Overview

overview

10

Static

static

3

3fecb296c3...18.exe

windows7-x64

10

3fecb296c3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13-07-2024 02:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3fecb296c3d186fe69f9476863a1aa5f_JaffaCakes118.exe

  • Size

    386KB

  • MD5

    3fecb296c3d186fe69f9476863a1aa5f

  • SHA1

    76f97ccd5f68cb11acc7a1191a3f6076403fb1f6

  • SHA256

    e7765ed8df9ebc5a0132c49856ae1219b390069886042ee0b7265f090b85463b

  • SHA512

    2b1330b23e1a7c587f86054a32f2342e0c4ebc0faac578c49f260a46e43c7e99a7a62e08be6d906b69bf13b0a42c7cf82c42a3dd759417ffdedf8f1d3893baee

  • SSDEEP

    6144:wNrEHrktbqIKN4VAOig/xmrpQBfsvOVPJu7qVTXs/tpupqJ+OoaL1ZRGv:rrGzK4dmr6/VPqqhXsF8g4v

Score
10/10
hawkeyeevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Modifies firewall policy service 3 TTPs 8 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fecb296c3d186fe69f9476863a1aa5f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3fecb296c3d186fe69f9476863a1aa5f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
        3⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2120
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2864
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:1796
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Defender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Defender.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2316
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Defender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Defender.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
    Filesize

    84B

    MD5

    5c5c297371f5c67e89d7754a268f2182

    SHA1

    b402bf83e185660c75d183b396f223a4270df545

    SHA256

    c11ae6b9f880131dceff4acd637241c9ec696a57bd69be8c58bb5f130c46d522

    SHA512

    a98ec19e7640f974ee77c4b5002418bc4d2c088dc0a3e54739201fd98d7e14b445e1f5c574bd20f82e77804aa9a0fbd6b97654407b163d339ed0677862594011

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    386KB

    MD5

    3fecb296c3d186fe69f9476863a1aa5f

    SHA1

    76f97ccd5f68cb11acc7a1191a3f6076403fb1f6

    SHA256

    e7765ed8df9ebc5a0132c49856ae1219b390069886042ee0b7265f090b85463b

    SHA512

    2b1330b23e1a7c587f86054a32f2342e0c4ebc0faac578c49f260a46e43c7e99a7a62e08be6d906b69bf13b0a42c7cf82c42a3dd759417ffdedf8f1d3893baee

    Download Submit

  • memory/2352-0-0x0000000074CC1000-0x0000000074CC2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2352-1-0x0000000074CC0000-0x000000007526B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2352-2-0x0000000074CC0000-0x000000007526B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2352-14-0x0000000074CC0000-0x000000007526B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2724-15-0x0000000074CC0000-0x000000007526B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2724-16-0x0000000074CC0000-0x000000007526B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2724-30-0x0000000074CC0000-0x000000007526B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2744-26-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2744-22-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2744-20-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2744-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2744-18-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2744-36-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download