Overview

overview

10

Static

static

3

3993696c0c...18.exe

windows7-x64

10

3993696c0c...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3993696c0cc918c566ad9c89b5be2593_JaffaCakes118

  • Size

    262KB

  • Sample

    240711-r757natcrg

  • MD5

    3993696c0cc918c566ad9c89b5be2593

  • SHA1

    c119e09a1ab2a2d5aeccc588d0406a4ee5f16f7a

  • SHA256

    7c4bf29e8ed9f775fb2420ca56883196935cd0b6f4ccee62058818034caf8c96

  • SHA512

    9b0d289c69c9d4e93779d1b82e9442f851e1ca2f2fd73e25192c6944cf5f52321509fe9f07553808a59bef5a2c851c384057d3b206045090ffef6b632d129ca5

  • SSDEEP

    6144:tJXQh6uTjQ4rVmh3k4cSbgzsdrVRRetrEpsKHAK3g3UHYTvLRUQSOObAIASgrtH0:fOJcsgHoRIDCzc

Score
10/10
hawkeyekeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    themomentoftruth

Targets

    • Target

      3993696c0cc918c566ad9c89b5be2593_JaffaCakes118

    • Size

      262KB

    • MD5

      3993696c0cc918c566ad9c89b5be2593

    • SHA1

      c119e09a1ab2a2d5aeccc588d0406a4ee5f16f7a

    • SHA256

      7c4bf29e8ed9f775fb2420ca56883196935cd0b6f4ccee62058818034caf8c96

    • SHA512

      9b0d289c69c9d4e93779d1b82e9442f851e1ca2f2fd73e25192c6944cf5f52321509fe9f07553808a59bef5a2c851c384057d3b206045090ffef6b632d129ca5

    • SSDEEP

      6144:tJXQh6uTjQ4rVmh3k4cSbgzsdrVRRetrEpsKHAK3g3UHYTvLRUQSOObAIASgrtH0:fOJcsgHoRIDCzc

    Score
    10/10
    hawkeyekeyloggerpersistencespywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks