Overview

overview

10

Static

static

3

51de2b9486...18.exe

windows7-x64

10

51de2b9486...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-07-2024 06:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51de2b9486f0b8fc4406ac8956a4da2b_JaffaCakes118.exe

  • Size

    608KB

  • MD5

    51de2b9486f0b8fc4406ac8956a4da2b

  • SHA1

    f78be95c8e26a707b927823a0ef6c006e680a22d

  • SHA256

    481e617bf801b26b6fb8edc67ea637b1e9db954c0ee673e9a2bce0071768b929

  • SHA512

    990a9b4ae0dabccb5d94a917da6034a7b23f22173b2fe2c651227f58a31ed3141f112b8b5c3dc30e1ee341c3db3736b947e84d884e95e3dd1953a9d3f9fd1078

  • SSDEEP

    12288:F3Mhue1faMKxXFuK1dCZZ8/Ob6M4gcGrcFyYgWR5:F3RIaxXFuK18Jb6ZSrcs

Score
10/10
hawkeyekeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51de2b9486f0b8fc4406ac8956a4da2b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\51de2b9486f0b8fc4406ac8956a4da2b_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 1500
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2440-0-0x00007FFE29255000-0x00007FFE29256000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2440-1-0x00007FFE28FA0000-0x00007FFE29941000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2440-2-0x000000001C130000-0x000000001C5FE000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2440-3-0x000000001C6B0000-0x000000001C756000-memory.dmp

    Filesize

    664KB

    Download

  • memory/2440-4-0x000000001C760000-0x000000001C7E0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2440-5-0x000000001CBD0000-0x000000001CC6C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2440-7-0x00007FFE28FA0000-0x00007FFE29941000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2440-6-0x000000001C7F0000-0x000000001C7F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2440-16-0x00007FFE28FA0000-0x00007FFE29941000-memory.dmp

    Filesize

    9.6MB

    Download