Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 03:47
Static task: static1
Behavioral task: behavioral1
  Sample: 85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
Size: 780KB
MD5: 85e41a65ff21c6d4d41df8e23bffa808
SHA1: b22a88e0a71d7d6d248f403fb8ba989af1911fa2
SHA256: 376b073f2248a13be1b834e616d9625cddf689b36258bf42143efded46ea67f6
SHA512: 95c4b121b8146f7d970c848cc46880295c8b19fb5eb60158439cf52aeac0b9cb744052ffaac8df3d26272093ea2e3e39d357069f7ddb31e514fe25cf322e4652
SSDEEP: 12288:ICG20qQOGFoJDQ+GqAFuFUld+gpH1OHMhrhBKu3fN:ICuqtioJDQ9qQuGX+gpH1OcBn
Malware Config
Extracted
Protocol: smtp
Host: mail.porr.com.mk
Port: 587
Username: [email protected]
Password: Sas@@1234
Extracted
hawkeye_reborn
fields:
name:
Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
resource | yara_rule
behavioral2/memory/4672-23-0x0000000006070000-0x0000000006100000-memory.dmp | m00nd3v_logger
behavioral2/memory/5636-25-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger

NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/5364-44-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
behavioral2/memory/5364-45-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
behavioral2/memory/5364-46-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView

NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/memory/1940-34-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
behavioral2/memory/1940-36-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
behavioral2/memory/1940-32-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
behavioral2/memory/1940-42-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView

Nirsoft 7 IoCs
resource | yara_rule
behavioral2/memory/1940-34-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/1940-36-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/1940-32-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/1940-42-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/5364-44-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
behavioral2/memory/5364-45-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
behavioral2/memory/5364-46-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
Uses the VBS compiler for execution 1 TTPs

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 4672 set thread context of 5636 | 4672 | 85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe | 87
PID 5636 set thread context of 1940 | 5636 | RegAsm.exe | 95
PID 5636 set thread context of 5364 | 5636 | RegAsm.exe | 96

Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process
4672 | 85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe (2 entries)
1940 | vbc.exe (12 entries)
5636 | RegAsm.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4672 | 85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
Token: SeDebugPrivilege | 5636 | RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
5636 | RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs
description | pid | Process | procid_target
PID 4672 wrote to memory of 4732 | 4672 | 85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe | 82 (3 entries)
PID 4732 wrote to memory of 1136 | 4732 | csc.exe | 86 (3 entries)
PID 4672 wrote to memory of 5636 | 4672 | 85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe | 87 (8 entries)
PID 5636 wrote to memory of 1940 | 5636 | RegAsm.exe | 95 (9 entries)
PID 5636 wrote to memory of 5364 | 5636 | RegAsm.exe | 96 (9 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe"
  PID: 4672
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3gkhffxt\3gkhffxt.cmdline"
    PID: 4732
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A59.tmp" "c:\Users\Admin\AppData\Local\Temp\3gkhffxt\CSCB1C787B2568496D8DD8361BF56E766.TMP"
      PID: 1136

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID: 5636
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6486.tmp"
      PID: 1940
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp689E.tmp"
      PID: 5364
      - Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 8KB
MD5: a9d57ff690ff36f6ac0fb65705fa57d8
SHA1: 8542c5fa7dccda5a0db5e99c1bc5ddd52182f06a
SHA256: ed681cef5168289ca3703389f95789841a9dafac90f6fdf0ec2f0b9919acbdec
SHA512: 5957c4001ad453afa7fd6e76533cdeef932f7725a6ead3250874321f1d41790a9d86efb37e34b95966c2adb391ff0893d6331aed09d857ec5cb914ad6ca616c7

Filesize: 21KB
MD5: 31f8da682f2514a0b39098d2e67fc4ff
SHA1: 41c948b7f4b7576aad47b8aded970cb66efcea17
SHA256: c6a2e5d1d2e8645a1b2bb062eaa31316fadf4eb55e0d40b66ab8b07a468bebca
SHA512: dcb0f117a064f2d8298f31aba39bb7723ba6c08d6c205fd0190e5d95d48a570904bfd6fe61fdc0fd79aad5261060edeb853128d78fd38cc52a8a778a5f7b191d

Filesize: 1KB
MD5: 21afabb9cee71690b95343d4c13c2f50
SHA1: 61df6588304116092f00f898dd44fc5f1aaf9e83
SHA256: 4e61c9d51c5415af69df84c5ca0ace84667c4305db0d56a532034c66e2f635e6
SHA512: 209612ae495a962ee999cb5c95938ae357c5c3e67b172e3d50007da7ab44c54441c9288623a261fed31eee1874d7f735039dca26ef74ed887146c283b772cad6

Filesize: 4KB
MD5: a13985d129d8bf808cec12f9fe7b4ed3
SHA1: 3981490aa1ce9401c4470f0277fda627d9236356
SHA256: d3a2b4e44262cfbfb97652de5f54b36bfc525396d1d70dea03ab24c902dab8ef
SHA512: 5c990ca4e978b874e0863ad4bf1ccbe04499960d5c17fb16776297d22db5f168aa3a5a9863ec5a9f8286dda2f9fd96852f2dc2ef029c13ba659e33694c344887

Filesize: 10KB
MD5: fde945a51e5fdf1543bea4a9931b85da
SHA1: 67921637ed634306472665592bbbf54a38c75a41
SHA256: aa679b2aa59d772a437935e146a2caf13e84a3efbdb7eae4ddfb3403460c6051
SHA512: 39b307d8737da828765b23eb9066dd81c1767ee64844815a2570bae2065cdb24b90bc644c913810b7746d0f13720013526fe685370b5ff425e8f6c76b3baa785

Filesize: 312B
MD5: 83e28f9c1b06083fea57cf6e59d25d29
SHA1: 010b39f6ed34404db0ef49d49f08c6df34899b49
SHA256: ba26c49a550d6e8e144d2dec8cd5d23045e5a01a29043499fa3f48c615d9fd8a
SHA512: 62bf85e7af079edb626f7939c0fbc562f1b2f9b1de6f603b909af964b4e86b005c2a87455ed56bd21034d96c12054579495fb816aa6cbc2160e585ea9082f189

Filesize: 1KB
MD5: f8de7fc47aa2e8126911b66dc7173efd
SHA1: da5fcdc02a72e7a868403ad6ef04bc2fa98d1abe
SHA256: 77e246bd8983f3548344bf656b39e3026c116dc61bd99d9c0648bfe1994c6131
SHA512: 54cacc28027318af9e86351220d65788d5e88da4eca2386d8d4ab3ada6e6328b7745d31f5e9bf1fc53c4db03bb474d89d3d6d34d98103aa696c4d8f6182d56a7