Analysis
max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 22:08
Static task: static1
Behavioral task: behavioral1
  Sample: 8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
Size: 840KB
MD5: 8512059f4dbd6dae13068ab29d5624fd
SHA1: 34b93471fd0337bcb6009f8f6579c632bb108bc5
SHA256: 8b53a2b8c804e804fa38afd4a125d56531aaef531b3f6ed49dfede9707114212
SHA512: e8a31a508fb438d9a780aa4fabdef91351a3d0ec1ef435d1ca28cceda9fca4a2e21fb70d0a025d5fa6d2d003c5f8d11e63d19810aa9f7439be5ab015afd3201e
SSDEEP: 24576:Wm0FAM1fguBqMpHK+J7FfIcCvuKz+ydlF:e1IepvTIcCvu8B
Malware Config
Extracted: hawkeye_reborn
fields: name (no values listed)
Signatures
All memory and process indicators below come from behavioral2 (win10v2004-20240426-en); behavioral1 (win7) contributed no rows to this page.

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
yara_rule m00nd3v_logger matched:
  behavioral2/memory/4064-25-0x0000000005BD0000-0x0000000005C60000-memory.dmp
  behavioral2/memory/3736-27-0x0000000000400000-0x0000000000490000-memory.dmp

NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients.
yara_rule MailPassView matched, all in PID 684 at 0x00400000-0x0041C000 (the main image range of a vbc.exe that no longer contains vbc):
  behavioral2/memory/684-45-0x0000000000400000-0x000000000041C000-memory.dmp
  behavioral2/memory/684-46-0x0000000000400000-0x000000000041C000-memory.dmp
  behavioral2/memory/684-48-0x0000000000400000-0x000000000041C000-memory.dmp

NirSoft WebBrowserPassView (4 IoCs)
Password recovery tool for various web browsers.
yara_rule WebBrowserPassView matched, all in PID 3324 at 0x00400000-0x0045B000:
  behavioral2/memory/3324-34-0x0000000000400000-0x000000000045B000-memory.dmp
  behavioral2/memory/3324-36-0x0000000000400000-0x000000000045B000-memory.dmp
  behavioral2/memory/3324-37-0x0000000000400000-0x000000000045B000-memory.dmp
  behavioral2/memory/3324-43-0x0000000000400000-0x000000000045B000-memory.dmp

Nirsoft (7 IoCs)
yara_rule Nirsoft (the generic NirSoft rule) matched the same seven dumps listed under the two entries above: PID 3324 dumps 34, 36, 37 and 43, and PID 684 dumps 45, 46 and 48.

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TNBzPu.url
  Process: 8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe (PID 4064 in the process tree)

Uses the VBS compiler for execution (1 TTP)
  No IoC rows are listed; the two vbc.exe children of RegAsm.exe in the process tree are the instances.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  Process: vbc.exe (PID 684 in the process tree)

Suspicious use of SetThreadContext (3 IoCs)
  PID 4064 (8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe) set thread context of PID 3736 (target index 86)
  PID 3736 (RegAsm.exe) set thread context of PID 3324 (target index 94)
  PID 3736 (RegAsm.exe) set thread context of PID 684 (target index 95)
  The three targets are exactly the processes that receive the largest WriteProcessMemory counts below (8, 9 and 9 writes): write payload into a suspended child, then redirect its thread with SetThreadContext, which is the process-hollowing sequence.

Suspicious behavior: EnumeratesProcesses (20 IoCs)
  PID 4064 8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe: 6
  PID 3324 vbc.exe: 12
  PID 3736 RegAsm.exe: 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4064 8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 3736 RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3736 RegAsm.exe

Suspicious use of WriteProcessMemory (38 IoCs)
  source -> target (target index): number of writes
  PID 4064 8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe -> PID 3260 (81): 3
  PID 3260 csc.exe -> PID 4504 (83): 3
  PID 4064 8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe -> PID 2788 (84): 3
  PID 4064 8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe -> PID 3656 (85): 3
  PID 4064 8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe -> PID 3736 (86): 8
  PID 3736 RegAsm.exe -> PID 3324 (94): 9
  PID 3736 RegAsm.exe -> PID 684 (95): 9
  The three-write groups (csc.exe, cvtres.exe and the two RegAsm.exe instances that carry no other signatures) are ordinary child-process start-up writes; only the targets that also appear under SetThreadContext were hollowed.
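To make the injection pattern mechanical rather than eyeballed, the following added example (not part of the sandbox report) parses the SetThreadContext and WriteProcessMemory rows above and recovers the hollowing chain. The input rows are constructed from the table in the report (the repeated WriteProcessMemory rows are reproduced with their counts), the PID-to-image map is taken from the Processes section, and the rule "written into and thread context reset" as the hollowing criterion is this example's own heuristic.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the SetThreadContext and WriteProcessMemory rows from the
# report above, one event per line in the sandbox's row format
# "PID <src> <action> <dst> <src> <src image> <target index>". The repeated
# WriteProcessMemory rows are reproduced with their counts (38 in total).
SAMPLE = "8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe"
REPORT_ROWS = "\n".join(
    [f"PID 4064 set thread context of 3736 4064 {SAMPLE} 86",
     "PID 3736 set thread context of 3324 3736 RegAsm.exe 94",
     "PID 3736 set thread context of 684 3736 RegAsm.exe 95"]
    + [f"PID 4064 wrote to memory of 3260 4064 {SAMPLE} 81"] * 3
    + ["PID 3260 wrote to memory of 4504 3260 csc.exe 83"] * 3
    + [f"PID 4064 wrote to memory of 2788 4064 {SAMPLE} 84"] * 3
    + [f"PID 4064 wrote to memory of 3656 4064 {SAMPLE} 85"] * 3
    + [f"PID 4064 wrote to memory of 3736 4064 {SAMPLE} 86"] * 8
    + ["PID 3736 wrote to memory of 3324 3736 RegAsm.exe 94"] * 9
    + ["PID 3736 wrote to memory of 684 3736 RegAsm.exe 95"] * 9
)

# PID -> image name, taken from the Processes section of the report.
PROCESS_IMAGES = {
    4064: SAMPLE, 3260: "csc.exe", 4504: "cvtres.exe",
    2788: "RegAsm.exe", 3656: "RegAsm.exe", 3736: "RegAsm.exe",
    3324: "vbc.exe", 684: "vbc.exe",
}

ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_idx>\d+)$"
)


def parse_rows(text):
    """Return (WriteProcessMemory count per (src, dst), set of SetThreadContext pairs)."""
    writes, ctx = Counter(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        pair = (int(m["src"]), int(m["dst"]))
        if m["action"] == "wrote to memory of":
            writes[pair] += 1
        else:
            ctx.add(pair)
    return writes, ctx


def hollowing_pairs(writes, ctx):
    """Pairs where the parent both wrote into the child and reset its thread
    context: the write-payload-then-SetThreadContext sequence of process
    hollowing. Writes alone (csc.exe, cvtres.exe, the two idle RegAsm.exe)
    are ordinary CreateProcess start-up noise and are not flagged."""
    return sorted(pair for pair in ctx if writes.get(pair, 0) > 0)


def injection_chains(pairs, root):
    """Follow hollowing edges from the root PID down to the leaf processes."""
    children = defaultdict(list)
    for src, dst in pairs:
        children[src].append(dst)
    chains = []

    def walk(pid, path):
        if not children.get(pid):
            chains.append(path)
            return
        for child in children[pid]:
            walk(child, path + [child])

    walk(root, [root])
    return chains


def describe(chain, images=PROCESS_IMAGES):
    return " -> ".join(f"{images.get(pid, '?')}({pid})" for pid in chain)


if __name__ == "__main__":
    writes, ctx = parse_rows(REPORT_ROWS)
    for chain in injection_chains(hollowing_pairs(writes, ctx), 4064):
        print(describe(chain))
```

Run stand-alone it prints the two chains sample -> RegAsm.exe(3736) -> vbc.exe(684) and sample -> RegAsm.exe(3736) -> vbc.exe(3324); the csc.exe and idle RegAsm.exe targets drop out because they were only written to, never had their thread context changed.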
Processes
C:\Users\Admin\AppData\Local\Temp\8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe (PID 4064)
  command line: "C:\Users\Admin\AppData\Local\Temp\8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 3260)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ipcsvncg\ipcsvncg.cmdline"
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 4504)
          command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33A3.tmp" "c:\Users\Admin\AppData\Local\Temp\ipcsvncg\CSC4B0B67CD131D41578D276E628C29B16D.TMP"
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 2788)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 3656)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 3736)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3324)
          command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5DA1.tmp"
          - Suspicious behavior: EnumeratesProcesses
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 684)
          command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp61B8.tmp"
          - Accesses Microsoft Outlook accounts

Three things in this tree are worth reading as a unit. csc.exe /noconfig /fullpaths @<Temp>\<random>\<random>.cmdline followed by cvtres.exe is the .NET CodeDOM compile-at-runtime pattern: the sample compiles a helper assembly on the victim instead of shipping it. RegAsm.exe launched with no assembly path does nothing legitimate; the three copies are suspended hosts, and only PID 3736 (the one that received SetThreadContext) went on to act. Finally, /stext is not a Visual Basic compiler switch; it is the NirSoft command-line option that writes recovered credentials to a text file, which matches the MailPassView and WebBrowserPassView code found in the memory of the two vbc.exe processes.
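The process tree above maps directly onto host-side detection. The following added example (this editor's code, not output from the sandbox or from any detection product) runs four rules over constructed Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) events that mirror the tree: RegAsm.exe with no arguments, vbc.exe carrying the NirSoft /stext switch, csc.exe compiling a .cmdline from %TEMP% under a non-developer parent, and a .url written to the Startup folder. The field names follow Sysmon's, the sample's own parent is not recorded on the page and is left unset, the DEV_PARENTS allowlist is an assumption to tune per environment, and the final msbuild.exe event is a constructed benign control.

```python
import re
from pathlib import PureWindowsPath

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe"
NET2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
NET4 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Parents from which csc.exe launches are expected. Assumption for this
# example; tune it to the build tooling actually present in the estate.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe",
               "cmd.exe", "powershell.exe"}


def proc(pid, parent, image, args=""):
    """Constructed Sysmon-style process-creation event (EventID 1)."""
    return {"EventID": 1, "ProcessId": pid, "ParentImage": parent,
            "Image": image, "CommandLine": f'"{image}" {args}'.rstrip()}


# Constructed events mirroring the process tree above; the last one is a
# benign control (a build tool registering a real assembly) that must not fire.
EVENTS = [
    proc(4064, None, SAMPLE),
    proc(3260, SAMPLE, NET4 + r"\csc.exe",
         r'/noconfig /fullpaths @"' + TMP + r'\ipcsvncg\ipcsvncg.cmdline"'),
    proc(2788, SAMPLE, NET2 + r"\RegAsm.exe"),
    proc(3656, SAMPLE, NET2 + r"\RegAsm.exe"),
    proc(3736, SAMPLE, NET2 + r"\RegAsm.exe"),
    proc(3324, NET2 + r"\RegAsm.exe", NET2 + r"\vbc.exe",
         r'/stext "' + TMP + r'\tmp5DA1.tmp"'),
    proc(684, NET2 + r"\RegAsm.exe", NET2 + r"\vbc.exe",
         r'/stext "' + TMP + r'\tmp61B8.tmp"'),
    {"EventID": 11, "ProcessId": 4064, "Image": SAMPLE,
     "TargetFilename": STARTUP + r"\TNBzPu.url"},
    proc(9001, r"C:\Program Files\MSBuild\msbuild.exe", NET4 + r"\RegAsm.exe",
         r"/codebase C:\build\MyLib.dll"),
]


def image_name(path):
    return PureWindowsPath(path).name.lower() if path else ""


def args_after_image(cmdline):
    """Everything after the (possibly quoted) image token."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""


def rule_regasm_no_args(ev):
    # Real registration always passes an assembly path; an argument-less
    # RegAsm.exe exists only to be hollowed.
    if ev["EventID"] != 1 or image_name(ev["Image"]) != "regasm.exe":
        return None
    return None if args_after_image(ev["CommandLine"]) else "regasm_no_arguments"


def rule_vbc_stext(ev):
    # /stext is the NirSoft save-to-text switch, not a vbc.exe option.
    if ev["EventID"] != 1 or image_name(ev["Image"]) != "vbc.exe":
        return None
    return "vbc_nirsoft_stext" if "/stext" in ev["CommandLine"].lower() else None


def rule_runtime_csc(ev):
    # CodeDOM compile of a temp .cmdline is normal for dev tools, not for an
    # executable running out of the user's Temp directory.
    if ev["EventID"] != 1 or image_name(ev["Image"]) != "csc.exe":
        return None
    cl = ev["CommandLine"].lower()
    if "\\appdata\\local\\temp\\" in cl and ".cmdline" in cl \
            and image_name(ev.get("ParentImage")) not in DEV_PARENTS:
        return "csc_temp_cmdline_from_non_dev_parent"
    return None


def rule_startup_url(ev):
    if ev["EventID"] != 11:
        return None
    target = ev["TargetFilename"].lower()
    if "\\start menu\\programs\\startup\\" in target and target.endswith(".url"):
        return "startup_folder_url_drop"
    return None


RULES = [rule_regasm_no_args, rule_vbc_stext, rule_runtime_csc, rule_startup_url]


def run_rules(events):
    """Return [(ProcessId, alert_name)] for every rule that fires."""
    return [(ev["ProcessId"], alert) for ev in events
            for alert in (rule(ev) for rule in RULES) if alert]


if __name__ == "__main__":
    for pid, alert in run_rules(EVENTS):
        print(pid, alert)
```

On the constructed events the rules fire seven times (three argument-less RegAsm.exe launches, two vbc.exe /stext launches, the temp-directory csc.exe compile and the Startup .url drop) and stay silent on the msbuild.exe control. The RegAsm and vbc rules are cheap because they key on command lines that have no legitimate form; the csc rule is the one that needs an environment-specific allowlist.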
Network
(no entries listed)
MITRE ATT&CK Enterprise v15
(no technique mappings listed)
Downloads
Seven files are listed by size and hash only; no filenames or paths are given on this page.

Filesize: 1KB
MD5: 2340a80fb5b6e321e60896b6c8d2d8e7
SHA1: 4ce4ad19f5eda6a0ce3515c3399617b2e14ec591
SHA256: 7a0adb65281f51fd82ee5a609970c4c118e5465824378c5fed138b30f9387ff3
SHA512: 83d378295d76932e3a3ede2f88379520585b56a53ff37a4d5a8bfcb1301fe115491c7ee9638094cc812fee9f3a07ae207cad217eb4f4b9c9c05f8e923dbacb6d

Filesize: 10KB
MD5: ac89f3407bfe587e2a2e2663ef61aeae
SHA1: fc9b2a1752b92597bd969827a1b9c4fe05b18b9e
SHA256: acad1f93841746c6101e63735ce88531a37dfc0c45cc29ec07ea35dcfc3a22a8
SHA512: d38339175d3605cf1aa0c1cd47f34ed7bd759bc1ebbd57a137997ec0fe3cd5bb88fd7d842263bed0ec47a881adaf9511af2772adca4e08d8ecf7408160b11813

Filesize: 27KB
MD5: 58c7ea6702b6d26661390dac3cdb88fc
SHA1: 35112fa8e796138ead5effdbd263523fc910d15c
SHA256: 5b0c04c928a49d99c16c4e682249d4c1b6f2c77b05740257f41caa3d93b87c84
SHA512: 48683e7f594b505ce9872cb85a043ec18fe48989b539c9578c62b59630e4b6e4576612b6c221862ef0a145a1ede78f605aa4334f6eb1761ac9f8340e7126af41

Filesize: 4KB
MD5: 788d7419b32411807cc6753cbbccecbe
SHA1: 761b99a1e5bc168f525181d78cff3f6ed82daa14
SHA256: 76150e857b36f1f070422d2ad4df17f87454466348e4bfc158b028977378140b
SHA512: 3003f104b0b07870015ff4e9e0d254c2e537d4c68ef664a772d7018827b0ccbeb5481a2ce587b88e6ab1d71d6ce523a620c11c00c676857d5fd5ab949fa617b4

Filesize: 1KB
MD5: 3a923da0caed7b909981dd2cf5a0975b
SHA1: c4e4e4bc417ca7a19a44acd4ebac48bccf0d5e7b
SHA256: 4e74377735ba8e980630eb979b6f18459e2b568b5c1fe65f5345e869d6c8af2b
SHA512: 070abfb6a450afdfcd8916098c5a47ba87c59d8b739c71e9baa5add5b2a9eef31b415c4ec12bd0f021d030dfaaf8cc37c266ca19ec8aa7c03d4e3d17ddd9a300

Filesize: 15KB
MD5: 1e5b368788cb07f893eb1cc66b63523c
SHA1: 0a755a99d1fcc5a1edf9987886d24b22ed874258
SHA256: 527242363fd157202abe19490f40c98ad3429c9839057f7dd3ce6bd7e92a6040
SHA512: 20088339279c6260463ff8e7a7457ef25ef99e2314b1711942f46cc8626b7d2a23de3b21d9f827f2d826cdc4bd10a50634e6fa37f19798b53d9c915d3f1f7597

Filesize: 312B
MD5: 83d9d692639e98923edf68ed720c4644
SHA1: e378e4a6b6c1b2afef3a49b33a618ca9ea7eaaa9
SHA256: 47e21a86b9994025e068bf3ab60b986177ee788de2cc35d5ac39ead9469e8745
SHA512: 1d762dfbf01dca0204d3da8b5c700651c9d7a02c7056f13b22246238bf14308b308e9c733c47cee104e7f1f877b6e38a0ea90f6f3425a0903086fc2538b2a888