Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
17-06-2024 08:43
Static task
static1
Behavioral task
behavioral1
Sample
b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe
-
Size
817KB
-
MD5
b7b54500b995dcd5ac2e9f0b5bdd0c23
-
SHA1
011ad6cf3d6c092d7892c3742647c38e157ab475
-
SHA256
4272b1d0b38f1c3e9ef6b63582035c96bef09292be1224918cf4ea6cbfda3de8
-
SHA512
85de68c3ed5e8c7e3ae4a766796296be20bdab153b4c56951af145272ff069264e99c0682042d846fbe10d31989ffcd13997dddada535e02bb66b2350c63f14c
-
SSDEEP
12288:JgVk00EpT/T65nVv+2K8Ycy2g6ULSo85RAJAN7Ux02/5kyxfi1JULXxnZ/R98KKW:WVdVTw9KaNo84JUAJKXUf/RGKKY0vI
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule behavioral2/memory/2964-23-0x0000000000580000-0x0000000000610000-memory.dmp m00nd3v_logger -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/2964-24-0x0000000006F60000-0x0000000006FD6000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/2964-24-0x0000000006F60000-0x0000000006FD6000-memory.dmp WebBrowserPassView -
Nirsoft 1 IoCs
resource yara_rule behavioral2/memory/2964-24-0x0000000006F60000-0x0000000006FD6000-memory.dmp Nirsoft -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
pid Process 3268 stable.exe 2964 stable.exe -
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral2/memory/2220-5-0x0000000007210000-0x0000000007248000-memory.dmp agile_net behavioral2/memory/3268-17-0x0000000005300000-0x0000000005338000-memory.dmp agile_net -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Local\\stable.exe -boot" stable.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 42 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3268 set thread context of 2964 3268 stable.exe 106 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2220 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 3268 stable.exe 3268 stable.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2220 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe Token: SeDebugPrivilege 3268 stable.exe Token: SeDebugPrivilege 2964 stable.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2220 wrote to memory of 2788 2220 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 96 PID 2220 wrote to memory of 2788 2220 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 96 PID 2220 wrote to memory of 2788 2220 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 96 PID 2220 wrote to memory of 4220 2220 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 101 PID 2220 wrote to memory of 4220 2220 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 101 PID 2220 wrote to memory of 4220 2220 b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe 101 PID 1692 wrote to memory of 3268 1692 explorer.exe 103 PID 1692 wrote to memory of 3268 1692 explorer.exe 103 PID 1692 wrote to memory of 3268 1692 explorer.exe 103 PID 3268 wrote to memory of 2964 3268 stable.exe 106 PID 3268 wrote to memory of 2964 3268 stable.exe 106 PID 3268 wrote to memory of 2964 3268 stable.exe 106 PID 3268 wrote to memory of 2964 3268 stable.exe 106 PID 3268 wrote to memory of 2964 3268 stable.exe 106 PID 3268 wrote to memory of 2964 3268 stable.exe 106 PID 3268 wrote to memory of 2964 3268 stable.exe 106 PID 3268 wrote to memory of 2964 3268 stable.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\b7b54500b995dcd5ac2e9f0b5bdd0c23_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\stable.exe"2⤵PID:2788
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\stable.exe"2⤵PID:4220
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Users\Admin\AppData\Local\stable.exe"C:\Users\Admin\AppData\Local\stable.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Users\Admin\AppData\Local\stable.exe"C:\Users\Admin\AppData\Local\stable.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:81⤵PID:4396
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
Filesize
817KB
MD5b7b54500b995dcd5ac2e9f0b5bdd0c23
SHA1011ad6cf3d6c092d7892c3742647c38e157ab475
SHA2564272b1d0b38f1c3e9ef6b63582035c96bef09292be1224918cf4ea6cbfda3de8
SHA51285de68c3ed5e8c7e3ae4a766796296be20bdab153b4c56951af145272ff069264e99c0682042d846fbe10d31989ffcd13997dddada535e02bb66b2350c63f14c