Malware Analysis Report

2024-09-22 10:48

Sample ID 240712-htye8ashqr
Target 3c66b48677763dc430eab0ff520ea994_JaffaCakes118
SHA256 8b3ace7bcab1a2f43c113d28589fae793f42e08c11f83c7c1d5d9b25b3453cbd
Tags
hawkeye keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8b3ace7bcab1a2f43c113d28589fae793f42e08c11f83c7c1d5d9b25b3453cbd

Threat Level: Known bad

The file 3c66b48677763dc430eab0ff520ea994_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hawkeye keylogger spyware stealer trojan

HawkEye

Deletes itself

Reads data files stored by FTP clients

Reads local data of messenger clients

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-12 07:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-12 07:02

Reported

2024-07-12 07:04

Platform

win7-20240705-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A
File opened for modification | C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | smtp.gmail.com | udp
NL | 142.250.102.108:587 | smtp.gmail.com | tcp
NL | 142.250.102.108:587 | smtp.gmail.com | tcp

Files

memory/2400-0-0x000007FEF698E000-0x000007FEF698F000-memory.dmp

memory/2400-1-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 3c66b48677763dc430eab0ff520ea994
SHA1 943fcdb5200cf00741556744e052923d6c2211eb
SHA256 8b3ace7bcab1a2f43c113d28589fae793f42e08c11f83c7c1d5d9b25b3453cbd
SHA512 395a4308343e27311db4fb8b8849a5cd8b4ed761f56eff09a3c300b6772f09923ca106bddbe27c1fdb35c3aaf7dc2c5478a4cfe035ce55d391a6ba15e272c342

All four digests equal those of the submitted sample (the target name carries the same MD5): the dropped binary is a byte-identical self-copy, not a second-stage payload.

memory/2400-10-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp

memory/3056-11-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp

memory/3056-9-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp

memory/2400-7-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 021defbbbdc6be30f5d0d09dd3298b69
SHA1 a67a796ea5be566a2fc29dda6f43aea254630888
SHA256 f962c3155271ed48f41467d59193723c13ac2e76068736b84d2c5bf201c10829
SHA512 318c9d6a6d4254175832278fd64c7e12285b21a6ab73e6a9ead1d5345d05a8e97f9023b8bdad98945ce17d9b4b1a94d827049b154c0f54ff3d7661c5675c1ad1

memory/3056-15-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp

memory/3056-16-0x0000000000B60000-0x0000000000B82000-memory.dmp

memory/3056-17-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp

memory/3056-18-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp

memory/3056-20-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp

memory/3056-21-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp

memory/3056-22-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp

memory/3056-23-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp
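The Files and Signatures records above support three checks a responder would run on any such detonation: is the dropped binary a self-copy of the sample (same SHA256), was an executable written into the per-user Startup folder, and does a file under the user profile carry the name of a Windows component. The following is an added example in Python, not part of the sandbox report; the paths and hashes are copied from this behavioral1 run, while the list of component names worth flagging is an assumption of the example.

```python
"""Host-side triage of the behavioral1 file records.

Added example, not part of the sandbox report. Inputs are copied from the
Files and Signatures sections above; COMPONENT_NAMES is an assumption.
"""
import ntpath
import re

# Constructed from the report: SHA256 of the submitted sample.
SUBMITTED_SHA256 = "8b3ace7bcab1a2f43c113d28589fae793f42e08c11f83c7c1d5d9b25b3453cbd"

# Constructed from the report: dropped files and their SHA256.
DROPPED_FILES = {
    r"C:\Users\Admin\AppData\Roaming\Windows Update.exe":
        "8b3ace7bcab1a2f43c113d28589fae793f42e08c11f83c7c1d5d9b25b3453cbd",
    r"C:\Users\Admin\AppData\Local\Temp\SysInfo.txt":
        "f962c3155271ed48f41467d59193723c13ac2e76068736b84d2c5bf201c10829",
}

STARTUP_PATH = (r"C:\users\Admin\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\WindowsUpdate.exe")
DROPPER = r"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

# Constructed from the "Drops startup file" rows: (description, indicator, process).
FILE_EVENTS = [
    ("File created", STARTUP_PATH, DROPPER),
    ("File opened for modification", STARTUP_PATH, DROPPER),
]

# Per-user Startup folder: anything executable written here runs at logon.
STARTUP_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
# User-writable profile locations where no Windows component lives.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
# Assumption of this example: component names worth flagging under a user
# profile. Whitespace is stripped before comparison so that both
# "Windows Update.exe" and "WindowsUpdate.exe" match.
COMPONENT_NAMES = {"windowsupdate.exe", "svchost.exe", "explorer.exe", "csrss.exe"}


def self_copies(submitted_sha256, dropped):
    """Dropped files whose SHA256 equals the submitted sample (self-copy persistence)."""
    want = submitted_sha256.lower()
    return sorted(path for path, digest in dropped.items() if digest.lower() == want)


def startup_drops(events):
    """Executables created or modified inside a per-user Startup folder."""
    return sorted({path for _desc, path, _proc in events
                   if STARTUP_RE.search(path) and path.lower().endswith(".exe")})


def lookalike_component_names(paths):
    """Paths under a user profile whose file name imitates a Windows component."""
    hits = set()
    for path in paths:
        name = re.sub(r"\s+", "", ntpath.basename(path)).lower()
        if name in COMPONENT_NAMES and USER_WRITABLE_RE.match(path):
            hits.add(path)
    return sorted(hits)


def triage(submitted_sha256, dropped, events):
    """Combine the three checks into one findings dict for the run."""
    touched = (list(dropped)
               + [path for _d, path, _p in events]
               + [proc for _d, _i, proc in events])
    return {
        "self_copies": self_copies(submitted_sha256, dropped),
        "startup_drops": startup_drops(events),
        "lookalike_names": lookalike_component_names(touched),
    }


if __name__ == "__main__":
    for key, value in triage(SUBMITTED_SHA256, DROPPED_FILES, FILE_EVENTS).items():
        print(key, value)
```

On this run all three checks fire: the Roaming copy hashes identically to the sample, the Startup-folder write is an .exe, and both the dropper and the startup file use a "Windows Update" name under AppData rather than under the Windows directory.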

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-12 07:02

Reported

2024-07-12 07:04

Platform

win10v2004-20240709-en

Max time kernel

96s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A
File created | C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | smtp.gmail.com | udp
NL | 142.250.102.109:587 | smtp.gmail.com | tcp
US | 8.8.8.8:53 | 109.102.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
NL | 142.250.102.109:587 | smtp.gmail.com | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
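Most rows in this table are reverse (in-addr.arpa) lookups, which the sandbox host issues on its own and which carry no information about the sample unless they name one of the sample's own destinations. The following is an added example in Python, not part of the sandbox report, that parses the table above, inverts each PTR name back to an IPv4 address, correlates it with the TCP destinations, and lists connections on mail-submission ports; the table text is copied from this behavioral2 run, and the reading of port 587 traffic as the exfiltration channel is this example's interpretation.

```python
"""Network-table triage for the behavioral2 run.

Added example, not part of the sandbox report. NETWORK_TABLE is copied from
the Network section above; the DNS-noise/endpoint split is this example's.
"""
import ipaddress
from collections import Counter

# Constructed from the report (columns: Country Destination Domain Proto).
NETWORK_TABLE = """\
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 smtp.gmail.com udp
NL 142.250.102.109:587 smtp.gmail.com tcp
US 8.8.8.8:53 109.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
NL 142.250.102.109:587 smtp.gmail.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
"""


def parse_rows(text):
    """Split the four-column table into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, name, proto = parts
        host, sep, port = dest.rpartition(":")
        if not sep or not port.isdigit():
            continue
        rows.append({"country": country, "ip": host, "port": int(port),
                     "name": name, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """Invert an IPv4 reverse-zone name: '109.102.250.142.in-addr.arpa' -> '142.250.102.109'.
    Returns None for anything that is not a well-formed in-addr.arpa name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def is_dns(row):
    return row["proto"] == "udp" and row["port"] == 53


def summarize(rows):
    """Separate DNS from data connections and correlate PTR lookups with destinations."""
    dns = [r for r in rows if is_dns(r)]
    data = [r for r in rows if not is_dns(r)]
    # Forward lookups are names the sample asked for; PTR lookups are the
    # sandbox or OS resolving reverse names and are noise unless they
    # point back at one of the sample's own destinations.
    forward = sorted({r["name"] for r in dns if ptr_to_ip(r["name"]) is None})
    ptr_ips = {ptr_to_ip(r["name"]) for r in dns} - {None}
    endpoints = Counter((r["ip"], r["port"], r["proto"], r["name"]) for r in data)
    dest_ips = {ip for ip, _port, _proto, _name in endpoints}
    return {
        "forward_lookups": forward,
        "endpoints": endpoints,
        "correlated_ptr": sorted(ptr_ips & dest_ips),
        "uncorrelated_ptr": sorted(ptr_ips - dest_ips),
    }


def exfil_candidates(summary):
    """Data connections on mail-submission ports: the likely exfiltration
    channel for a stealer that reports by e-mail (this example's interpretation)."""
    mail_ports = {25, 465, 587}
    return sorted({(ip, port, name) for ip, port, _proto, name in summary["endpoints"]
                   if port in mail_ports})


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_TABLE))
    print("forward lookups:", s["forward_lookups"])
    print("endpoints:", dict(s["endpoints"]))
    print("PTR for own destinations:", s["correlated_ptr"])
    print("exfil candidates:", exfil_candidates(s))
```

Run against this table, the only forward lookup is smtp.gmail.com, the only data connections are two TCP sessions to 142.250.102.109:587, exactly one PTR name (109.102.250.142.in-addr.arpa) inverts to that address, and the remaining eight PTR names are unrelated to anything the sample connected to.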

Files

memory/1668-0-0x00007FFC601C5000-0x00007FFC601C6000-memory.dmp

memory/1668-2-0x000000001C4A0000-0x000000001C96E000-memory.dmp

memory/1668-1-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp

memory/1668-3-0x000000001CA20000-0x000000001CAC6000-memory.dmp

memory/1668-4-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 3c66b48677763dc430eab0ff520ea994
SHA1 943fcdb5200cf00741556744e052923d6c2211eb
SHA256 8b3ace7bcab1a2f43c113d28589fae793f42e08c11f83c7c1d5d9b25b3453cbd
SHA512 395a4308343e27311db4fb8b8849a5cd8b4ed761f56eff09a3c300b6772f09923ca106bddbe27c1fdb35c3aaf7dc2c5478a4cfe035ce55d391a6ba15e272c342

Same digests as the submitted sample and as the Windows 7 run (behavioral1): a byte-identical self-copy.

memory/1668-18-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp

memory/1296-19-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp

memory/1296-20-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp

memory/1296-21-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 021defbbbdc6be30f5d0d09dd3298b69
SHA1 a67a796ea5be566a2fc29dda6f43aea254630888
SHA256 f962c3155271ed48f41467d59193723c13ac2e76068736b84d2c5bf201c10829
SHA512 318c9d6a6d4254175832278fd64c7e12285b21a6ab73e6a9ead1d5345d05a8e97f9023b8bdad98945ce17d9b4b1a94d827049b154c0f54ff3d7661c5675c1ad1

memory/1296-23-0x000000001C3F0000-0x000000001C452000-memory.dmp

memory/1296-26-0x000000001CB10000-0x000000001CBAC000-memory.dmp

memory/1296-27-0x000000001CAB0000-0x000000001CAD2000-memory.dmp

memory/1296-28-0x000000001CF10000-0x000000001CF18000-memory.dmp

memory/1296-29-0x000000001CE60000-0x000000001CEAC000-memory.dmp

memory/1296-30-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp

memory/1296-31-0x00000000201C0000-0x00000000204CE000-memory.dmp

memory/1296-33-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp

memory/1296-34-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp