Analysis

max time kernel: 137s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 00:40

Static task: static1

Behavioral task: behavioral1
  Sample: 524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

Target: 524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe
Size: 893KB
MD5: 524a72efefa15f50c538d5a32a9b30a7
SHA1: af91692774e410e963556541d42d7d1c5adf906d
SHA256: d2d81b10778e3b7c19fcc2a0f4fe51730408ac9ea0b78b3fd5b884a59dad793c
SHA512: aa60c3315888907687447567a6e891af4fa9887b80b000daedb0a06459ce357e033da915ab53f7e98f62091c1a688b04b636bde380dad7ed9085f48182bab970
SSDEEP: 12288:OAgiqlYVU3/GkcX5wz4s4aHu0mXrPNg0sGV2hfVk0Q3U3:Or/CQO0grxsGEITK
Malware Config

Extracted

Family: hawkeye_reborn
Version: 10.1.2.0
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: [email protected]
Password: whyworry1090#
Mutex: 75e42b2e-0632-4d4a-9bad-323b26b60235

fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: true
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: whyworry1090#
  _EmailPort: 587
  _EmailSSL: true
  _EmailServer: mail.privateemail.com
  _EmailUsername: [email protected]
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 10
  _MeltFile: false
  _Mutex: 75e42b2e-0632-4d4a-9bad-323b26b60235
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 10.1.2.0
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false

name: HawkEye Keylogger - RebornX, Version=10.1.2.0, Culture=neutral, PublicKeyToken=null
Signatures

HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.

M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  resource: behavioral2/memory/1828-8-0x0000000000400000-0x0000000000490000-memory.dmp
  yara_rule: m00nd3v_logger
  (The rule matched a memory dump of PID 1828, the injected child, at its image region 0x400000-0x490000, not the sample on disk.)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  Process: 524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  All three by Process 524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe:
  Key opened: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 28
  ioc: bot.whatismyipaddress.com

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 5780 set thread context of 1828 | 5780 | 524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe | 88

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 2552
  Process: schtasks.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  5780 | 524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe (3 events)
  1828 | 524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5780 | 524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe
  Token: SeDebugPrivilege | 1828 | 524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  1828 | 524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 5780 wrote to memory of 2552 | 5780 | 524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe | 86 (3 events)
  PID 5780 wrote to memory of 1828 | 5780 | 524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe | 88 (8 events)

outlook_office_path (1 IoC)
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Process: 524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe

outlook_win_path (1 IoC)
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Process: 524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe (PID 5780)
  Command line: "C:\Users\Admin\AppData\Local\Temp\524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 2552, child of 5780)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LFXPstSsyuYsXg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4BDE.tmp"
    - Creates scheduled task(s)
    (The command line names System32 but the image runs from SysWOW64: the parent is a 32-bit process, so the path is subject to WOW64 file system redirection.)

  C:\Users\Admin\AppData\Local\Temp\524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe (PID 1828, child of 5780)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
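The process tree and the WriteProcessMemory/SetThreadContext signatures together describe one pattern: PID 5780 spawns a second copy of its own image (PID 1828), writes into it and replaces its thread context, after which the child installs a Windows hook and opens Outlook profile keys; separately, 5780 spawns schtasks.exe with a task definition dropped in the user's Temp directory. The following added example (not code from the report or from any sandbox) turns those observations into detection logic run over a constructed event stream. The event records and their field names are an assumption made for this example; the PIDs, image paths and command lines are the report's.

```python
"""Detection logic over sandbox-style process events, modelled on the report above.

Added example; the event schema is assumed, the PIDs/paths/command lines are the report's.
"""
import re
from collections import defaultdict

# Constructed event stream: the Processes and Signatures sections flattened to records.
EXE = r"C:\Users\Admin\AppData\Local\Temp\524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe"
EVENTS = [
    {"type": "create", "pid": 5780, "ppid": None, "image": EXE, "cmdline": f'"{EXE}"'},
    # Image path is SysWOW64 while the command line says System32 (WOW64 redirection):
    # match on the image path the kernel actually loaded, not on the command line.
    {"type": "create", "pid": 2552, "ppid": 5780, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LFXPstSsyuYsXg" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp4BDE.tmp"'},
    *[{"type": "write_memory", "pid": 5780, "target": 2552}] * 3,
    {"type": "create", "pid": 1828, "ppid": 5780, "image": EXE, "cmdline": '"{path}"'},
    *[{"type": "write_memory", "pid": 5780, "target": 1828}] * 8,
    {"type": "set_thread_context", "pid": 5780, "target": 1828},
    {"type": "adjust_privilege", "pid": 1828, "privilege": "SeDebugPrivilege"},
    {"type": "set_windows_hook", "pid": 1828},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def detect_hollowing(events):
    """Flag a source that both writes into and sets the thread context of the same target.

    Writes alone are not enough: a parent also writes into any child it has just created
    (CreateProcess copies the process parameters in), which is why the three writes into
    schtasks.exe must not fire. Write + SetThreadContext on one target means the source has
    replaced what that target will execute.
    """
    created = {e["pid"]: e for e in events if e["type"] == "create"}
    ops = defaultdict(set)
    for e in events:
        if e["type"] in ("write_memory", "set_thread_context"):
            ops[(e["pid"], e["target"])].add(e["type"])
    hooked = {e["pid"] for e in events if e["type"] == "set_windows_hook"}
    hits = []
    for (src, dst), kinds in ops.items():
        if kinds != {"write_memory", "set_thread_context"}:
            continue
        src_img = created.get(src, {}).get("image", "").lower()
        dst_img = created.get(dst, {}).get("image", "").lower()
        hits.append({
            "rule": "process_hollowing",
            "source": src,
            "target": dst,
            # Spawning a copy of one's own image and hollowing it is the common crypter pattern.
            "self_image": bool(src_img) and src_img == dst_img,
            # A hollowed process that then installs a Windows hook is the keylogging stage.
            "target_sets_hook": dst in hooked,
        })
    return hits


def detect_schtasks_from_temp(events):
    """Flag schtasks.exe /Create whose /XML task definition lives under the user's Temp folder."""
    hits = []
    for e in events:
        if e["type"] != "create" or not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        cmd = e["cmdline"]
        xml = re.search(r'/XML\s+"([^"]+)"', cmd, re.IGNORECASE)
        if "/create" not in cmd.lower() or not xml or not TEMP_DIR.search(xml.group(1)):
            continue
        name = re.search(r'/TN\s+"([^"]+)"', cmd, re.IGNORECASE)
        hits.append({
            "rule": "schtasks_xml_from_temp",
            "pid": e["pid"],
            "parent": e["ppid"],
            "task": name.group(1) if name else None,
            "xml": xml.group(1),
        })
    return hits


def run(events):
    """All findings for one event stream."""
    return detect_hollowing(events) + detect_schtasks_from_temp(events)


if __name__ == "__main__":
    for hit in run(EVENTS):
        print(hit)
```

On this stream the hollowing rule fires once (5780 into 1828, same image, target later sets a hook) and the schtasks rule once (task `Updates\LFXPstSsyuYsXg`, XML under Temp, parent 5780). The three writes into PID 2552 do not produce a finding, which is the check that keeps the rule from flagging every process launch.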
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\524a72efefa15f50c538d5a32a9b30a7_JaffaCakes118.exe.log
  Filesize: 496B
  MD5: cb76b18ebed3a9f05a14aed43d35fba6
  SHA1: 836a4b4e351846fca08b84149cb734cb59b8c0d6
  SHA256: 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
  SHA512: 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c
  (A usage log under CLR_v2.0_32 is written by the 32-bit .NET runtime when it hosts the sample; it confirms that managed code ran, consistent with the .NET family and the arch:x86 tag, rather than being a payload the sample dropped.)

Second file (path not captured in this export)
  Filesize: 1KB
  MD5: d6de980d3e81a14c31bb0f4037204b9a
  SHA1: 19a76df89e3437d7d0ab975bddaf73f4edd31a0d
  SHA256: 3661976ddbc71067b63bac7275547c2c6f2a458b8e5c51dbbd4ba6d944c01e40
  SHA512: 320db2148c27abb671fb7af951dabf680bb8ce350f62b434d52c87cfc787525d3dfb4bc98cb06f388509c458198d0c70106e8561717bf8c9b6e2b54401094a4c