Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
19-05-2024 23:08
Static task
static1
Behavioral task
behavioral1
Sample
5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe
-
Size
775KB
-
MD5
5bf3f4153e1c39a2852d96d268f130b6
-
SHA1
16b899e8dca610a1f1abb754ffd95c1f6b7cd4fc
-
SHA256
48084ef013a8f27920d631352f87d1d63a5e63cf2354e4e854b24e220ef3662a
-
SHA512
55e9261cc831dd5bb1620bb31aad178676d624399cfc26d065930aa306267e186c7a2d89a23001192743ba4d020d274f951918d4f4c9f593e2c28108029afa87
-
SSDEEP
24576:wgSzmwm2Oo3KSe2w8Q27H6DJ4owJ8KIe:wgyk2OmKSRw8faDp0DI
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule behavioral1/memory/2972-13-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2972-15-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2972-16-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/2972-17-0x0000000000ED0000-0x0000000000F46000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/2972-17-0x0000000000ED0000-0x0000000000F46000-memory.dmp WebBrowserPassView -
Nirsoft 1 IoCs
resource yara_rule behavioral1/memory/2972-17-0x0000000000ED0000-0x0000000000F46000-memory.dmp Nirsoft -
Executes dropped EXE 2 IoCs
pid Process 2336 packages.exe 2972 packages.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/1660-3-0x0000000000500000-0x000000000052C000-memory.dmp agile_net -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Local\\packages.exe -boot" packages.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2336 set thread context of 2972 2336 packages.exe 35 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1660 5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe 2336 packages.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1660 5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe Token: SeDebugPrivilege 2336 packages.exe Token: SeDebugPrivilege 2972 packages.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 1660 wrote to memory of 1884 1660 5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe 28 PID 1660 wrote to memory of 1884 1660 5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe 28 PID 1660 wrote to memory of 1884 1660 5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe 28 PID 1660 wrote to memory of 1884 1660 5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe 28 PID 1660 wrote to memory of 2680 1660 5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe 30 PID 1660 wrote to memory of 2680 1660 5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe 30 PID 1660 wrote to memory of 2680 1660 5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe 30 PID 1660 wrote to memory of 2680 1660 5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe 30 PID 1876 wrote to memory of 2336 1876 explorer.exe 32 PID 1876 wrote to memory of 2336 1876 explorer.exe 32 PID 1876 wrote to memory of 2336 1876 explorer.exe 32 PID 1876 wrote to memory of 2336 1876 explorer.exe 32 PID 2336 wrote to memory of 2972 2336 packages.exe 35 PID 2336 wrote to memory of 2972 2336 packages.exe 35 PID 2336 wrote to memory of 2972 2336 packages.exe 35 PID 2336 wrote to memory of 2972 2336 packages.exe 35 PID 2336 wrote to memory of 2972 2336 packages.exe 35 PID 2336 wrote to memory of 2972 2336 packages.exe 35 PID 2336 wrote to memory of 2972 2336 packages.exe 35 PID 2336 wrote to memory of 2972 2336 packages.exe 35 PID 2336 wrote to memory of 2972 2336 packages.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5bf3f4153e1c39a2852d96d268f130b6_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\packages.exe"2⤵PID:1884
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\packages.exe"2⤵PID:2680
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Users\Admin\AppData\Local\packages.exe"C:\Users\Admin\AppData\Local\packages.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Users\Admin\AppData\Local\packages.exe"C:\Users\Admin\AppData\Local\packages.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
775KB
MD55bf3f4153e1c39a2852d96d268f130b6
SHA116b899e8dca610a1f1abb754ffd95c1f6b7cd4fc
SHA25648084ef013a8f27920d631352f87d1d63a5e63cf2354e4e854b24e220ef3662a
SHA51255e9261cc831dd5bb1620bb31aad178676d624399cfc26d065930aa306267e186c7a2d89a23001192743ba4d020d274f951918d4f4c9f593e2c28108029afa87