Overview

overview

10

Static

static

3

1e95e087dd...18.exe

windows7-x64

10

1e95e087dd...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e95e087ddc336bc8cc038866c629537_JaffaCakes118.exe

  • Size

    411KB

  • MD5

    1e95e087ddc336bc8cc038866c629537

  • SHA1

    68ff0f62b626aae7f11d5a1d7e2f7906cbe1a606

  • SHA256

    567b94bcdaea498b72ea3b4193d16a0eeb6807a02fefe59b9b87d0ae03d8dcd4

  • SHA512

    5e999094124243fccb6ed9f4eda9df203e527ca48c6d01126258b16c9f9b2546e6e4bb9a89db6b8e49cab71f3ec8625e42d2f3245603d0e3229df6b766ce0c15

  • SSDEEP

    12288:nPCNpaWbDrPHwfoXjRrPzD1lbMoKGRtq:Pd+8Uj5PnjbMoKD

Score
10/10
hawkeyekeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e95e087ddc336bc8cc038866c629537_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1e95e087ddc336bc8cc038866c629537_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4000
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1716
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5
            5⤵
            • Delays execution with timeout.exe
            PID:1568
      • C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
        "C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe
          "C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1088
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3628
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4576
              • C:\Windows\SysWOW64\timeout.exe
                timeout 5
                7⤵
                • Delays execution with timeout.exe
                PID:3008

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
    Filesize

    84B

    MD5

    078e9b825edb16211e11ff0e179170a8

    SHA1

    7471ae7132b9ac5aa62fe72c0ed548945683696a

    SHA256

    84c4f91eb41a51fa78b1ad5ca8913d9c074d0416967bf035c731f3a4908bfd16

    SHA512

    d09f30744b4f513846a6e964de3a12c408d98c8bf98977f04b68082d83ea2566162756a36f54c8500f27ee9deddd2bb3aa91ea54076e83fba7a70efc058383a4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
    Filesize

    39KB

    MD5

    38abcaec6ee62213f90b1717d830a1bb

    SHA1

    d8f5849d0d3f4ccc0dfb66a9a4a0442ac66a31b9

    SHA256

    6fee9a2c70b2cc48b0812f7cb2e09497c9c90941976f430a8f8279ad3c787768

    SHA512

    77eaabcbc6f7a3835b6220d72c4b1cae82d2125ea971907e33b15ceeede7e4da0741c6e63e988bd782ed6eb72ad3cbcba10ea83919eafd9b95d612c43a735274

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    411KB

    MD5

    1e95e087ddc336bc8cc038866c629537

    SHA1

    68ff0f62b626aae7f11d5a1d7e2f7906cbe1a606

    SHA256

    567b94bcdaea498b72ea3b4193d16a0eeb6807a02fefe59b9b87d0ae03d8dcd4

    SHA512

    5e999094124243fccb6ed9f4eda9df203e527ca48c6d01126258b16c9f9b2546e6e4bb9a89db6b8e49cab71f3ec8625e42d2f3245603d0e3229df6b766ce0c15

    Download Submit

  • C:\Users\Admin\AppData\Roaming\chrtmp
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • memory/2716-22-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2716-24-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/3628-42-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/4000-14-0x0000000074D10000-0x00000000752C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4000-15-0x0000000074D10000-0x00000000752C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4000-16-0x0000000074D10000-0x00000000752C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4000-46-0x0000000074D10000-0x00000000752C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4920-13-0x0000000074D10000-0x00000000752C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4920-0-0x0000000074D12000-0x0000000074D13000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4920-2-0x0000000074D10000-0x00000000752C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4920-1-0x0000000074D10000-0x00000000752C1000-memory.dmp

    Filesize

    5.7MB

    Download