Analysis
max time kernel: 142s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 11:05
Static task: static1
Behavioral task: behavioral1
  Sample: bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe
Size: 791KB
MD5: bb9949c1dd3457d699def7fd8ac2eb9a
SHA1: 119f207f2c27cc412fb5df582b7f69ea556f518a
SHA256: 4aa65a171e00328be3622ca78be90936249a792e68313ebeeeec846d49e64069
SHA512: ac3e1eaf741ce7f4f39c4daa92b5e3a9ab1b4ef94a4a725e20ed2630d405498b8b05924eada676aea218a92a41caf1400e368d54b6be38debb32d1498f11460a
SSDEEP: 24576:CI9GDt49nG7Z0q3IvjbWA11OMKMenC2Ovc+:CdtCnIq4snrvbeSE
Malware Config
Extracted (SMTP credentials)
Protocol: smtp
Host: smtp.zoho.com
Port: 587
Username: [email protected]
Password: CONNECT2018
Extracted (hawkeye_reborn)
fields: (not populated)
name: (not populated)
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Processes:
resource | yara_rule
behavioral2/memory/2740-15-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral2/memory/2740-19-0x00000000059A0000-0x0000000005A16000-memory.dmp | MailPassView
behavioral2/memory/5016-31-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
behavioral2/memory/5016-32-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
behavioral2/memory/5016-34-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral2/memory/2740-19-0x00000000059A0000-0x0000000005A16000-memory.dmp | WebBrowserPassView
behavioral2/memory/2324-22-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
behavioral2/memory/2324-23-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
behavioral2/memory/2324-29-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
Nirsoft 7 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2740-19-0x00000000059A0000-0x0000000005A16000-memory.dmp | Nirsoft
behavioral2/memory/2324-22-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/2324-23-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/2324-29-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/5016-31-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
behavioral2/memory/5016-32-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
behavioral2/memory/5016-34-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe
Executes dropped EXE 2 IoCs
Processes:
pid | process
1940 | start.exe
2740 | start.exe
Uses the VBS compiler for execution 1 TTPs
vbc.exe here is the Visual Basic .NET compiler from C:\Windows\Microsoft.NET\Framework\v2.0.50727, not a VBScript engine. start.exe (PID 2740) starts two instances of it and replaces their code through WriteProcessMemory and SetThreadContext, so the NirSoft recovery tools run under a Microsoft-shipped image name (see the YARA hits in PIDs 2324 and 5016).
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Local\\start.exe -boot" | start.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1940 set thread context of 2740 | 1940 | start.exe | start.exe
PID 2740 set thread context of 2324 | 2740 | start.exe | vbc.exe
PID 2740 set thread context of 5016 | 2740 | start.exe | vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes (17 rows, collapsed with counts):
pid | process | count
372 | bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe | 1
1940 | start.exe | 2
2324 | vbc.exe | 12
2740 | start.exe | 2
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 372 | bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe
Token: SeDebugPrivilege | 1940 | start.exe
Token: SeDebugPrivilege | 2740 | start.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2740 | start.exe
Suspicious use of WriteProcessMemory 35 IoCs
Processes (35 rows, one per call, collapsed to one row per source/target pair with a count):
description | pid | process | target process | count
PID 372 wrote to memory of 4144 | 372 | bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe | cmd.exe | 3
PID 372 wrote to memory of 1248 | 372 | bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe | explorer.exe | 3
PID 1916 wrote to memory of 1940 | 1916 | explorer.exe | start.exe | 3
PID 1940 wrote to memory of 2740 | 1940 | start.exe | start.exe | 8
PID 2740 wrote to memory of 2324 | 2740 | start.exe | vbc.exe | 9
PID 2740 wrote to memory of 5016 | 2740 | start.exe | vbc.exe | 9
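The WriteProcessMemory and SetThreadContext sections above list one row per API call, which hides the shape of the injection chain. The script below is an added example, not part of the sandbox report: it parses rows in the flat "PID X wrote to memory of Y X src.exe dst.exe" form the page uses (the input is constructed from this page's rows and shortened), collapses repeats, and marks every target that received both a memory write and a thread-context change from the same parent. That pair is the process-hollowing signal: 2740 (start.exe hollowing a second copy of itself) and the two vbc.exe instances 2324 and 5016. An ordinary CreateProcess also appears as a write into the new child (4144 cmd.exe, 1248 explorer.exe), so the write alone is not the signal. Function and variable names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the flattened WriteProcessMemory / SetThreadContext rows
# from this report, shortened (the page repeats each write row once per call).
WPM_ROWS = (
    "description pid process target process "
    "PID 372 wrote to memory of 4144 372 bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe cmd.exe "
    "PID 372 wrote to memory of 4144 372 bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe cmd.exe "
    "PID 372 wrote to memory of 1248 372 bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe explorer.exe "
    "PID 1916 wrote to memory of 1940 1916 explorer.exe start.exe "
    "PID 1940 wrote to memory of 2740 1940 start.exe start.exe "
    "PID 1940 wrote to memory of 2740 1940 start.exe start.exe "
    "PID 1940 wrote to memory of 2740 1940 start.exe start.exe "
    "PID 2740 wrote to memory of 2324 2740 start.exe vbc.exe "
    "PID 2740 wrote to memory of 5016 2740 start.exe vbc.exe"
)
STC_ROWS = (
    "description pid process target process "
    "PID 1940 set thread context of 2740 1940 start.exe start.exe "
    "PID 2740 set thread context of 2324 2740 start.exe vbc.exe "
    "PID 2740 set thread context of 5016 2740 start.exe vbc.exe"
)

# One row: "PID <src> <verb> <dst> <src again> <src image> <dst image>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<api>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)"
)
API_NAME = {"wrote to memory of": "WriteProcessMemory",
            "set thread context of": "SetThreadContext"}


def parse_rows(flat):
    """Yield (api, src_pid, src_name, dst_pid, dst_name) per row, duplicates kept."""
    for m in ROW_RE.finditer(flat):
        yield (API_NAME[m["api"]], int(m["src"]), m["src_name"],
               int(m["dst"]), m["dst_name"])


def injection_graph(*flats):
    """Collapse repeated rows into one edge per (src, dst) with per-API call counts."""
    graph = {}
    for flat in flats:
        for api, src, src_name, dst, dst_name in parse_rows(flat):
            edge = graph.setdefault((src, dst), {"src_name": src_name,
                                                 "dst_name": dst_name,
                                                 "apis": Counter()})
            edge["apis"][api] += 1
    return graph


def hollowed_targets(graph):
    """PIDs that got both a memory write and a thread-context change from one parent.
    A write into a brand-new child with no SetThreadContext is what plain
    CreateProcess looks like in this trace; the pair is the hollowing signal."""
    return sorted(dst for (_, dst), e in graph.items()
                  if {"WriteProcessMemory", "SetThreadContext"} <= set(e["apis"]))


def render_chain(graph, root, depth=0):
    """Indented text tree of write/context edges starting at PID `root`."""
    children = defaultdict(list)
    for (src, dst), e in graph.items():
        children[src].append((dst, e))
    hollowed = set(hollowed_targets(graph))
    lines = []
    for dst, e in sorted(children[root], key=lambda t: t[0]):
        apis = ", ".join(f"{k} x{v}" for k, v in sorted(e["apis"].items()))
        tag = "  <-- hollowed" if dst in hollowed else ""
        lines.append(f"{'  ' * depth}{e['src_name']} ({root}) -> "
                     f"{e['dst_name']} ({dst}) [{apis}]{tag}")
        lines.extend(render_chain(graph, dst, depth + 1))
    return lines


if __name__ == "__main__":
    g = injection_graph(WPM_ROWS, STC_ROWS)
    print("\n".join(render_chain(g, 372) + render_chain(g, 1916)))
```

Run as a script it prints two trees, one rooted at the submitted sample (PID 372) and one at the COM-factory explorer.exe (PID 1916) that launched start.exe; the "<-- hollowed" tag lands on 2740, 2324 and 5016 only.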
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe [level 1]
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe [level 2]
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\start.exe"
  C:\Windows\SysWOW64\explorer.exe [level 2]
    Command line: "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\start.exe"
-
C:\Windows\explorer.exe [level 1]
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\start.exe [level 2]
    Command line: "C:\Users\Admin\AppData\Local\start.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\start.exe [level 3]
      Command line: "C:\Users\Admin\AppData\Local\start.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe [level 4]
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp"
        - Suspicious behavior: EnumeratesProcesses
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe [level 4]
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp263C.tmp"
        - Accesses Microsoft Outlook accounts
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [level 1]
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
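The process tree above shows four behaviours that can be detected without the YARA hits: the dropper copying itself into AppData\Local with cmd /c copy; the copy being relaunched through explorer.exe /c, so that the COM-factory explorer.exe (PID 1916), not the dropper, becomes its parent; vbc.exe being started with NirSoft's /stext save switch, which the compiler does not have; and a Run value whose executable lives under AppData. The Python below is an added example, not code from the sandbox vendor or the malware author. It encodes those as rules over Sysmon-style process-creation and registry-set events constructed from this page's tree; the msedge PID 6000, the shortened msedge command line and the svchost.exe parent of the /factory explorer.exe are assumptions the page does not state, and all rule and function names are the example's own.

```python
import re
from os.path import basename

# Constructed events modeled on this report's process tree and Run-key write.
# PIDs, images and command lines are copied from the page except where marked.
PROC_EVENTS = [
    {"pid": 4144, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\start.exe"'},
    {"pid": 1248, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe",
     "cmdline": r'"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\start.exe"'},
    {"pid": 1916, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\svchost.exe",  # assumed; parent not on the page
     "cmdline": r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"},
    {"pid": 1940, "image": r"C:\Users\Admin\AppData\Local\start.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'"C:\Users\Admin\AppData\Local\start.exe"'},
    {"pid": 2324, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "parent": r"C:\Users\Admin\AppData\Local\start.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp"'},
    {"pid": 5016, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "parent": r"C:\Users\Admin\AppData\Local\start.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp263C.tmp"'},
    {"pid": 6000,  # assumed PID and shortened command line; benign control row
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --lang=en-US'},
]
REG_EVENTS = [
    {"pid": 1940, "image": r"C:\Users\Admin\AppData\Local\start.exe",
     "key": r"HKU\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application",
     "value": r"C:\Users\Admin\AppData\Local\start.exe -boot"},
]

USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public)\\", re.I)
NETFX_DIR = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\", re.I)
# NirSoft "save report" switches; none of them is an option of vbc.exe or csc.exe.
NIRSOFT_SAVE = re.compile(r"(?i)\s/s(text|html|xml|comma|tab)\b")


def image_name(path):
    return basename(path.replace("\\", "/")).lower()


def run_value_image(value):
    """Executable path from a Run-key command string, quoted or bare."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"(?i)(.*?\.exe)", value)
    return m.group(1) if m else value.split()[0]


def rule_nirsoft_in_netfx(ev):
    # A .NET Framework binary given a NirSoft save switch: the image was hollowed
    # and a recovery tool is writing its credential report to the named file.
    return bool(NETFX_DIR.search(ev["image"]) and NIRSOFT_SAVE.search(ev["cmdline"]))


def rule_explorer_relaunch(ev):
    # "explorer.exe /c, <exe>" re-launches <exe> under the shell's COM factory
    # process, severing the parent link to the dropper; flag user-writable targets.
    return (image_name(ev["image"]) == "explorer.exe" and "/c," in ev["cmdline"]
            and bool(USER_WRITABLE.search(ev["cmdline"])))


def rule_self_copy(ev):
    # cmd /c copy <parent's own image> <user-writable path>: the dropper staging itself.
    if image_name(ev["image"]) != "cmd.exe":
        return False
    m = re.search(r"(?i)\bcopy\s+(.*)", ev["cmdline"])
    if not m:
        return False
    args = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', m.group(1))]
    return (len(args) >= 2 and image_name(args[0]) == image_name(ev["parent"])
            and bool(USER_WRITABLE.search(args[1])))


def rule_run_key_userdir(ev):
    # Run value whose executable lives in a user-writable directory.
    return ("\\currentversion\\run\\" in ev["key"].lower()
            and bool(USER_WRITABLE.search(run_value_image(ev["value"]))))


PROC_RULES = {"nirsoft_switch_on_netfx_binary": rule_nirsoft_in_netfx,
              "explorer_relaunch_from_user_dir": rule_explorer_relaunch,
              "self_copy_to_user_dir": rule_self_copy}
REG_RULES = {"run_key_user_dir": rule_run_key_userdir}


def detect(proc_events, reg_events):
    """Return sorted (pid, rule) pairs for every event that trips a rule."""
    hits = [(ev["pid"], n) for ev in proc_events for n, r in PROC_RULES.items() if r(ev)]
    hits += [(ev["pid"], n) for ev in reg_events for n, r in REG_RULES.items() if r(ev)]
    return sorted(hits)


if __name__ == "__main__":
    for pid, rule in detect(PROC_EVENTS, REG_EVENTS):
        print(f"{pid:>5}  {rule}")
```

On this page's events the rules fire on 4144 (self copy), 1248 (explorer relaunch), 2324 and 5016 (NirSoft switch on vbc.exe) and the 1940 Run value, and stay quiet on the /factory explorer.exe and the msedge control row. The explorer relaunch and Run-key rules key on user-writable directories, so they will also flag legitimate per-user installers; tune the path list to the environment before deploying them as alerts.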
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\start.exe.log
Filesize: 706B
MD5: 2ef5ef69dadb8865b3d5b58c956077b8
SHA1: af2d869bac00685c745652bbd8b3fe82829a8998
SHA256: 363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3
SHA512: 66d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3
Note: a CLR usage log under CLR_v4.0_32 is written by the runtime itself, so start.exe ran as a 32-bit .NET application, consistent with the M00nd3v Logger (.NET) detection.
-
C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp
Filesize: 4KB
MD5: 10fa8ec140c204486092fb161e567ec7
SHA1: 4d63e1f8df3afefedb19df73d7ee5f3b1e7b6473
SHA256: 7176ca3d0196ec46f178107fdb587adaef3f6ea65daa80eccd2371a515880e04
SHA512: 9db4eeb3f07d8d0579f75f3426c91156809152d8c1a37c9a27bf159888f6dd97f1212ac80f5bbb17e4d86f3087c512ccba2ca50a2db07d071370bd36364e1f76
Note: this is the output path given to the first vbc.exe instance with /stext (see the process tree); NirSoft recovery tools use that switch to save their report, so the file holds the recovered credentials before the stealer reads them back.
-
C:\Users\Admin\AppData\Local\start.exe
Filesize: 791KB
MD5: bb9949c1dd3457d699def7fd8ac2eb9a
SHA1: 119f207f2c27cc412fb5df582b7f69ea556f518a
SHA256: 4aa65a171e00328be3622ca78be90936249a792e68313ebeeeec846d49e64069
SHA512: ac3e1eaf741ce7f4f39c4daa92b5e3a9ab1b4ef94a4a725e20ed2630d405498b8b05924eada676aea218a92a41caf1400e368d54b6be38debb32d1498f11460a
Note: every hash matches the submitted sample, so start.exe is the byte-for-byte copy made by the cmd.exe /c copy step and is the file the Run value points at.
-
memory/372-6-0x0000000007D40000-0x0000000007D76000-memory.dmp
Filesize: 216KB
-
memory/372-1-0x0000000000CF0000-0x0000000000DBE000-memory.dmp
Filesize: 824KB
-
memory/372-5-0x0000000074DD0000-0x0000000075580000-memory.dmp
Filesize: 7.7MB
-
memory/372-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp
Filesize: 4KB
-
memory/372-7-0x0000000007D70000-0x0000000007D76000-memory.dmp
Filesize: 24KB
-
memory/372-11-0x0000000074DD0000-0x0000000075580000-memory.dmp
Filesize: 7.7MB
-
memory/372-3-0x00000000082F0000-0x0000000008894000-memory.dmp
Filesize: 5.6MB
-
memory/372-4-0x0000000007DE0000-0x0000000007E72000-memory.dmp
Filesize: 584KB
-
memory/372-2-0x0000000007C40000-0x0000000007D36000-memory.dmp
Filesize: 984KB
-
memory/1940-14-0x00000000052A0000-0x000000000533C000-memory.dmp
Filesize: 624KB
-
memory/2324-22-0x0000000000400000-0x000000000045B000-memory.dmp
Filesize: 364KB
-
memory/2324-23-0x0000000000400000-0x000000000045B000-memory.dmp
Filesize: 364KB
-
memory/2324-28-0x0000000000460000-0x0000000000529000-memory.dmp
Filesize: 804KB
-
memory/2324-29-0x0000000000400000-0x000000000045B000-memory.dmp
Filesize: 364KB
-
memory/2740-15-0x0000000000400000-0x0000000000490000-memory.dmp
Filesize: 576KB
-
memory/2740-19-0x00000000059A0000-0x0000000005A16000-memory.dmp
Filesize: 472KB
-
memory/2740-20-0x0000000005AA0000-0x0000000005B06000-memory.dmp
Filesize: 408KB
-
memory/2740-35-0x00000000068E0000-0x00000000068EA000-memory.dmp
Filesize: 40KB
-
memory/5016-31-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize: 112KB
-
memory/5016-32-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize: 112KB
-
memory/5016-34-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize: 112KB