Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/09/2024, 21:33 UTC

General

  • Target

    e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    e3666ecb82584556a39520ea0e788ccc

  • SHA1

    5ef3da4d7acf44376974b903cc50b28763ab9cb7

  • SHA256

    ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8

  • SHA512

    39c2c4aa953522dbf61fd3a3708fab917eeb729b3f851c3e71be6f4e254db215e32d3dc6b44965c106a1cc326a2a6ff84926e64d4978963cefea12ac583e4c42

  • SSDEEP

    12288:DztihczmWgIXa7zeOnMcZ8xIrTalRi5HZMBp+Q4Azten/ibDAPpSNGYcycs9ozpd:DoIK/n9DTalRibMBp+Q4Aen/G

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

  • Detected Nirsoft tools 1 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • M00nD3v Logger payload 10 IoCs

    Detects M00nD3v Logger payload in memory.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.exe" -n
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.lnk" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.lnk" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2208
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1656
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2912
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3060
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1508
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1476
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1044
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2496
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3008
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2916
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2060
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:444
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1100
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1040
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2724
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:980

Network

  • US  8.8.8.8:53  DNS  bot.whatismyipaddress.com
    Process: MSBuild.exe
    Remote address: 8.8.8.8:53
    Request: bot.whatismyipaddress.com IN A
    Response: No results found
  • 8.8.8.8:53  bot.whatismyipaddress.com  dns  MSBuild.exe
    71 B sent, 130 B received, 1 packet each way

    DNS Request

    bot.whatismyipaddress.com
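
The three behaviours the process tree and the DNS capture above record (a RunOnce value pointing at a .lnk under AppData\Roaming, windows.exe starting RegAsm.exe and MSBuild.exe with no arguments before WriteProcessMemory and SetThreadContext, and MSBuild.exe resolving bot.whatismyipaddress.com) can each be turned into a host-log check. The following is an added example, not code from the report or from the sandbox's tooling. It runs over constructed Sysmon-style events that reproduce the entries above; the extra host binaries (regsvcs.exe, installutil.exe) and extra IP-lookup domains are assumptions, and the devenv.exe event is a made-up benign control.

```python
# Detection checks for RunOnce .lnk persistence, bare .NET hosts started for
# injection, and external-IP lookups, run over constructed Sysmon-style events.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Event:
    """Reduced Sysmon event: EID 1 (process), EID 13 (registry set) or EID 22 (DNS)."""
    kind: str
    image: str = ""
    parent_image: str = ""
    command_line: str = ""
    target_object: str = ""   # EID 13: full registry value path
    details: str = ""         # EID 13: data written
    query_name: str = ""      # EID 22: name queried


# RegAsm.exe and MSBuild.exe are the hosts in the process tree above; the other
# two are assumed additions abused the same way by other .NET loaders.
HOLLOW_HOSTS = {"regasm.exe", "msbuild.exe", "regsvcs.exe", "installutil.exe"}
# bot.whatismyipaddress.com is the one domain in the DNS capture above; the
# rest are assumed, commonly used equivalents.
IP_LOOKUP_DOMAINS = {"bot.whatismyipaddress.com", "api.ipify.org", "checkip.dyndns.org"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Users\\Public|ProgramData)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_reg_add(cmd: str) -> Optional[Tuple[str, str, str]]:
    """Return (key, value_name, data) from a 'reg add' command line, possibly
    behind 'cmd /c'; None if the line is not a reg add."""
    toks = split_cmdline(cmd)
    low = [t.lower() for t in toks]
    for i, t in enumerate(low):
        if basename(t) in ("reg", "reg.exe") and i + 2 < len(toks) and low[i + 1] == "add":
            key, rest = toks[i + 2], toks[i + 3:]
            break
    else:
        return None
    value_name = data = ""
    for j, opt in enumerate(rest[:-1]):      # rest[j + 1] always exists here
        if opt.lower() == "/v":
            value_name = rest[j + 1]
        elif opt.lower() == "/d":
            data = rest[j + 1]
    return key, value_name, data


def check_run_key(ev: Event) -> List[str]:
    """Run/RunOnce value whose data is a .lnk or lives in a user-writable path."""
    if ev.kind == "registry":
        key, _, value_name = ev.target_object.rpartition("\\")
        data = ev.details
    elif ev.kind == "process":
        parsed = parse_reg_add(ev.command_line)
        if parsed is None:
            return []
        key, value_name, data = parsed
    else:
        return []
    if not RUN_KEY_RE.search(key):
        return []
    if data.lower().endswith(".lnk") or USER_WRITABLE_RE.search(data):
        return [f"run-key persistence: {key}\\{value_name} -> {data}"]
    return []


def check_hollow_host(ev: Event) -> List[str]:
    """A .NET framework host started with no arguments by a parent outside the
    Windows / Program Files trees: the shape of windows.exe spawning bare
    RegAsm.exe and MSBuild.exe before writing into them."""
    if ev.kind != "process" or basename(ev.image) not in HOLLOW_HOSTS:
        return []
    has_args = len(split_cmdline(ev.command_line)) > 1
    trusted_parent = ev.parent_image.lower().startswith(("c:\\windows\\", "c:\\program files"))
    if not has_args and not trusted_parent:
        return [f"possible hollowed host: {basename(ev.image)} started bare by {ev.parent_image}"]
    return []


def check_ip_lookup(ev: Event) -> List[str]:
    if ev.kind == "dns" and ev.query_name.lower() in IP_LOOKUP_DOMAINS:
        return [f"external IP lookup: {basename(ev.image)} queried {ev.query_name}"]
    return []


CHECKS = (check_run_key, check_hollow_host, check_ip_lookup)


def triage(events: List[Event]) -> List[str]:
    return [hit for ev in events for check in CHECKS for hit in check(ev)]


# Constructed events mirroring the process tree and DNS capture above, plus a
# benign control (a build started from devenv.exe with a project argument).
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\SysWOW64\reg.exe", parent_image=r"C:\Windows\SysWOW64\cmd.exe",
          command_line=r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" '
                       r'/v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.lnk" /f'),
    Event("process", image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
          parent_image=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.exe",
          command_line=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'),
    Event("dns", image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
          query_name="bot.whatismyipaddress.com"),
    Event("process", image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
          parent_image=r"C:\Program Files (x86)\Microsoft Visual Studio\Common7\IDE\devenv.exe",
          command_line=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" app.csproj /t:Build'),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Two details of the tree above matter for matching. The dropper is 32-bit (x86 Framework path, not Framework64), so its child cmd.exe is recorded under SysWOW64 even though the command line names System32; match on the image basename, not the full path. And the RunOnce value points at a .lnk rather than an executable, so a hunt that only inspects .exe paths in autostart values misses it; the link's target is not shown on this page and would have to be resolved on the host.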

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.exe

    Filesize

    1.0MB

    MD5

    e3666ecb82584556a39520ea0e788ccc

    SHA1

    5ef3da4d7acf44376974b903cc50b28763ab9cb7

    SHA256

    ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8

    SHA512

    39c2c4aa953522dbf61fd3a3708fab917eeb729b3f851c3e71be6f4e254db215e32d3dc6b44965c106a1cc326a2a6ff84926e64d4978963cefea12ac583e4c42

  • memory/1508-85-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/1656-30-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1656-34-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1656-35-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1656-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1656-33-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1656-26-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1656-28-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1656-24-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2672-3-0x00000000047A0000-0x000000000484A000-memory.dmp

    Filesize

    680KB

  • memory/2672-0-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

    Filesize

    4KB

  • memory/2672-14-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

  • memory/2672-2-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

  • memory/2672-1-0x0000000010150000-0x0000000010258000-memory.dmp

    Filesize

    1.0MB

  • memory/2700-21-0x0000000000720000-0x000000000073A000-memory.dmp

    Filesize

    104KB

  • memory/2700-22-0x0000000000720000-0x0000000000734000-memory.dmp

    Filesize

    80KB

  • memory/2700-17-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

  • memory/2700-15-0x0000000010C90000-0x0000000010D98000-memory.dmp

    Filesize

    1.0MB

  • memory/2700-16-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

  • memory/2700-58-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

  • memory/2700-57-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

  • memory/2912-55-0x0000000000110000-0x00000000001A0000-memory.dmp

    Filesize

    576KB

  • memory/2912-46-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/2912-40-0x0000000000110000-0x00000000001A0000-memory.dmp

    Filesize

    576KB

  • memory/2912-51-0x0000000000110000-0x00000000001A0000-memory.dmp

    Filesize

    576KB

  • memory/2912-42-0x0000000000110000-0x00000000001A0000-memory.dmp

    Filesize

    576KB

  • memory/2912-56-0x0000000001E90000-0x0000000001F06000-memory.dmp

    Filesize

    472KB

  • memory/2912-44-0x0000000000110000-0x00000000001A0000-memory.dmp

    Filesize

    576KB

  • memory/2912-47-0x0000000000110000-0x00000000001A0000-memory.dmp

    Filesize

    576KB

  • memory/2912-38-0x0000000000110000-0x00000000001A0000-memory.dmp

    Filesize

    576KB

  • memory/3008-151-0x0000000000080000-0x0000000000110000-memory.dmp

    Filesize

    576KB

  • memory/3060-74-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/3060-70-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/3060-72-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/3060-71-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB
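
The memory-dump list above is flat and repetitive, but its artifact names carry the PID and the address range, and grouping by those shows which processes received which regions. The following is an added example, not part of the report or of the sandbox's tooling: it parses a subset of the entries above (constructed here as name/Filesize pairs), checks each reported Filesize against the range in the name, and groups the ranges per PID using the PID-to-image mapping from the process tree.

```python
# Group the memory-dump artifacts above by PID and address range, and
# cross-check each reported Filesize against the range in the artifact name.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# PID -> image, taken from the process tree above.
PID_IMAGE = {2672: "e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe", 2700: "windows.exe",
             1656: "RegAsm.exe", 1508: "MSBuild.exe", 2912: "MSBuild.exe",
             3008: "MSBuild.exe", 3060: "MSBuild.exe"}

# Subset of the dump artifacts listed above, as (name, reported Filesize) pairs.
DUMPS = [
    ("memory/1508-85-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp", "4KB"),
    ("memory/1656-24-0x0000000000400000-0x0000000000408000-memory.dmp", "32KB"),
    ("memory/1656-30-0x0000000000400000-0x0000000000408000-memory.dmp", "32KB"),
    ("memory/2672-1-0x0000000010150000-0x0000000010258000-memory.dmp", "1.0MB"),
    ("memory/2672-2-0x0000000073F20000-0x000000007460E000-memory.dmp", "6.9MB"),
    ("memory/2672-3-0x00000000047A0000-0x000000000484A000-memory.dmp", "680KB"),
    ("memory/2700-21-0x0000000000720000-0x000000000073A000-memory.dmp", "104KB"),
    ("memory/2912-38-0x0000000000110000-0x00000000001A0000-memory.dmp", "576KB"),
    ("memory/2912-40-0x0000000000110000-0x00000000001A0000-memory.dmp", "576KB"),
    ("memory/2912-56-0x0000000001E90000-0x0000000001F06000-memory.dmp", "472KB"),
    ("memory/3008-151-0x0000000000080000-0x0000000000110000-memory.dmp", "576KB"),
    ("memory/3060-74-0x0000000000400000-0x0000000000490000-memory.dmp", "576KB"),
]

Region = Tuple[int, int]


def parse_dump_name(name: str) -> Tuple[int, int, int, int]:
    """Return (pid, sequence, start, end) from an artifact name."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump artifact: {name}")
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def size_label(nbytes: int) -> str:
    """Reproduce the report's Filesize rounding: whole KB below 1 MiB, else MB to one decimal."""
    if nbytes < 1 << 20:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def regions_by_pid(dumps) -> Dict[int, Dict[Region, List[int]]]:
    """{pid: {(start, end): [sequence numbers dumped for that range]}}.
    Raises if a reported Filesize disagrees with the address range."""
    out: Dict[int, Dict[Region, List[int]]] = defaultdict(lambda: defaultdict(list))
    for name, label in dumps:
        pid, seq, start, end = parse_dump_name(name)
        if size_label(end - start) != label:
            raise ValueError(f"{name}: range is {size_label(end - start)}, report says {label}")
        out[pid][(start, end)].append(seq)
    return out


def summary(dumps) -> List[Tuple[int, str, str, str, int]]:
    """One row per (pid, range): pid, image, range, size, number of dumps taken of it."""
    rows = []
    for pid, regions in sorted(regions_by_pid(dumps).items()):
        for (start, end), seqs in sorted(regions.items()):
            rows.append((pid, PID_IMAGE.get(pid, "?"), f"0x{start:08X}-0x{end:08X}",
                         size_label(end - start), len(seqs)))
    return rows


def pids_with_region_size(dumps, label: str) -> List[int]:
    """PIDs in which a dumped range of exactly this reported size appears."""
    return sorted({pid for pid, regions in regions_by_pid(dumps).items()
                   for (start, end) in regions if size_label(end - start) == label})


if __name__ == "__main__":
    for row in summary(DUMPS):
        print("%5d  %-50s  %-21s  %6s  x%d" % row)
    print("576KB region seen in PIDs:", pids_with_region_size(DUMPS, "576KB"))
```

Grouped this way, the list shows one 576KB range in each MSBuild.exe host that received a dump (PIDs 2912, 3008 and 3060), each at a different base, while RegAsm.exe (1656) only ever has the 32KB range at 0x400000 dumped repeatedly. Those same-sized regions in the hollowed hosts are the first candidates to pull when looking for the in-memory payload the M00nD3v Logger signature fired on.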
