General

  • Target

    dca096179c1256a5c48cc8c186ae0220_JaffaCakes118

  • Size

    987KB

  • Sample

    240912-t555zstfqq

  • MD5

    dca096179c1256a5c48cc8c186ae0220

  • SHA1

    3da93b69882afe8aae7ed2a3e821969b658988f5

  • SHA256

    11204b672adbb37a18c65e284229c0f15d98100c8d530d93bc2aa46913373e5c

  • SHA512

    0d4845a3c5d5593f2296b50a056313c8b8aa9cdb849a424c01be55265328599b346f130c19ef4e82fb03afbcdc7648d9a860a84da2a8b845927d830c5d379cab

  • SSDEEP

    24576:GQERRRRRRRRRRRRRRRRRRRRtbperrOUj6k7ZqC301+jTMoKF4LnRwAjfhd1KY9ae:GQERRRRRRRRRRRRRRRRRRRRtFk7ZxFj3

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Detected Nirsoft tools

      Free utilities, often abused by attackers, that can recover passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15