Extracted

• • Target

    b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118

  • Size

    817KB

  • MD5

    b7b54500b995dcd5ac2e9f0b5bdd0c23

  • SHA1

    011ad6cf3d6c092d7892c3742647c38e157ab475

  • SHA256

    4272b1d0b38f1c3e9ef6b63582035c96bef09292be1224918cf4ea6cbfda3de8

  • SHA512

    85de68c3ed5e8c7e3ae4a766796296be20bdab153b4c56951af145272ff069264e99c0682042d846fbe10d31989ffcd13997dddada535e02bb66b2350c63f14c

  • SSDEEP

    12288:JgVk00EpT/T65nVv+2K8Ycy2g6ULSo85RAJAN7Ux02/5kyxfi1JULXxnZ/R98KKW:WVdVTw9KaNo84JUAJKXUf/RGKKY0vI

  Score

  10^/10

  hawkeye_rebornm00nd3v_loggeragilenetinfostealerkeyloggerpersistencespywarestealertrojan

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger

  • M00nD3v Logger payload

    Detects M00nD3v Logger payload in memory.

    infostealer

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Nirsoft

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2