Malware Analysis Report

2024-09-22 10:48

Sample ID 240727-fcqypsyakj
Target 7717f4dc57fe4ba6ff71c5404318b6b0_JaffaCakes118
SHA256 93b304f118709f87fc7233fea68eeb6471d4eb5bb2c2d81684e1fea1a03e82cf
Tags
discovery hawkeye credential_access keylogger spyware stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

93b304f118709f87fc7233fea68eeb6471d4eb5bb2c2d81684e1fea1a03e82cf

Threat Level: Known bad

The file 7717f4dc57fe4ba6ff71c5404318b6b0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery hawkeye credential_access keylogger spyware stealer trojan

HawkEye

Credentials from Password Stores: Credentials from Web Browsers

Drops file in Drivers directory

Checks computer location settings

Reads local data of messenger clients

Reads data files stored by FTP clients

Executes dropped EXE

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Deletes itself

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-27 04:43

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-07-27 04:43

Reported

2024-07-30 06:24

Platform

win7-20240708-en

Max time kernel

142s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe

"C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe"

Network

N/A

Files

Memory-region dumps (PID 2308) only; no dropped files recorded.

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-27 04:43

Reported

2024-07-30 06:24

Platform

win10v2004-20240709-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe

"C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

Memory-region dumps (PID 856) only; no dropped files recorded.

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-27 04:43

Reported

2024-07-30 06:24

Platform

win7-20240704-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Drops file in Drivers directory

Description: File opened for modification
Indicator: C:\Windows\system32\Drivers\etc\hosts
Process: C:\Users\Admin\AppData\Roaming\Windows Update.exe
Target: N/A

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\Windows Update.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\Windows Update.exe
Target: N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\Windows Update.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\Windows Update.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\Windows Update.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe

"C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 smtp.gmail.com udp
IE 74.125.193.109:587 smtp.gmail.com tcp
IE 74.125.193.109:587 smtp.gmail.com tcp

Files

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 6c4e602268e4b8bd575b7db917e48831
SHA1 870ff297863a9248b5a12339a38328eed6390d13
SHA256 26dbe46819c4271f45c830b3d214e513f9b27722c337ffd76cb2c3a719794740
SHA512 b9a6a9b626b27d5002496fa5ca15307e021e339d18b89dbf2bdf03915a6693feb28100fc7ae8eb946caa7d00057d7a1160a35d26f1ef32515c8b4e0ae12ea71e

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 c356a02c7f1a1918794aef71af9b4b2c
SHA1 6de454586b976a4adafb43de81fe706b0b93a949
SHA256 fae91d54033d51368550f98b10bf7ffc6c54db3a7c2a09c735a3b41f017fd2e7
SHA512 a1c388cc46b6a656f8e116d99568c117279dfb96c322ddaafb4a0a4bb5b9dd208e7fb8a9815c85d1aa988702ccfba419fd5d566f1aa500a486a2fe6e25fc1d5f

Memory-region dumps (PIDs 3064 and 2276): omitted.

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-27 04:43

Reported

2024-07-30 06:24

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Drops file in Drivers directory

Description: File opened for modification
Indicator: C:\Windows\system32\Drivers\etc\hosts
Process: C:\Users\Admin\AppData\Roaming\Windows Update.exe
Target: N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe
Target: N/A

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\Windows Update.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\Windows Update.exe
Target: N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\Windows Update.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\Windows Update.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\Windows Update.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe

"C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 smtp.gmail.com udp
IE 74.125.193.109:587 smtp.gmail.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 109.193.125.74.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
IE 74.125.193.109:587 smtp.gmail.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 6c4e602268e4b8bd575b7db917e48831
SHA1 870ff297863a9248b5a12339a38328eed6390d13
SHA256 26dbe46819c4271f45c830b3d214e513f9b27722c337ffd76cb2c3a719794740
SHA512 b9a6a9b626b27d5002496fa5ca15307e021e339d18b89dbf2bdf03915a6693feb28100fc7ae8eb946caa7d00057d7a1160a35d26f1ef32515c8b4e0ae12ea71e

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 c356a02c7f1a1918794aef71af9b4b2c
SHA1 6de454586b976a4adafb43de81fe706b0b93a949
SHA256 fae91d54033d51368550f98b10bf7ffc6c54db3a7c2a09c735a3b41f017fd2e7
SHA512 a1c388cc46b6a656f8e116d99568c117279dfb96c322ddaafb4a0a4bb5b9dd208e7fb8a9815c85d1aa988702ccfba419fd5d566f1aa500a486a2fe6e25fc1d5f

Memory-region dumps (PIDs 2620 and 1052): omitted.