Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 09:09
Static task
static1
Behavioral task
behavioral1
Sample
6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe
-
Size
900KB
-
MD5
6dff832f07ea61ef0fa90d148cf09509
-
SHA1
6831f7896e97c992593474731cbfa6fb1a45e698
-
SHA256
314aec84e8bc95e59b62e69580e6f0525a53e0914c50c89da8f81cc84f93cf42
-
SHA512
7cf036e2238e280da5f2b2d3134f80ddd10cc90fdbba7115bed4dcd038cf61026db81757c3ba968cec0378334cada10ea7ae673be6d9bbb875c78798f6ed9047
-
SSDEEP
24576:KKOQZ1K7cdUIV4+M3EaRfUP6KbHkLYzCcpYsK5LExBMS:KKOQG7cVM3r1iHFzCMYskIw
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule behavioral2/memory/3704-22-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/3704-25-0x0000000005130000-0x00000000051A6000-memory.dmp MailPassView behavioral2/memory/3228-37-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/3228-38-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/3228-39-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/3704-25-0x0000000005130000-0x00000000051A6000-memory.dmp WebBrowserPassView behavioral2/memory/2332-28-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/2332-29-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/2332-35-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView -
Nirsoft 7 IoCs
resource yara_rule behavioral2/memory/3704-25-0x0000000005130000-0x00000000051A6000-memory.dmp Nirsoft behavioral2/memory/2332-28-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/2332-29-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/2332-35-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/3228-37-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/3228-38-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/3228-39-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 3112 app.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Local\\app.exe -boot" app.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 3112 set thread context of 3704 3112 app.exe 105 PID 3704 set thread context of 2332 3704 RegAsm.exe 114 PID 3704 set thread context of 3228 3704 RegAsm.exe 115 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2332 vbc.exe 2332 vbc.exe 2332 vbc.exe 2332 vbc.exe 2332 vbc.exe 2332 vbc.exe 2332 vbc.exe 2332 vbc.exe 2332 vbc.exe 2332 vbc.exe 2332 vbc.exe 2332 vbc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4508 6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe Token: SeDebugPrivilege 3112 app.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 4508 wrote to memory of 3776 4508 6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe 96 PID 4508 wrote to memory of 3776 4508 6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe 96 PID 4508 wrote to memory of 3776 4508 6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe 96 PID 4508 wrote to memory of 1508 4508 6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe 101 PID 4508 wrote to memory of 1508 4508 6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe 101 PID 4508 wrote to memory of 1508 4508 6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe 101 PID 1508 wrote to memory of 3112 1508 cmd.exe 103 PID 1508 wrote to memory of 3112 1508 cmd.exe 103 PID 1508 wrote to memory of 3112 1508 cmd.exe 103 PID 3112 wrote to memory of 3704 3112 app.exe 105 PID 3112 wrote to memory of 3704 3112 app.exe 105 PID 3112 wrote to memory of 3704 3112 app.exe 105 PID 3112 wrote to memory of 3704 3112 app.exe 105 PID 3112 wrote to memory of 3704 3112 app.exe 105 PID 3112 wrote to memory of 3704 3112 app.exe 105 PID 3112 wrote to memory of 3704 3112 app.exe 105 PID 3112 wrote to memory of 3704 3112 app.exe 105 PID 3704 wrote to memory of 2332 3704 RegAsm.exe 114 PID 3704 wrote to memory of 2332 3704 RegAsm.exe 114 PID 3704 wrote to memory of 2332 3704 RegAsm.exe 114 PID 3704 wrote to memory of 2332 3704 RegAsm.exe 114 PID 3704 wrote to memory of 2332 3704 RegAsm.exe 114 PID 3704 wrote to memory of 2332 3704 RegAsm.exe 114 PID 3704 wrote to memory of 2332 3704 RegAsm.exe 114 PID 3704 wrote to memory of 2332 3704 RegAsm.exe 114 PID 3704 wrote to memory of 2332 3704 RegAsm.exe 114 PID 3704 wrote to memory of 3228 3704 RegAsm.exe 115 PID 3704 wrote to memory of 3228 3704 RegAsm.exe 115 PID 3704 wrote to memory of 3228 3704 RegAsm.exe 115 PID 3704 wrote to memory of 3228 3704 RegAsm.exe 115 PID 3704 wrote to memory of 3228 3704 RegAsm.exe 115 PID 3704 wrote to memory of 3228 3704 RegAsm.exe 115 PID 3704 wrote to memory of 3228 3704 RegAsm.exe 115 PID 3704 wrote to memory of 3228 3704 RegAsm.exe 115 PID 3704 wrote to memory of 3228 3704 RegAsm.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\app.exe"2⤵PID:3776
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\app.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Users\Admin\AppData\Local\app.exe"C:\Users\Admin\AppData\Local\app.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF7C9.tmp"5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2332
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFBE0.tmp"5⤵
- Accesses Microsoft Outlook accounts
PID:3228
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD518b6368b183e546a35847ae24b4b2913
SHA1040545f7ac2c987d2a79b5e7f1cf9ab83bd25923
SHA25654c101b6b1241b6a0574a66e5a5b9bddc6c60a4daf7338dba6fe3f65b27382af
SHA51268ba8734016705cd12bf9d7ce41d5c823b2ec6ce9ee1ee7e9da9efcd9c88ef1f1b18148d91ad6a271c7a88d4ca098a99198ca709fcf217f9b1fa18f74c48d698
-
Filesize
900KB
MD56dff832f07ea61ef0fa90d148cf09509
SHA16831f7896e97c992593474731cbfa6fb1a45e698
SHA256314aec84e8bc95e59b62e69580e6f0525a53e0914c50c89da8f81cc84f93cf42
SHA5127cf036e2238e280da5f2b2d3134f80ddd10cc90fdbba7115bed4dcd038cf61026db81757c3ba968cec0378334cada10ea7ae673be6d9bbb875c78798f6ed9047