Analysis
- max time kernel: 135s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
- submitted: 31-05-2024 03:47

Static task
static1

Behavioral task
behavioral1
Sample: 85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
Resource: win7-20240508-en

Behavioral task
behavioral2
Sample: 85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
Resource: win10v2004-20240426-en

General
- Target: 85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
- Size: 780KB
- MD5: 85e41a65ff21c6d4d41df8e23bffa808
- SHA1: b22a88e0a71d7d6d248f403fb8ba989af1911fa2
- SHA256: 376b073f2248a13be1b834e616d9625cddf689b36258bf42143efded46ea67f6
- SHA512: 95c4b121b8146f7d970c848cc46880295c8b19fb5eb60158439cf52aeac0b9cb744052ffaac8df3d26272093ea2e3e39d357069f7ddb31e514fe25cf322e4652
- SSDEEP: 12288:ICG20qQOGFoJDQ+GqAFuFUld+gpH1OHMhrhBKu3fN:ICuqtioJDQ9qQuGX+gpH1OcBn
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  resource                                                                       yara_rule
  behavioral1/memory/2236-22-0x00000000051D0000-0x0000000005260000-memory.dmp  m00nd3v_logger
  behavioral1/memory/2868-33-0x0000000000400000-0x0000000000490000-memory.dmp  m00nd3v_logger
  behavioral1/memory/2868-31-0x0000000000400000-0x0000000000490000-memory.dmp  m00nd3v_logger
  behavioral1/memory/2868-29-0x0000000000400000-0x0000000000490000-memory.dmp  m00nd3v_logger
  behavioral1/memory/2868-26-0x0000000000400000-0x0000000000490000-memory.dmp  m00nd3v_logger
  behavioral1/memory/2868-25-0x0000000000400000-0x0000000000490000-memory.dmp  m00nd3v_logger
- NirSoft MailPassView (3 IoCs)
  Password recovery tool for various email clients
  resource                                                                       yara_rule
  behavioral1/memory/856-64-0x0000000000400000-0x000000000041C000-memory.dmp   MailPassView
  behavioral1/memory/856-65-0x0000000000400000-0x000000000041C000-memory.dmp   MailPassView
  behavioral1/memory/856-67-0x0000000000400000-0x000000000041C000-memory.dmp   MailPassView
- NirSoft WebBrowserPassView (3 IoCs)
  Password recovery tool for various web browsers
  resource                                                                       yara_rule
  behavioral1/memory/2940-47-0x0000000000400000-0x000000000045B000-memory.dmp  WebBrowserPassView
  behavioral1/memory/2940-48-0x0000000000400000-0x000000000045B000-memory.dmp  WebBrowserPassView
  behavioral1/memory/2940-51-0x0000000000400000-0x000000000045B000-memory.dmp  WebBrowserPassView
- Nirsoft (6 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/2940-47-0x0000000000400000-0x000000000045B000-memory.dmp  Nirsoft
  behavioral1/memory/2940-48-0x0000000000400000-0x000000000045B000-memory.dmp  Nirsoft
  behavioral1/memory/2940-51-0x0000000000400000-0x000000000045B000-memory.dmp  Nirsoft
  behavioral1/memory/856-64-0x0000000000400000-0x000000000041C000-memory.dmp   Nirsoft
  behavioral1/memory/856-65-0x0000000000400000-0x000000000041C000-memory.dmp   Nirsoft
  behavioral1/memory/856-67-0x0000000000400000-0x000000000041C000-memory.dmp   Nirsoft
- Uses the VBS compiler for execution (1 TTPs)
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description  ioc                                                                                                                         Process
  Key opened   \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                                              procid_target
  PID 2236 set thread context of 2868  2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  32
  PID 2868 set thread context of 2940  2868  RegAsm.exe                                           34
  PID 2868 set thread context of 856   2868  RegAsm.exe                                           37
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   Process
  2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
  2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
  2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
  2940  vbc.exe
  2940  vbc.exe
  2940  vbc.exe
  2940  vbc.exe
  2940  vbc.exe
  2868  RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
  Token: SeDebugPrivilege  2868  RegAsm.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2868  RegAsm.exe
- Suspicious use of WriteProcessMemory (47 IoCs)
  description                        pid   Process                                              procid_target
  PID 2236 wrote to memory of 1748   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  28
  PID 2236 wrote to memory of 1748   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  28
  PID 2236 wrote to memory of 1748   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  28
  PID 2236 wrote to memory of 1748   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  28
  PID 1748 wrote to memory of 3044   1748  csc.exe                                              30
  PID 1748 wrote to memory of 3044   1748  csc.exe                                              30
  PID 1748 wrote to memory of 3044   1748  csc.exe                                              30
  PID 1748 wrote to memory of 3044   1748  csc.exe                                              30
  PID 2236 wrote to memory of 2756   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  31
  PID 2236 wrote to memory of 2756   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  31
  PID 2236 wrote to memory of 2756   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  31
  PID 2236 wrote to memory of 2756   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  31
  PID 2236 wrote to memory of 2756   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  31
  PID 2236 wrote to memory of 2756   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  31
  PID 2236 wrote to memory of 2756   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  31
  PID 2236 wrote to memory of 2868   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  32
  PID 2236 wrote to memory of 2868   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  32
  PID 2236 wrote to memory of 2868   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  32
  PID 2236 wrote to memory of 2868   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  32
  PID 2236 wrote to memory of 2868   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  32
  PID 2236 wrote to memory of 2868   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  32
  PID 2236 wrote to memory of 2868   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  32
  PID 2236 wrote to memory of 2868   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  32
  PID 2236 wrote to memory of 2868   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  32
  PID 2236 wrote to memory of 2868   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  32
  PID 2236 wrote to memory of 2868   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  32
  PID 2236 wrote to memory of 2868   2236  85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe  32
  PID 2868 wrote to memory of 2940   2868  RegAsm.exe                                           34
  PID 2868 wrote to memory of 2940   2868  RegAsm.exe                                           34
  PID 2868 wrote to memory of 2940   2868  RegAsm.exe                                           34
  PID 2868 wrote to memory of 2940   2868  RegAsm.exe                                           34
  PID 2868 wrote to memory of 2940   2868  RegAsm.exe                                           34
  PID 2868 wrote to memory of 2940   2868  RegAsm.exe                                           34
  PID 2868 wrote to memory of 2940   2868  RegAsm.exe                                           34
  PID 2868 wrote to memory of 2940   2868  RegAsm.exe                                           34
  PID 2868 wrote to memory of 2940   2868  RegAsm.exe                                           34
  PID 2868 wrote to memory of 2940   2868  RegAsm.exe                                           34
  PID 2868 wrote to memory of 856    2868  RegAsm.exe                                           37
  PID 2868 wrote to memory of 856    2868  RegAsm.exe                                           37
  PID 2868 wrote to memory of 856    2868  RegAsm.exe                                           37
  PID 2868 wrote to memory of 856    2868  RegAsm.exe                                           37
  PID 2868 wrote to memory of 856    2868  RegAsm.exe                                           37
  PID 2868 wrote to memory of 856    2868  RegAsm.exe                                           37
  PID 2868 wrote to memory of 856    2868  RegAsm.exe                                           37
  PID 2868 wrote to memory of 856    2868  RegAsm.exe                                           37
  PID 2868 wrote to memory of 856    2868  RegAsm.exe                                           37
  PID 2868 wrote to memory of 856    2868  RegAsm.exe                                           37
Processes (tree, indented by depth)
- C:\Users\Admin\AppData\Local\Temp\85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ctk1tpi3\ctk1tpi3.cmdline"
    - Suspicious use of WriteProcessMemory
    PID:1748
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D20.tmp" "c:\Users\Admin\AppData\Local\Temp\ctk1tpi3\CSC9BDDA4FA227408DB14B4BE8241FE54C.TMP"
      PID:3044
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID:2756
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2868
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp"
      - Suspicious behavior: EnumeratesProcesses
      PID:2940
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp59A6.tmp"
      - Accesses Microsoft Outlook accounts
      PID:856
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 81519f9ae21c1b0e26b9554c0d53a48f
  SHA1: 8edf3d3ff0b302835623b39b7e879f0e4edba8dd
  SHA256: 2f2d6cf9d6949e1ed8bde03267e75fe635ea92b2b45cde164c376a35b83493e2
  SHA512: f3ec4a7f943d0babc60427acafefb4b2f89ca6cbe7dba78c054e817ecdc139ae8009c0426ff3711138f0cb347c98684cb7b5f0d79311cd4cc28fa24fe705598b
- Filesize: 8KB
  MD5: 2c53291329d662ce2acaee76e8fedb47
  SHA1: 78a40e2b37d2f6e2c0c141b637fce8d18cfc61a7
  SHA256: 65a36e27a3c92119ae49805b7392ae7e7385272c9dbe64e5a1f503e9e50ceabf
  SHA512: ad40d2437ffa996fff10df50954a41ff562954471b5a51113ec6af9dbf1ad4a3a40b78c5b6b454a28f5c0f180995e9b2039a9c84856a65e4e852e856bcb54a09
- Filesize: 21KB
  MD5: 417310d9aa7bd9f48e169c1cbf89ee1a
  SHA1: dc0072b6bbfff83ae5c8a26fd80233d3ccdf3b8f
  SHA256: 768bf8827b8c11f48993c0d447f7be00d98c49c0096cd2bcd6ba808df972171a
  SHA512: 0c4fa7e8ee2514401fa01c9f2c1c493b0528758c28f6f59937c8136e418a3ed0aa2c2ae2f451c38d1a98da4efaf00474b8f7422499e9430f8f16f69db7a33074
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- Filesize: 1KB
  MD5: 33d3dfd2b08e0128e08740c6aec4db52
  SHA1: 08d315d97e1e1a867f5495356b5ccc2f4dfd992c
  SHA256: 98c2100adbdd9bb866c915d2ed244614b888413299e053fc02452922c72ce9bd
  SHA512: 6ea9db43718521b0cac4b49342dbeb3924a061288b915b645c7661482c6eea29a1791074f6cd9cbf06d3089b2f70d5d4b82235e6bf367df4516acdd33425fe7f
- Filesize: 10KB
  MD5: fde945a51e5fdf1543bea4a9931b85da
  SHA1: 67921637ed634306472665592bbbf54a38c75a41
  SHA256: aa679b2aa59d772a437935e146a2caf13e84a3efbdb7eae4ddfb3403460c6051
  SHA512: 39b307d8737da828765b23eb9066dd81c1767ee64844815a2570bae2065cdb24b90bc644c913810b7746d0f13720013526fe685370b5ff425e8f6c76b3baa785
- Filesize: 312B
  MD5: 1b3301b5cd46a0739a4fdeaf7c22595d
  SHA1: 789bfaf2f684f0262f9f27709561bdb0f0165345
  SHA256: f1477e22c01d44dd66be4e79bf1f33e62e58745a67a8cbb775d98998f7ca0924
  SHA512: 645f0becc9482fa5eb6f8119228b0190151a0f8c7c6486c9f4e0474557c176351ede26f5cb6d62bc415abcb5709730a47ffe43d24f4d7755b93421061d0a5402