Extracted

• • Target

    6220dbc17e6c4579e23a93c103344d04_JaffaCakes118

  • Size

    1.0MB

  • MD5

    6220dbc17e6c4579e23a93c103344d04

  • SHA1

    78e9640d470745acfb2648d56e35febc30f6e684

  • SHA256

    154c3a1d1e1a4213c0dbd5d4d21f983219626f5ed2eb824f3670394e6555c162

  • SHA512

    5c4fd1ea005b890debb0d5635073a45a5ec2a640a133b53b1dac8c554765b3f96c69fbbae619a6e8c12ee46079895e42b4bf79ec8c4b0f09ee12d377441bc583

  • SSDEEP

    12288:0P+xop6MOkLy2L+J1cvFoTlGlWVp7dBhR82vkLnfOOim:jopEkO2m6vFoTEUi2vk1i

  Score

  10^/10

  hawkeyeagilenetcollectionkeyloggerpersistencespywarestealertrojan

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Nirsoft

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2