General

  • Target

    bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118

  • Size

    791KB

  • Sample

    240618-m61hkavdqj

  • MD5

    bb9949c1dd3457d699def7fd8ac2eb9a

  • SHA1

    119f207f2c27cc412fb5df582b7f69ea556f518a

  • SHA256

    4aa65a171e00328be3622ca78be90936249a792e68313ebeeeec846d49e64069

  • SHA512

    ac3e1eaf741ce7f4f39c4daa92b5e3a9ab1b4ef94a4a725e20ed2630d405498b8b05924eada676aea218a92a41caf1400e368d54b6be38debb32d1498f11460a

  • SSDEEP

    24576:CI9GDt49nG7Z0q3IvjbWA11OMKMenC2Ovc+:CdtCnIq4snrvbeSE

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.zoho.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    CONNECT2018

Targets

    • Target

      bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118

    • Size

      791KB

    • MD5

      bb9949c1dd3457d699def7fd8ac2eb9a

    • SHA1

      119f207f2c27cc412fb5df582b7f69ea556f518a

    • SHA256

      4aa65a171e00328be3622ca78be90936249a792e68313ebeeeec846d49e64069

    • SHA512

      ac3e1eaf741ce7f4f39c4daa92b5e3a9ab1b4ef94a4a725e20ed2630d405498b8b05924eada676aea218a92a41caf1400e368d54b6be38debb32d1498f11460a

    • SSDEEP

      24576:CI9GDt49nG7Z0q3IvjbWA11OMKMenC2Ovc+:CdtCnIq4snrvbeSE

    • HawkEye Reborn

      HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • M00nD3v Logger payload

      Detects M00nD3v Logger payload in memory.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks