General

  • Target

    5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118

  • Size

    775KB

  • Sample

    240519-24lc7agb7w

  • MD5

    5bf3f4153e1c39a2852d96d268f130b6

  • SHA1

    16b899e8dca610a1f1abb754ffd95c1f6b7cd4fc

  • SHA256

    48084ef013a8f27920d631352f87d1d63a5e63cf2354e4e854b24e220ef3662a

  • SHA512

    55e9261cc831dd5bb1620bb31aad178676d624399cfc26d065930aa306267e186c7a2d89a23001192743ba4d020d274f951918d4f4c9f593e2c28108029afa87

  • SSDEEP

    24576:wgSzmwm2Oo3KSe2w8Q27H6DJ4owJ8KIe:wgyk2OmKSRw8faDp0DI

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Targets

    • Target

      5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118

    • Size

      775KB

    • MD5

      5bf3f4153e1c39a2852d96d268f130b6

    • SHA1

      16b899e8dca610a1f1abb754ffd95c1f6b7cd4fc

    • SHA256

      48084ef013a8f27920d631352f87d1d63a5e63cf2354e4e854b24e220ef3662a

    • SHA512

      55e9261cc831dd5bb1620bb31aad178676d624399cfc26d065930aa306267e186c7a2d89a23001192743ba4d020d274f951918d4f4c9f593e2c28108029afa87

    • SSDEEP

      24576:wgSzmwm2Oo3KSe2w8Q27H6DJ4owJ8KIe:wgyk2OmKSRw8faDp0DI

    • HawkEye Reborn

      HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • M00nD3v Logger payload

      Detects M00nD3v Logger payload in memory.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks