General
-
Target
e3666ecb82584556a39520ea0e788ccc_JaffaCakes118
-
Size
1.0MB
-
Sample
240915-1ejmmathmq
-
MD5
e3666ecb82584556a39520ea0e788ccc
-
SHA1
5ef3da4d7acf44376974b903cc50b28763ab9cb7
-
SHA256
ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8
-
SHA512
39c2c4aa953522dbf61fd3a3708fab917eeb729b3f851c3e71be6f4e254db215e32d3dc6b44965c106a1cc326a2a6ff84926e64d4978963cefea12ac583e4c42
-
SSDEEP
12288:DztihczmWgIXa7zeOnMcZ8xIrTalRi5HZMBp+Q4Azten/ibDAPpSNGYcycs9ozpd:DoIK/n9DTalRibMBp+Q4Aen/G
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Targets
-
-
Target
e3666ecb82584556a39520ea0e788ccc_JaffaCakes118
-
Size
1.0MB
-
MD5
e3666ecb82584556a39520ea0e788ccc
-
SHA1
5ef3da4d7acf44376974b903cc50b28763ab9cb7
-
SHA256
ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8
-
SHA512
39c2c4aa953522dbf61fd3a3708fab917eeb729b3f851c3e71be6f4e254db215e32d3dc6b44965c106a1cc326a2a6ff84926e64d4978963cefea12ac583e4c42
-
SSDEEP
12288:DztihczmWgIXa7zeOnMcZ8xIrTalRi5HZMBp+Q4Azten/ibDAPpSNGYcycs9ozpd:DoIK/n9DTalRibMBp+Q4Aen/G
Score10/10-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
M00nD3v Logger payload
Detects M00nD3v Logger payload in memory.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-