General

  • Target

    e3666ecb82584556a39520ea0e788ccc_JaffaCakes118

  • Size

    1.0MB

  • Sample

    240915-1ejmmathmq

  • MD5

    e3666ecb82584556a39520ea0e788ccc

  • SHA1

    5ef3da4d7acf44376974b903cc50b28763ab9cb7

  • SHA256

    ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8

  • SHA512

    39c2c4aa953522dbf61fd3a3708fab917eeb729b3f851c3e71be6f4e254db215e32d3dc6b44965c106a1cc326a2a6ff84926e64d4978963cefea12ac583e4c42

  • SSDEEP

    12288:DztihczmWgIXa7zeOnMcZ8xIrTalRi5HZMBp+Q4Azten/ibDAPpSNGYcycs9ozpd:DoIK/n9DTalRibMBp+Q4Aen/G

Malware Config

Extracted

Family

hawkeye_reborn

Targets

    • HawkEye Reborn

      HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can steal passwords, product keys, etc.

    • M00nD3v Logger payload

      Detects M00nD3v Logger payload in memory.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15