Overview

overview

10

Static

static

3

bb9949c1dd...18.exe

windows7-x64

10

bb9949c1dd...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-06-2024 11:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe

  • Size

    791KB

  • MD5

    bb9949c1dd3457d699def7fd8ac2eb9a

  • SHA1

    119f207f2c27cc412fb5df582b7f69ea556f518a

  • SHA256

    4aa65a171e00328be3622ca78be90936249a792e68313ebeeeec846d49e64069

  • SHA512

    ac3e1eaf741ce7f4f39c4daa92b5e3a9ab1b4ef94a4a725e20ed2630d405498b8b05924eada676aea218a92a41caf1400e368d54b6be38debb32d1498f11460a

  • SSDEEP

    24576:CI9GDt49nG7Z0q3IvjbWA11OMKMenC2Ovc+:CdtCnIq4snrvbeSE

Score
10/10
hawkeye_rebornm00nd3v_loggercollectioninfostealerkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.zoho.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    CONNECT2018

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger payload 1 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • NirSoft MailPassView 4 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\start.exe"
      2⤵
        PID:4144
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\start.exe"
        2⤵
          PID:1248
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Users\Admin\AppData\Local\start.exe
          "C:\Users\Admin\AppData\Local\start.exe"
          2⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1940
          • C:\Users\Admin\AppData\Local\start.exe
            "C:\Users\Admin\AppData\Local\start.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp"
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:2324
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp263C.tmp"
              4⤵
              • Accesses Microsoft Outlook accounts
              PID:5016
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4976

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Scripting

        1
        T1064

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Scripting

        1
        T1064

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Email Collection

        1
        T1114

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\start.exe.log
          Filesize

          706B

          MD5

          2ef5ef69dadb8865b3d5b58c956077b8

          SHA1

          af2d869bac00685c745652bbd8b3fe82829a8998

          SHA256

          363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3

          SHA512

          66d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp
          Filesize

          4KB

          MD5

          10fa8ec140c204486092fb161e567ec7

          SHA1

          4d63e1f8df3afefedb19df73d7ee5f3b1e7b6473

          SHA256

          7176ca3d0196ec46f178107fdb587adaef3f6ea65daa80eccd2371a515880e04

          SHA512

          9db4eeb3f07d8d0579f75f3426c91156809152d8c1a37c9a27bf159888f6dd97f1212ac80f5bbb17e4d86f3087c512ccba2ca50a2db07d071370bd36364e1f76

          Download Submit
        • C:\Users\Admin\AppData\Local\start.exe
          Filesize

          791KB

          MD5

          bb9949c1dd3457d699def7fd8ac2eb9a

          SHA1

          119f207f2c27cc412fb5df582b7f69ea556f518a

          SHA256

          4aa65a171e00328be3622ca78be90936249a792e68313ebeeeec846d49e64069

          SHA512

          ac3e1eaf741ce7f4f39c4daa92b5e3a9ab1b4ef94a4a725e20ed2630d405498b8b05924eada676aea218a92a41caf1400e368d54b6be38debb32d1498f11460a

          Download Submit
        • memory/372-6-0x0000000007D40000-0x0000000007D76000-memory.dmp
          Filesize

          216KB

          Download
        • memory/372-1-0x0000000000CF0000-0x0000000000DBE000-memory.dmp
          Filesize

          824KB

          Download
        • memory/372-5-0x0000000074DD0000-0x0000000075580000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/372-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp
          Filesize

          4KB

          Download
        • memory/372-7-0x0000000007D70000-0x0000000007D76000-memory.dmp
          Filesize

          24KB

          Download
        • memory/372-11-0x0000000074DD0000-0x0000000075580000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/372-3-0x00000000082F0000-0x0000000008894000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/372-4-0x0000000007DE0000-0x0000000007E72000-memory.dmp
          Filesize

          584KB

          Download
        • memory/372-2-0x0000000007C40000-0x0000000007D36000-memory.dmp
          Filesize

          984KB

          Download
        • memory/1940-14-0x00000000052A0000-0x000000000533C000-memory.dmp
          Filesize

          624KB

          Download
        • memory/2324-22-0x0000000000400000-0x000000000045B000-memory.dmp
          Filesize

          364KB

          Download
        • memory/2324-23-0x0000000000400000-0x000000000045B000-memory.dmp
          Filesize

          364KB

          Download
        • memory/2324-28-0x0000000000460000-0x0000000000529000-memory.dmp
          Filesize

          804KB

          Download
        • memory/2324-29-0x0000000000400000-0x000000000045B000-memory.dmp
          Filesize

          364KB

          Download
        • memory/2740-15-0x0000000000400000-0x0000000000490000-memory.dmp
          Filesize

          576KB

          Download
        • memory/2740-19-0x00000000059A0000-0x0000000005A16000-memory.dmp
          Filesize

          472KB

          Download
        • memory/2740-20-0x0000000005AA0000-0x0000000005B06000-memory.dmp
          Filesize

          408KB

          Download
        • memory/2740-35-0x00000000068E0000-0x00000000068EA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/5016-31-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

          Download
        • memory/5016-32-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

          Download
        • memory/5016-34-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

          Download