Analysis
-
max time kernel
100s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
14-05-2024 01:07
General
-
Target
3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118.exe
-
Size
1.4MB
-
MD5
3d539afa84c194e6ee2743e9a1d3d63b
-
SHA1
f34fce9ffd3fbcc0301750f57829f44648d462b7
-
SHA256
df44027aba6ccfa93994b556ec0ad139e0ed41f36510fdea9c17e378f48da80f
-
SHA512
b506340f78580708b1afed9ecc24ea228044b1e3d23d9f09fb3944ec24d99d7d630e4ab62a265fac1d4b95aaf0064d0e1087a972ce9bffda7b4f31617cdc773b
-
SSDEEP
24576:xs2iC2EShf8IZkfFnnq8G1JyqTBa1Wp8JcQmao54XBddNl7kQD2arhnch6taluTC:5zm8IiZqbA/1Wv8XBV+HluTI5L
Score
10/10
Malware Config
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
NirSoft MailPassView 6 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
-
Nirsoft 6 IoCs
-
Drops startup file 3 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Kills process with taskkill 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im firefox.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im2⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im firefox.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im firefox.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im firefox.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im firefox.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im2⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 364⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2160-17-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/2264-13-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2264-16-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2264-14-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2460-1-0x0000000074AA0000-0x000000007504B000-memory.dmpFilesize
5.7MB
-
memory/2460-2-0x0000000074AA0000-0x000000007504B000-memory.dmpFilesize
5.7MB
-
memory/2460-0-0x0000000074AA1000-0x0000000074AA2000-memory.dmpFilesize
4KB
-
memory/2460-9-0x0000000074AA0000-0x000000007504B000-memory.dmpFilesize
5.7MB
-
memory/2528-5-0x0000000074AA0000-0x000000007504B000-memory.dmpFilesize
5.7MB
-
memory/2528-10-0x0000000074AA0000-0x000000007504B000-memory.dmpFilesize
5.7MB
-
memory/2700-8-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/2700-7-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/2700-6-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB