Overview

overview

10

Static

static

3

3d539afa84...18.exe

windows7-x64

10

3d539afa84...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 01:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    3d539afa84c194e6ee2743e9a1d3d63b

  • SHA1

    f34fce9ffd3fbcc0301750f57829f44648d462b7

  • SHA256

    df44027aba6ccfa93994b556ec0ad139e0ed41f36510fdea9c17e378f48da80f

  • SHA512

    b506340f78580708b1afed9ecc24ea228044b1e3d23d9f09fb3944ec24d99d7d630e4ab62a265fac1d4b95aaf0064d0e1087a972ce9bffda7b4f31617cdc773b

  • SSDEEP

    24576:xs2iC2EShf8IZkfFnnq8G1JyqTBa1Wp8JcQmao54XBddNl7kQD2arhnch6taluTC:5zm8IiZqbA/1Wv8XBV+HluTI5L

Score
10/10
hawkeyecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 6 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Drops startup file 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Kills process with taskkill 15 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im firefox.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2216
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im
      2⤵
      • Kills process with taskkill
      PID:2508
    • C:\Users\Admin\AppData\Local\Temp\3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2528
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2540
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im firefox.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im
      2⤵
      • Kills process with taskkill
      PID:2628
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2376
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im firefox.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2372
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im
      2⤵
      • Kills process with taskkill
      PID:2396
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1564
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im firefox.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1428
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im
      2⤵
      • Kills process with taskkill
      PID:1372
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im firefox.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:756
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im
      2⤵
      • Kills process with taskkill
      PID:984
    • C:\Users\Admin\AppData\Local\Temp\3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2700
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:2264
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
          PID:2160
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 36
            4⤵
            • Program crash
            PID:1484

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2160-17-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2264-13-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2264-16-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2264-14-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2460-1-0x0000000074AA0000-0x000000007504B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2460-2-0x0000000074AA0000-0x000000007504B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2460-0-0x0000000074AA1000-0x0000000074AA2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2460-9-0x0000000074AA0000-0x000000007504B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2528-5-0x0000000074AA0000-0x000000007504B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2528-10-0x0000000074AA0000-0x000000007504B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2700-8-0x0000000000400000-0x0000000000488000-memory.dmp

      Filesize

      544KB

      Download

    • memory/2700-7-0x0000000000400000-0x0000000000488000-memory.dmp

      Filesize

      544KB

      Download

    • memory/2700-6-0x0000000000400000-0x0000000000488000-memory.dmp

      Filesize

      544KB

      Download