Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
14-05-2024 08:26
General
-
Target
40d8409d81ecf1e7bef4b135a8eec054_JaffaCakes118.exe
-
Size
739KB
-
MD5
40d8409d81ecf1e7bef4b135a8eec054
-
SHA1
aceda599cc1666d7ad67ad4404275b59e1f49cda
-
SHA256
8250c4cba2061a09f1b67ef42738e80e488f1fd44dea12b35071c15acdee4f04
-
SHA512
bd48ceaf3c72836e93622afee9b73529475f7d7605187d727c279644dc7a3bb79922df5ecf8422df8ce2392bb3b3f26cd38d8c01a9622a4c9800a3ad13f36fd0
-
SSDEEP
12288:/6SJGKFYrwBD79S5RQGPDYTnnWe7hPtOiOGb5:/6SPXhIHQGPD+nnp7hVOijF
Malware Config
Extracted
Protocol: smtp- Host:
smtp.zoho.com - Port:
587 - Username:
[email protected] - Password:
internationallove147
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
Detect ZGRat V1 1 IoCs
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
M00nD3v Logger payload 1 IoCs
Detects M00nD3v Logger payload in memory.
-
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
-
Nirsoft 7 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\40d8409d81ecf1e7bef4b135a8eec054_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\40d8409d81ecf1e7bef4b135a8eec054_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\40d8409d81ecf1e7bef4b135a8eec054_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\start.exe"2⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\start.exe"2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\start.exe"C:\Users\Admin\AppData\Local\start.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\start.exe"C:\Users\Admin\AppData\Local\start.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp37A5.tmp"4⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3BAD.tmp"4⤵
- Accesses Microsoft Outlook accounts
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706B
MD5f8bcaf312de8591707436c1dcebba8e4
SHA1a1269828e5f644601622f4a7a611aec8f2eda0b2
SHA256f0f5a90777c70cdceea22bd66b33c1703a318acc45cb012d0b01585a1ac12b29
SHA5123a714f5950584abbc94a27bbd4623bfc5acb1135c8c9fca4d74e70c8481b71ace7dbc1dfbf101dd07c76a050acfb4852f31dd57fc7ae196382336c5edc9e6413
-
Filesize
4KB
MD5135c60fadfa99b241d9109417db8b53c
SHA1b73785818a32e8d84bb55c02ccdc3d546a615526
SHA25601fc52f877352f6252d3d9351993fc35d7b6b0051ac6d3146184e12f9bc6e704
SHA51276812b91e51f1a206e3829b44cf13ee4cc4e5e90d88c0b0b3755b1e092eee26e6a4b18ef038a311a9443dab138761ff45fdd18145931207764c2355047611f51
-
Filesize
739KB
MD540d8409d81ecf1e7bef4b135a8eec054
SHA1aceda599cc1666d7ad67ad4404275b59e1f49cda
SHA2568250c4cba2061a09f1b67ef42738e80e488f1fd44dea12b35071c15acdee4f04
SHA512bd48ceaf3c72836e93622afee9b73529475f7d7605187d727c279644dc7a3bb79922df5ecf8422df8ce2392bb3b3f26cd38d8c01a9622a4c9800a3ad13f36fd0
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
160KB
-
Filesize
1.2MB
-
Filesize
776KB
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
472KB
-
Filesize
576KB
-
Filesize
40KB