Analysis

  • max time kernel
    148s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-05-2024 05:08

General

  • Target

    53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    53277617691e152fa4c3c4d8e829cb98

  • SHA1

    27ea079be2661093bb51dc3f8bb446ce23442805

  • SHA256

    4709aa80f390c88e8fff0dfd4dc049150a3c627dda06a78b0d7b407c1bc46ac5

  • SHA512

    ebc2ab96fb91af26f4536d9320e9f4842efb8d845b9e2ecc8420c8d0423b3e4f35b631ce2636e8662cbbefcabf4bfafccec0f51b352aa174c19ab16d72b0ef0d

  • SSDEEP

    24576:nUMXIaug4/aJTMxiveFrZTssjbSEmsY6hnZggGEzHSz:U8/MaJoo2FrZIsjbS76hSlEzSz

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    moneyY23@@YYCK

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView 6 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 6 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Users\Admin\Desktop\filename.exe
      "C:\Users\Admin\Desktop\filename.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Users\Admin\Desktop\filename.exe
        "C:\Users\Admin\Desktop\filename.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:1536
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          4⤵
          PID:2500
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 1084
          4⤵
          • Loads dropped DLL
          PID:1868

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

      Filesize

      5B

      MD5

      5bfa51f3a417b98e7443eca90fc94703

      SHA1

      8c015d80b8a23f780bdd215dc842b0f5551f63bd

      SHA256

      bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

      SHA512

      4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F

      Filesize

      834B

      MD5

      cbed24fd2b55aea95367efca5ee889de

      SHA1

      946f48b5c344fd57113845cd483fed5fb9fa3e54

      SHA256

      1dc8a0fcbe260b77adfe5ad9aaac543239b2a0d9f4e1f3c2657beee4376ffee4

      SHA512

      c504a11ea576f8ce14de26a0617e22e71e14db0f1dadefc187ce94e4a35a83743c743824e3629899c262aae4772bb86a0ee5bb643db20645483f0c376215ec6b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_244F8153991C95DE7516D65AE7D1F0F6

      Filesize

      1KB

      MD5

      13affd7ca33dffe5e0c718ae0c8b77b0

      SHA1

      b4d5ba26fb29de5423119b234347fc0e3261bb3f

      SHA256

      7ca93293e1b412edaf65243efdb05653b67f2fe0c9e863472ae5688660650f91

      SHA512

      6d77b1b93b4fc166f1cb27e57f302f8781355eb2ae4e27a8a8bbc16ff2af84a26cdfc8a12d152e0e2838abde4a50911ebbbf11332d8b9b567854619aa3b195d0

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

      Filesize

      404B

      MD5

      65ef063c06b6880e4b881819d4ed9294

      SHA1

      abb3dd2af0054a4e0e4c37632740e0adef5a1f68

      SHA256

      960c0f346188e61af576c68483754c13e426d921ad148c04df5b07607812c801

      SHA512

      c03716c3eb1caef647a41c8f77cb48ad06d2296ea2dc670683c891caf48e1cb20f385188235cff76c850f41bbcb505e35ee89e766d1921668c5896bfac991545

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F

      Filesize

      188B

      MD5

      040075ff61593971de7e2377976c38c9

      SHA1

      9439066d6a24a56ce024f1dde145c7735574cdbe

      SHA256

      6a3feef5cd5e7ab75b2639c517ffa30b6b54926efd5f2765d74c3a56ea01989d

      SHA512

      42fc578f80c4597540d5deb9deecf97dbb59df46c0862dc7f0647d185b09ffa663144bb8b7a29fd183ad749f0334a5046978e9180449559039670fa6f1607165

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      07b7ca8afc90a8de4e0fa958f74ba8d8

      SHA1

      4700d5eb4a82b85fdc32d260ebc9dd8a93024fe3

      SHA256

      0591f07c198a4c8a9432458e9099f17d5ae29d06efe8d54a148fb833818a4a35

      SHA512

      a335bc86e69d4abc3063bf839df4bc790063c3a06e9875c98b6c444ae6f49245c6d1a4ad858b42ed5b60424af04c6c8bd0d3ea99d2a187603af39b0f1c355a57

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_244F8153991C95DE7516D65AE7D1F0F6

      Filesize

      398B

      MD5

      cd8a0342f0d493dd3dcbdbaa82eb9cb0

      SHA1

      f198b9bdeee94eb87b68397df68ec419ae0eb047

      SHA256

      09bbf59e8d6ec3cfbb301474c8e19d4d92dcf5e101f9353984c62b0338576f50

      SHA512

      f5239fb6931be0e5439db76afba11923ea167ab482ad18769f514d3df0ab900b7d78f18acfe3721de6eb9db4d9ff054abc78db2ed992bc1b617964c905d1d2c1

    • C:\Users\Admin\AppData\Local\Temp\Cab1B00.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\holderwb.txt

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • \Users\Admin\Desktop\filename.exe

      Filesize

      1.1MB

      MD5

      53277617691e152fa4c3c4d8e829cb98

      SHA1

      27ea079be2661093bb51dc3f8bb446ce23442805

      SHA256

      4709aa80f390c88e8fff0dfd4dc049150a3c627dda06a78b0d7b407c1bc46ac5

      SHA512

      ebc2ab96fb91af26f4536d9320e9f4842efb8d845b9e2ecc8420c8d0423b3e4f35b631ce2636e8662cbbefcabf4bfafccec0f51b352aa174c19ab16d72b0ef0d

    • memory/1536-59-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1536-61-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1536-58-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2496-69-0x0000000074C40000-0x00000000751EB000-memory.dmp

      Filesize

      5.7MB

    • memory/2496-54-0x0000000000400000-0x0000000000488000-memory.dmp

      Filesize

      544KB

    • memory/2496-52-0x0000000000400000-0x0000000000488000-memory.dmp

      Filesize

      544KB

    • memory/2496-49-0x0000000000400000-0x0000000000488000-memory.dmp

      Filesize

      544KB

    • memory/2496-55-0x0000000074C40000-0x00000000751EB000-memory.dmp

      Filesize

      5.7MB

    • memory/2500-62-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

    • memory/2500-67-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

    • memory/2500-63-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

    • memory/2668-68-0x0000000074C40000-0x00000000751EB000-memory.dmp

      Filesize

      5.7MB

    • memory/2668-32-0x0000000074C40000-0x00000000751EB000-memory.dmp

      Filesize

      5.7MB

    • memory/2740-0-0x0000000074C41000-0x0000000074C42000-memory.dmp

      Filesize

      4KB

    • memory/2740-33-0x0000000074C40000-0x00000000751EB000-memory.dmp

      Filesize

      5.7MB

    • memory/2740-1-0x0000000074C40000-0x00000000751EB000-memory.dmp

      Filesize

      5.7MB