Analysis
- max time kernel: 134s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 14:25
Static task: static1
Behavioral task: behavioral1
- Sample: 6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe
- Size: 950KB
- MD5: 6b3c742e228a064940d52592717aebc1
- SHA1: 1a2345fa154fbf19ae904e0b8975718395269ef4
- SHA256: 1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2
- SHA512: f9c98aac9e39800d4549d02893c0a7bb1c5ec3401135510a394433b6a86b6c0d108e96ef5f90467de7fd3535e20070cd02847fb614fe8d4fbffcafbe81605859
- SSDEEP: 24576:HiwvvbVMYcbbU5I6jABiRDK90Ss+wxjKi6p2egE:HlvX2MjAERG90SqbvX
Malware Config
Extracted: hawkeye_reborn
- Version: 9.0.1.6
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: [email protected]
- Password: !2VfMCUhkGSDv
- Mutex: 5d7b1eb2-7d5b-4e7f-a61d-d1c3611476d0
- fields:
  - _AntiDebugger: false
  - _AntiVirusKiller: false
  - _BotKiller: false
  - _ClipboardLogger: true
  - _Delivery: 0
  - _DisableCommandPrompt: false
  - _DisableRegEdit: false
  - _DisableTaskManager: false
  - _Disablers: false
  - _EmailPassword: !2VfMCUhkGSDv
  - _EmailPort: 587
  - _EmailSSL: true
  - _EmailServer: mail.privateemail.com
  - _EmailUsername: [email protected]
  - _ExecutionDelay: 10
  - _FTPPort: 0
  - _FTPSFTP: false
  - _FakeMessageIcon: 0
  - _FakeMessageShow: false
  - _FileBinder: false
  - _HideFile: false
  - _HistoryCleaner: false
  - _Install: false
  - _InstallLocation: 0
  - _InstallStartup: false
  - _InstallStartupPersistance: false
  - _KeyStrokeLogger: true
  - _LogInterval: 10
  - _MeltFile: false
  - _Mutex: 5d7b1eb2-7d5b-4e7f-a61d-d1c3611476d0
  - _PasswordStealer: true
  - _ProcessElevation: false
  - _ProcessProtection: false
  - _ScreenshotLogger: false
  - _SystemInfo: false
  - _Version: 9.0.1.6
  - _WebCamLogger: false
  - _WebsiteBlocker: false
  - _WebsiteVisitor: false
  - _WebsiteVisitorVisible: false
  - _ZoneID: false
- name: HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  resource / yara_rule:
  - behavioral2/memory/2568-10-0x0000000000400000-0x0000000000490000-memory.dmp / m00nd3v_logger
- NirSoft MailPassView (4 IoCs)
  Password recovery tool for various email clients
  resource / yara_rule:
  - behavioral2/memory/4088-28-0x0000000000400000-0x000000000041C000-memory.dmp / MailPassView
  - behavioral2/memory/4088-30-0x0000000000400000-0x000000000041C000-memory.dmp / MailPassView
  - behavioral2/memory/4088-31-0x0000000000400000-0x000000000041C000-memory.dmp / MailPassView
  - behavioral2/memory/4088-34-0x0000000000400000-0x000000000041C000-memory.dmp / MailPassView
- NirSoft WebBrowserPassView (4 IoCs)
  Password recovery tool for various web browsers
  resource / yara_rule:
  - behavioral2/memory/5040-17-0x0000000000400000-0x000000000045B000-memory.dmp / WebBrowserPassView
  - behavioral2/memory/5040-19-0x0000000000400000-0x000000000045B000-memory.dmp / WebBrowserPassView
  - behavioral2/memory/5040-20-0x0000000000400000-0x000000000045B000-memory.dmp / WebBrowserPassView
  - behavioral2/memory/5040-26-0x0000000000400000-0x000000000045B000-memory.dmp / WebBrowserPassView
- Nirsoft (8 IoCs)
  resource / yara_rule:
  - behavioral2/memory/5040-17-0x0000000000400000-0x000000000045B000-memory.dmp / Nirsoft
  - behavioral2/memory/5040-19-0x0000000000400000-0x000000000045B000-memory.dmp / Nirsoft
  - behavioral2/memory/5040-20-0x0000000000400000-0x000000000045B000-memory.dmp / Nirsoft
  - behavioral2/memory/5040-26-0x0000000000400000-0x000000000045B000-memory.dmp / Nirsoft
  - behavioral2/memory/4088-28-0x0000000000400000-0x000000000041C000-memory.dmp / Nirsoft
  - behavioral2/memory/4088-30-0x0000000000400000-0x000000000041C000-memory.dmp / Nirsoft
  - behavioral2/memory/4088-31-0x0000000000400000-0x000000000041C000-memory.dmp / Nirsoft
  - behavioral2/memory/4088-34-0x0000000000400000-0x000000000041C000-memory.dmp / Nirsoft
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
  - Key value queried / \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation / 6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe
- Uses the VBS compiler for execution (1 TTP)
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  description / ioc / Process:
  - Key opened / \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts / vbc.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - 60 / bot.whatismyipaddress.com
- Suspicious use of SetThreadContext (3 IoCs)
  description / pid / Process / procid_target:
  - PID 2736 set thread context of 2568 / 2736 / 6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe / 100
  - PID 2568 set thread context of 5040 / 2568 / 6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe / 102
  - PID 2568 set thread context of 4088 / 2568 / 6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe / 103
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  - 1364 / schtasks.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid / Process:
  - 5040 / vbc.exe (12 entries)
  - 2568 / 6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / Process:
  - Token: SeDebugPrivilege / 2568 / 6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process:
  - 2568 / 6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  description / pid / Process / procid_target:
  - PID 2736 wrote to memory of 1364 / 2736 / 6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe / 98 (3 entries)
  - PID 2736 wrote to memory of 2568 / 2736 / 6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe / 100 (8 entries)
  - PID 2568 wrote to memory of 5040 / 2568 / 6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe / 102 (9 entries)
  - PID 2568 wrote to memory of 4088 / 2568 / 6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe / 103 (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe (PID 2736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1364)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\btZrhY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1836.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe (PID 2568)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 5040)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4263.tmp"
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4088)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp466B.tmp"
      - Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\6b3c742e228a064940d52592717aebc1_JaffaCakes118.exe.log
  - Filesize: 500B
  - MD5: f3bfbe5958adfc86cc0ea0a8317ea113
  - SHA1: 3bf76848af2edafcacee5f9fb6a06b35a6724015
  - SHA256: 598715cafd950c881e4fe318430b5830e95781f2093baa22f124cfad03320874
  - SHA512: 873fb9861d615ec3298ccba8231ea3f2a22f2050fe68fea1a6948987942c04f6b40f0b92d5e59f6971cdb429b67877ac2e3cfc953949a0140e03c6cdb8a1139d
- (unnamed file)
  - Filesize: 1KB
  - MD5: 65db31b9b00bec4652e8f497bc21ebff
  - SHA1: 4a0bd7e467a470972c69364d2f1803e43da9ab58
  - SHA256: 1faca2ff298e41460e02df7071c85f82dc428591a80aa85d02c4c69fef8d663d
  - SHA512: 3a543e249d3461e30e2407a855c605e4f781d919cececc05235ffdc2f44f7d8b7a06d452f916df2ed2eba42e695d76edb7e48cca220aee03976ff42dcfab83e4
- (unnamed file)
  - Filesize: 4KB
  - MD5: 365f45018b7bcc98591979d6c4b23752
  - SHA1: 073aff125450845105f5daa7d0e7cc24ee8bbca5
  - SHA256: 27be905cdbf87c23851d00d61afd5fcfe5c72b1de227ac7d8c0dc5c7583c9a6e
  - SHA512: 4bd0d2266c624b9ad40e9ba6cb4d63debd12f46f5c27afae3bfc20e3e7f5e9f9c88f83151166324223c5889034a4d70652cf747f6943af011191c64c28e18703