Analysis
-
max time kernel
135s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
27-05-2024 13:33
Static task
static1
Behavioral task
behavioral1
Sample
794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
-
Size
804KB
-
MD5
794572b7847795cca2d50681b80552a2
-
SHA1
98efe39680402d00bdf35f0e5d8e0a2aee89a940
-
SHA256
8f9d2e33c94bbc8fe8b0fcab9053188b913b2c933aa705da4cc531c849413b4b
-
SHA512
7282f2f91a4ea85efc52e57716de52c5c1891cbd2fe17ede01f3d38105947a642130fe2b8dc675b36850e632535c3ea923bc17925faba7a4ce37908fafed603d
-
SSDEEP
12288:mV0sGl6QsJCP6RaO+Y0/fRXJScFzg2hOkKIgQjXJjlP:maPoQI+6RaOsDrFg24ydZRP
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Processes:
resource yara_rule behavioral1/memory/1148-23-0x0000000004600000-0x0000000004690000-memory.dmp m00nd3v_logger behavioral1/memory/2724-27-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2724-26-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2724-34-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2724-32-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2724-30-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/2416-65-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral1/memory/2416-64-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral1/memory/2416-67-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/2920-48-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral1/memory/2920-49-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral1/memory/2920-51-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView -
Nirsoft 6 IoCs
Processes:
resource yara_rule behavioral1/memory/2920-48-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral1/memory/2920-49-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral1/memory/2920-51-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral1/memory/2416-65-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral1/memory/2416-64-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral1/memory/2416-67-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft -
Drops startup file 1 IoCs
Processes:
794572b7847795cca2d50681b80552a2_JaffaCakes118.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rydjydtku.url 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
794572b7847795cca2d50681b80552a2_JaffaCakes118.exeRegAsm.exedescription pid process target process PID 1148 set thread context of 2724 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe RegAsm.exe PID 2724 set thread context of 2920 2724 RegAsm.exe vbc.exe PID 2724 set thread context of 2416 2724 RegAsm.exe vbc.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
794572b7847795cca2d50681b80552a2_JaffaCakes118.exevbc.exeRegAsm.exepid process 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe 2920 vbc.exe 2920 vbc.exe 2920 vbc.exe 2920 vbc.exe 2920 vbc.exe 2724 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
794572b7847795cca2d50681b80552a2_JaffaCakes118.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe Token: SeDebugPrivilege 2724 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
RegAsm.exepid process 2724 RegAsm.exe -
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
794572b7847795cca2d50681b80552a2_JaffaCakes118.execsc.exeRegAsm.exedescription pid process target process PID 1148 wrote to memory of 1324 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe csc.exe PID 1148 wrote to memory of 1324 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe csc.exe PID 1148 wrote to memory of 1324 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe csc.exe PID 1148 wrote to memory of 1324 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe csc.exe PID 1324 wrote to memory of 2548 1324 csc.exe cvtres.exe PID 1324 wrote to memory of 2548 1324 csc.exe cvtres.exe PID 1324 wrote to memory of 2548 1324 csc.exe cvtres.exe PID 1324 wrote to memory of 2548 1324 csc.exe cvtres.exe PID 1148 wrote to memory of 2724 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe RegAsm.exe PID 1148 wrote to memory of 2724 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe RegAsm.exe PID 1148 wrote to memory of 2724 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe RegAsm.exe PID 1148 wrote to memory of 2724 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe RegAsm.exe PID 1148 wrote to memory of 2724 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe RegAsm.exe PID 1148 wrote to memory of 2724 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe RegAsm.exe PID 1148 wrote to memory of 2724 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe RegAsm.exe PID 1148 wrote to memory of 2724 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe RegAsm.exe PID 1148 wrote to memory of 2724 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe RegAsm.exe PID 1148 wrote to memory of 2724 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe RegAsm.exe PID 1148 wrote to memory of 2724 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe RegAsm.exe PID 1148 wrote to memory of 2724 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe RegAsm.exe PID 2724 wrote to memory of 2920 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2920 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2920 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2920 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2920 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2920 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2920 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2920 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2920 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2920 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2416 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2416 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2416 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2416 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2416 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2416 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2416 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2416 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2416 2724 RegAsm.exe vbc.exe PID 2724 wrote to memory of 2416 2724 RegAsm.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\794572b7847795cca2d50681b80552a2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\794572b7847795cca2d50681b80552a2_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dqoikkp5\dqoikkp5.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10F2.tmp" "c:\Users\Admin\AppData\Local\Temp\dqoikkp5\CSCDF23BECC227A461DB8EC8F66A98396D.TMP"3⤵PID:2548
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3B4C.tmp"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2920 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2CEB.tmp"3⤵
- Accesses Microsoft Outlook accounts
PID:2416
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD538adbf16ef066a4803d80f90e94dd698
SHA12974cf44cd5dda60946a9c75fd492d5a92a91b15
SHA256087dafee329c8686d9d8fdb521ca06f011a3eee3cc74b953338a934952c28e4e
SHA512ea58c6f8b19f7fea08d690293a7b5accf23b1537a72a84f3cfc62b5a48dc53fbf4f60b3d8ec398bfb948aec29008ce064ea927850f5d7963afb79c7a8d8e66f8
-
Filesize
6KB
MD53c95e528d3cc1b39b392fc18f0ee54b6
SHA1a9e49c83276a8299a52621fe04ed5bf6fd8c635e
SHA2565ec4ca4e51e460ba8dc865bac4f252e39fca839fd0fe329087d7ab63ac158251
SHA5127e7705a516fb16fabb079822b04709093774fa0b6b6011da4d51b07bb7a033705e24fc8f59d73403bd5958831368d180d9f796553910bb305d055434be5b78ee
-
Filesize
15KB
MD56ba8887149ebf307730cd783e5287736
SHA1e02d5a81e15cb1196fe8d1719028e07763e1317a
SHA25600948dc1467fd6bcab2b7b37f4107bc747b120f33ec0686d64446c0c0faafd98
SHA51219c64e9ef3fa54c85c3313e4b8334eaf61cc2869e28328d15748267670e312c3d0924b03fe59282c73bbbc81a956e4ad29cea592b17426e7f2e2509ae51ffe86
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
1KB
MD55d5aac222cc26d7195a47bbecef068eb
SHA1ac3289e782b32db3d12dae69349283198789d01a
SHA256c2f334d40b5be3a2e3f87632fd928bf610c12af77399dc33c655b921886d8d68
SHA51248b719d988160bd23109a5d153bd973b78210ab2942a6e42149d848218ab24ea0c3ade102615426df8669c53f00b8dd9cb24c7451691630ea82fea9a0e7481a9
-
Filesize
2KB
MD54d9fe73afe0fa2bcb6c17e81676ab87e
SHA1098cb8aaef8c6fe2ca91e697dd510dc7af73f13a
SHA2565a6e61d92bbc56a411666a1bfd88bfa18718f57f1c46034b73d47c68b8bbe0c7
SHA51268113fb819029c47aba607782ab87c413ea109c25d9009c665f069ad3826c6f014f0ec58a10f5de57a9ac129be03402ea932ddb28e0d52589112d666e52fa93b
-
Filesize
312B
MD58b19409cbd49d2526013510973786ff4
SHA1458e33998d2cdd91bfd579468b9b49ff28dcef3b
SHA25681602c98184d6326005152a438f61771023cc71865ac1d44c529d7dcc50b12fa
SHA5127ff06d692ba278074689c3fef46116d436402be56f60890f1ffbe3dcd558409af619b584a00c64c8d34ac27cc5fa8e3f73e1527047871033d52b7b463445d20d