reborn
10.0.0.0
Protocol: ftp- Host:
ftp.kagabo.net - Port:
21 - Username:
[email protected] - Password:
muN5j#u{1BT!
1bc13938-5cd4-41e5-af60-e3e8be7d4823
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:5 _FTPPassword:muN5j#u{1BT! _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.kagabo.net _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:1bc13938-5cd4-41e5-af60-e3e8be7d4823 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/748-56-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral1/memory/748-58-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral1/memory/748-59-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral1/memory/748-61-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/3028-34-0x0000000000400000-0x000000000045C000-memory.dmp WebBrowserPassView behavioral1/memory/3028-36-0x0000000000400000-0x000000000045C000-memory.dmp WebBrowserPassView behavioral1/memory/3028-37-0x0000000000400000-0x000000000045C000-memory.dmp WebBrowserPassView behavioral1/memory/3028-41-0x0000000000400000-0x000000000045C000-memory.dmp WebBrowserPassView -
Nirsoft 8 IoCs
resource yara_rule behavioral1/memory/3028-34-0x0000000000400000-0x000000000045C000-memory.dmp Nirsoft behavioral1/memory/3028-36-0x0000000000400000-0x000000000045C000-memory.dmp Nirsoft behavioral1/memory/3028-37-0x0000000000400000-0x000000000045C000-memory.dmp Nirsoft behavioral1/memory/3028-41-0x0000000000400000-0x000000000045C000-memory.dmp Nirsoft behavioral1/memory/748-56-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral1/memory/748-58-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral1/memory/748-59-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral1/memory/748-61-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 1252 set thread context of 2152 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 32 PID 2152 set thread context of 3028 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 34 PID 2152 set thread context of 748 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 37 -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 3028 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 45 IoCs
description pid Process procid_target PID 1252 wrote to memory of 1164 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 28 PID 1252 wrote to memory of 1164 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 28 PID 1252 wrote to memory of 1164 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 28 PID 1252 wrote to memory of 1164 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 28 PID 1252 wrote to memory of 1384 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 29 PID 1252 wrote to memory of 1384 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 29 PID 1252 wrote to memory of 1384 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 29 PID 1252 wrote to memory of 1384 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 29 PID 1252 wrote to memory of 1904 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 30 PID 1252 wrote to memory of 1904 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 30 PID 1252 wrote to memory of 1904 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 30 PID 1252 wrote to memory of 1904 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 30 PID 1252 wrote to memory of 1740 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 31 PID 1252 wrote to memory of 1740 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 31 PID 1252 wrote to memory of 1740 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 31 PID 1252 wrote to memory of 1740 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 31 PID 1252 wrote to memory of 2152 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 32 PID 1252 wrote to memory of 2152 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 32 PID 1252 wrote to memory of 2152 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 32 PID 1252 wrote to memory of 2152 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 32 PID 1252 wrote to memory of 2152 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 32 PID 1252 wrote to memory of 2152 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 32 PID 1252 wrote to memory of 2152 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 32 PID 1252 wrote to memory of 2152 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 32 PID 1252 wrote to memory of 2152 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 32 PID 2152 wrote to memory of 3028 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 34 PID 2152 wrote to memory of 3028 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 34 PID 2152 wrote to memory of 3028 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 34 PID 2152 wrote to memory of 3028 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 34 PID 2152 wrote to memory of 3028 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 34 PID 2152 wrote to memory of 3028 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 34 PID 2152 wrote to memory of 3028 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 34 PID 2152 wrote to memory of 3028 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 34 PID 2152 wrote to memory of 3028 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 34 PID 2152 wrote to memory of 3028 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 34 PID 2152 wrote to memory of 748 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 37 PID 2152 wrote to memory of 748 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 37 PID 2152 wrote to memory of 748 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 37 PID 2152 wrote to memory of 748 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 37 PID 2152 wrote to memory of 748 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 37 PID 2152 wrote to memory of 748 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 37 PID 2152 wrote to memory of 748 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 37 PID 2152 wrote to memory of 748 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 37 PID 2152 wrote to memory of 748 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 37 PID 2152 wrote to memory of 748 2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Users\Admin\AppData\Local\Temp\3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe"{path}"2⤵PID:1164
-
-
C:\Users\Admin\AppData\Local\Temp\3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe"{path}"2⤵PID:1384
-
-
C:\Users\Admin\AppData\Local\Temp\3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe"{path}"2⤵PID:1904
-
-
C:\Users\Admin\AppData\Local\Temp\3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe"{path}"2⤵PID:1740
-
-
C:\Users\Admin\AppData\Local\Temp\3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe"{path}"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9CCC.tmp"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3028
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8EAA.tmp"3⤵
- Accesses Microsoft Outlook accounts
PID:748
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84