Overview

overview

10

Static

static

3

8de4b87458...18.exe

windows7-x64

10

8de4b87458...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-06-2024 11:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8de4b87458eccfaf55b7eadea6d2a2fa_JaffaCakes118.exe

  • Size

    742KB

  • MD5

    8de4b87458eccfaf55b7eadea6d2a2fa

  • SHA1

    7696e37037751dfd097c87ee0085e5de016bf98c

  • SHA256

    d8288616f75a9b09eb77e18244d7ae7ecb3f250ba5d7ccdedaa9689c016fe5ef

  • SHA512

    0ce21b713f9bc40eb4058778c68b9918bbce046093cd9b19575ea5bdb4f6630762d16cd2dcfcc1f289a6378b624f8705dfa24c52f823383da464794d66f3e6b1

  • SSDEEP

    12288:AX378cmb6Xc+9jzpbKsll9THSSCWfsV9aFxYMJ5j3nb+:An7vEKcMnpPpSSCWYstN3K

Score
10/10
hawkeyecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    ns7.hadara.ps
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    qazxswqazxsw@123

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 5 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 8 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8de4b87458eccfaf55b7eadea6d2a2fa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8de4b87458eccfaf55b7eadea6d2a2fa_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4592
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5072
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:3660
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2412
    • C:\Users\Admin\AppData\Local\Temp\8de4b87458eccfaf55b7eadea6d2a2fa_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\8de4b87458eccfaf55b7eadea6d2a2fa_JaffaCakes118.exe"
      2⤵
        PID:432

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\8de4b87458eccfaf55b7eadea6d2a2fa_JaffaCakes118.exe.log
      Filesize

      774B

      MD5

      049b2c7e274ebb68f3ada1961c982a22

      SHA1

      796b9f03c8cd94617ea26aaf861af9fb2a5731db

      SHA256

      5c69c41dceda1bb32d4054d6b483bb3e3af84c8cf0a6191c79068168a1d506b3

      SHA512

      fb2ee642e1401772d514e86b0b8dd117659335066242e85c158b40e8912572f2bd7b9a0f63f9b9f4d7a2e051579345215f6b1f147881f3d1e78f335c45d78ebf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
      Filesize

      3KB

      MD5

      f94dc819ca773f1e3cb27abbc9e7fa27

      SHA1

      9a7700efadc5ea09ab288544ef1e3cd876255086

      SHA256

      a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

      SHA512

      72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      Filesize

      520KB

      MD5

      9c2b62407b2ed9680066a998d6772d18

      SHA1

      e2601164d04673a035241702f2849cf400d16286

      SHA256

      6d7e3ea5be4fc6079904b9e3aa757718e34708a00e419588d47e35502820698d

      SHA512

      f008248f14d5aa9f8a222a2e1986b6a5afb5dc0f1d601b819518b50baa2c99cd98f137bcf31a0e931c015dcfc98257944d955f16c2232472a0064278587d6bb1

      Download Submit

    • memory/432-25-0x0000000075390000-0x0000000075941000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/432-17-0x0000000000400000-0x0000000000488000-memory.dmp

      Filesize

      544KB

      Download

    • memory/432-21-0x0000000075390000-0x0000000075941000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/432-22-0x0000000075390000-0x0000000075941000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2412-46-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2412-39-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2412-38-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3660-30-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/3660-34-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/3660-33-0x0000000000420000-0x00000000004E9000-memory.dmp

      Filesize

      804KB

      Download

    • memory/3660-32-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/4592-37-0x0000000075390000-0x0000000075941000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4592-0-0x0000000075392000-0x0000000075393000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4592-2-0x0000000075390000-0x0000000075941000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4592-1-0x0000000075390000-0x0000000075941000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/5072-20-0x0000000075390000-0x0000000075941000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/5072-24-0x0000000075390000-0x0000000075941000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/5072-19-0x0000000075390000-0x0000000075941000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/5072-18-0x0000000075390000-0x0000000075941000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/5072-47-0x0000000075390000-0x0000000075941000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/5072-48-0x0000000075390000-0x0000000075941000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/5072-49-0x0000000075390000-0x0000000075941000-memory.dmp

      Filesize

      5.7MB

      Download