Extracted

• • Target

    c98606804d45d585bef9fdb0ab5b4559_JaffaCakes118

  • Size

    767KB

  • MD5

    c98606804d45d585bef9fdb0ab5b4559

  • SHA1

    ccdf291cb2ffa5b50b8ca955ee57d1928177b978

  • SHA256

    bd65d6502c07617a523a8ae4c4d7c1acac17edde43cfc9bf8a24c1e814a6f12a

  • SHA512

    0de7032151b00c79caad7fb9013db45fa542fdcb8f8b6472124b30e3efb7e526ff18e911665c22396fb6c4e7c0cf97abff44d76a82401c82d38e6aa3e01a9b8d

  • SSDEEP

    12288:ecAOmcayxcxa1nmK/T76+IDmS3j5ByUs7yIMmI/Jhma8EAKonSiibwwk0v1VQj:eRKJ5maiDm4j5G7EmI/JhJ8ji0RuVQ

  Score

  10^/10

  hawkeye_rebornm00nd3v_loggeragilenetdiscoveryinfostealerkeyloggerpersistencespywarestealertrojan

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • M00nD3v Logger payload

    Detects M00nD3v Logger payload in memory.

    infostealer

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2