Overview

overview

10

Static

static

3

8de4b87458...18.exe

windows7-x64

10

8de4b87458...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    02-06-2024 11:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8de4b87458eccfaf55b7eadea6d2a2fa_JaffaCakes118.exe

  • Size

    742KB

  • MD5

    8de4b87458eccfaf55b7eadea6d2a2fa

  • SHA1

    7696e37037751dfd097c87ee0085e5de016bf98c

  • SHA256

    d8288616f75a9b09eb77e18244d7ae7ecb3f250ba5d7ccdedaa9689c016fe5ef

  • SHA512

    0ce21b713f9bc40eb4058778c68b9918bbce046093cd9b19575ea5bdb4f6630762d16cd2dcfcc1f289a6378b624f8705dfa24c52f823383da464794d66f3e6b1

  • SSDEEP

    12288:AX378cmb6Xc+9jzpbKsll9THSSCWfsV9aFxYMJ5j3nb+:An7vEKcMnpPpSSCWYstN3K

Score
10/10
hawkeyecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    ns7.hadara.ps
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    qazxswqazxsw@123

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 9 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 9 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8de4b87458eccfaf55b7eadea6d2a2fa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8de4b87458eccfaf55b7eadea6d2a2fa_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:3044
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
          PID:3020
      • C:\Users\Admin\AppData\Local\Temp\8de4b87458eccfaf55b7eadea6d2a2fa_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\8de4b87458eccfaf55b7eadea6d2a2fa_JaffaCakes118.exe"
        2⤵
          PID:2824

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Tar7881.tmp
        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        Filesize

        520KB

        MD5

        9c2b62407b2ed9680066a998d6772d18

        SHA1

        e2601164d04673a035241702f2849cf400d16286

        SHA256

        6d7e3ea5be4fc6079904b9e3aa757718e34708a00e419588d47e35502820698d

        SHA512

        f008248f14d5aa9f8a222a2e1986b6a5afb5dc0f1d601b819518b50baa2c99cd98f137bcf31a0e931c015dcfc98257944d955f16c2232472a0064278587d6bb1

        Download Submit

      • memory/2104-11-0x0000000074F30000-0x00000000754DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2104-27-0x0000000074F30000-0x00000000754DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2104-45-0x0000000074F30000-0x00000000754DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2416-0-0x0000000074F31000-0x0000000074F32000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2416-1-0x0000000074F30000-0x00000000754DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2416-2-0x0000000074F30000-0x00000000754DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2416-38-0x0000000074F30000-0x00000000754DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2824-16-0x0000000000400000-0x0000000000488000-memory.dmp

        Filesize

        544KB

        Download

      • memory/2824-18-0x0000000000400000-0x0000000000488000-memory.dmp

        Filesize

        544KB

        Download

      • memory/2824-14-0x0000000000400000-0x0000000000488000-memory.dmp

        Filesize

        544KB

        Download

      • memory/2824-12-0x0000000000400000-0x0000000000488000-memory.dmp

        Filesize

        544KB

        Download

      • memory/2824-29-0x0000000074F30000-0x00000000754DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2824-26-0x0000000000400000-0x0000000000488000-memory.dmp

        Filesize

        544KB

        Download

      • memory/2824-28-0x0000000074F30000-0x00000000754DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2824-24-0x0000000000400000-0x0000000000488000-memory.dmp

        Filesize

        544KB

        Download

      • memory/2824-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2824-22-0x0000000000400000-0x0000000000488000-memory.dmp

        Filesize

        544KB

        Download

      • memory/3020-39-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/3020-40-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/3020-43-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/3044-37-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/3044-34-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/3044-35-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download