Overview

overview

10

Static

static

7

202f882a46...18.exe

windows7-x64

10

202f882a46...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    02-07-2024 17:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    202f882a46b4f95ef5b3c161fdb00f06_JaffaCakes118.exe

  • Size

    884KB

  • MD5

    202f882a46b4f95ef5b3c161fdb00f06

  • SHA1

    162181178d2f5a3d453e70bf1a369eedd89f103c

  • SHA256

    62e5f86d7df3d239abf531c4f14b5f6e486c34a866e80603b43aa925f8910f75

  • SHA512

    efbd3a74b355a9c7b02a169fd950686a1dafa3e8db5122b6787a65118fe77452d3b3aadc1634ab7a71eb0aa444187694f6000365ab02cbb893c25c330584e80a

  • SSDEEP

    12288:pYV6MorX7qzuC3QHO9FQVHPF51jgcgM751HzqhodTWjaX2IOXF3pWzEXVzJhCWQH:eBXu9HGaVHbHHWaXxQ1pWgZJAnRzl

Score
10/10
hawkeyecollectionkeyloggerspywarestealertrojanupx

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    @Rocking11.

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 7 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 7 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 11 IoCs
  • Drops startup file 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\202f882a46b4f95ef5b3c161fdb00f06_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\202f882a46b4f95ef5b3c161fdb00f06_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1084
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:2732
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
          PID:1888

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab72C2.tmp
      Filesize

      67KB

      MD5

      2d3dcf90f6c99f47e7593ea250c9e749

      SHA1

      51be82be4a272669983313565b4940d4b1385237

      SHA256

      8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

      SHA512

      9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit

    • memory/1084-25-0x0000000074490000-0x0000000074A3B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1084-7-0x0000000000090000-0x0000000000114000-memory.dmp

      Filesize

      528KB

      Download

    • memory/1084-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1084-40-0x0000000074490000-0x0000000074A3B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1084-15-0x0000000000090000-0x0000000000114000-memory.dmp

      Filesize

      528KB

      Download

    • memory/1084-9-0x0000000000090000-0x0000000000114000-memory.dmp

      Filesize

      528KB

      Download

    • memory/1084-16-0x0000000000090000-0x0000000000114000-memory.dmp

      Filesize

      528KB

      Download

    • memory/1084-19-0x0000000074492000-0x0000000074494000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1084-39-0x0000000074492000-0x0000000074494000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1888-31-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

      Download

    • memory/1888-32-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

      Download

    • memory/1888-33-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

      Download

    • memory/1888-38-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2732-26-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2732-27-0x0000000000420000-0x00000000005A1000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2732-29-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2732-24-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2732-22-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2852-0-0x0000000000CE0000-0x0000000000EC5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2852-18-0x0000000000CE0000-0x0000000000EC5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2852-6-0x0000000000220000-0x0000000000221000-memory.dmp

      Filesize

      4KB

      Download