Overview

overview

10

Static

static

9

bdec8865e6...18.exe

windows7-x64

10

bdec8865e6...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bdec8865e624dae2383d2fda11e44078_JaffaCakes118

  • Size

    502KB

  • Sample

    240824-fgc8eawaqr

  • MD5

    bdec8865e624dae2383d2fda11e44078

  • SHA1

    5c01005faaf9a74add894274b58827b73d264d8b

  • SHA256

    a696cac7fa86028b6a11fb1cebc3c2c203818086472511fd9dfa01206b4d8718

  • SHA512

    0ab66a27e866fb35f1e1d319458b2c27676317322c2d33ae4accd251a1033d30d243719228c5e396c7857191d8369166f60b0ff5b70534874735a64a80b0f34f

  • SSDEEP

    6144:OxbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9zHe:OxQtqB5urTIoYWBQk1E+VF9mOx9q

Score
10/10
hawkeyecollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Myname22

Targets

    • Target

      bdec8865e624dae2383d2fda11e44078_JaffaCakes118

    • Size

      502KB

    • MD5

      bdec8865e624dae2383d2fda11e44078

    • SHA1

      5c01005faaf9a74add894274b58827b73d264d8b

    • SHA256

      a696cac7fa86028b6a11fb1cebc3c2c203818086472511fd9dfa01206b4d8718

    • SHA512

      0ab66a27e866fb35f1e1d319458b2c27676317322c2d33ae4accd251a1033d30d243719228c5e396c7857191d8369166f60b0ff5b70534874735a64a80b0f34f

    • SSDEEP

      6144:OxbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9zHe:OxQtqB5urTIoYWBQk1E+VF9mOx9q

    Score
    10/10
    hawkeyecollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks