Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
17-06-2024 08:43
Static task
static1
Behavioral task
behavioral1
Sample
b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe
-
Size
817KB
-
MD5
b7b54500b995dcd5ac2e9f0b5bdd0c23
-
SHA1
011ad6cf3d6c092d7892c3742647c38e157ab475
-
SHA256
4272b1d0b38f1c3e9ef6b63582035c96bef09292be1224918cf4ea6cbfda3de8
-
SHA512
85de68c3ed5e8c7e3ae4a766796296be20bdab153b4c56951af145272ff069264e99c0682042d846fbe10d31989ffcd13997dddada535e02bb66b2350c63f14c
-
SSDEEP
12288:JgVk00EpT/T65nVv+2K8Ycy2g6ULSo85RAJAN7Ux02/5kyxfi1JULXxnZ/R98KKW:WVdVTw9KaNo84JUAJKXUf/RGKKY0vI
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule behavioral1/memory/2940-14-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2940-17-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2940-16-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/2940-18-0x0000000000650000-0x00000000006C6000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/2940-18-0x0000000000650000-0x00000000006C6000-memory.dmp WebBrowserPassView -
Nirsoft 1 IoCs
resource yara_rule behavioral1/memory/2940-18-0x0000000000650000-0x00000000006C6000-memory.dmp Nirsoft -
Executes dropped EXE 2 IoCs
pid Process 2492 stable.exe 2940 stable.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/2552-3-0x0000000000460000-0x0000000000498000-memory.dmp agile_net -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Local\\stable.exe -boot" stable.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2492 set thread context of 2940 2492 stable.exe 35 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2552 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 2492 stable.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2552 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe Token: SeDebugPrivilege 2492 stable.exe Token: SeDebugPrivilege 2940 stable.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2552 wrote to memory of 2316 2552 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 28 PID 2552 wrote to memory of 2316 2552 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 28 PID 2552 wrote to memory of 2316 2552 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 28 PID 2552 wrote to memory of 2316 2552 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 28 PID 2552 wrote to memory of 2472 2552 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 30 PID 2552 wrote to memory of 2472 2552 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 30 PID 2552 wrote to memory of 2472 2552 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 30 PID 2552 wrote to memory of 2472 2552 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 30 PID 2500 wrote to memory of 2492 2500 explorer.exe 32 PID 2500 wrote to memory of 2492 2500 explorer.exe 32 PID 2500 wrote to memory of 2492 2500 explorer.exe 32 PID 2500 wrote to memory of 2492 2500 explorer.exe 32 PID 2492 wrote to memory of 2940 2492 stable.exe 35 PID 2492 wrote to memory of 2940 2492 stable.exe 35 PID 2492 wrote to memory of 2940 2492 stable.exe 35 PID 2492 wrote to memory of 2940 2492 stable.exe 35 PID 2492 wrote to memory of 2940 2492 stable.exe 35 PID 2492 wrote to memory of 2940 2492 stable.exe 35 PID 2492 wrote to memory of 2940 2492 stable.exe 35 PID 2492 wrote to memory of 2940 2492 stable.exe 35 PID 2492 wrote to memory of 2940 2492 stable.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\stable.exe"2⤵PID:2316
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\stable.exe"2⤵PID:2472
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Users\Admin\AppData\Local\stable.exe"C:\Users\Admin\AppData\Local\stable.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Users\Admin\AppData\Local\stable.exe"C:\Users\Admin\AppData\Local\stable.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
817KB
MD5b7b54500b995dcd5ac2e9f0b5bdd0c23
SHA1011ad6cf3d6c092d7892c3742647c38e157ab475
SHA2564272b1d0b38f1c3e9ef6b63582035c96bef09292be1224918cf4ea6cbfda3de8
SHA51285de68c3ed5e8c7e3ae4a766796296be20bdab153b4c56951af145272ff069264e99c0682042d846fbe10d31989ffcd13997dddada535e02bb66b2350c63f14c