Overview

overview

10

Static

static

3

ed039c91cb...18.exe

windows7-x64

10

ed039c91cb...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2024 06:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe

  • Size

    537KB

  • MD5

    ed039c91cbd802016c0052cfb7c7479a

  • SHA1

    f6b0be96bc72960edac79c3d19202ead6741ea35

  • SHA256

    0dd4d407bbb948208a776f1254584bac0ae01fb724cfb7c44b5e46c8496be2ff

  • SHA512

    a79fcb9de2e4a8abc599a26f7644ac7f3c221732d722617d3f02272b42143b24d1eeb553bed5b2644e2aa6968636b1b21ae82a5435934edaa1d51ee50a86ac17

  • SSDEEP

    12288:Q77P4DWh9VWaOP6ExsZzKITASpLpQWBtD:Q778WRTMTsZLE0m

Score
10/10
hawkeyecollectioncredential_accessdiscoveryevasionkeyloggerpersistencespywarestealertrojanupx

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    QGDOUOSDWX

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Detected Nirsoft tools 12 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Users\Admin\AppData\Roaming\Windows Update.exe
      "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\log.txt"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2008
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\log2.txt"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2828
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\log3.txt"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:596
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\log4.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        • System Location Discovery: System Language Discovery
        PID:688
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\log6.txt"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1320
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1464
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Scripting

1
T1064

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
    Filesize

    84B

    MD5

    f61e7f09c54abfca275c880ef9f02cf2

    SHA1

    eb5ff90abaca78e23927bb97a49d08d470735ba9

    SHA256

    d172047b5d885efac6e42afb61aa218cd0c637d0de9b42b3e8dac385f7419b15

    SHA512

    4db37d26c3642d13ac3f145fe48f010e10ee2ea56602b62be7c756833bd37225416d9145b01515317e22cf97919053f5c5bcb817c5ab58d98b84c086128d5352

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\log.txt
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Filesize

    537KB

    MD5

    ed039c91cbd802016c0052cfb7c7479a

    SHA1

    f6b0be96bc72960edac79c3d19202ead6741ea35

    SHA256

    0dd4d407bbb948208a776f1254584bac0ae01fb724cfb7c44b5e46c8496be2ff

    SHA512

    a79fcb9de2e4a8abc599a26f7644ac7f3c221732d722617d3f02272b42143b24d1eeb553bed5b2644e2aa6968636b1b21ae82a5435934edaa1d51ee50a86ac17

    Download Submit

  • memory/596-38-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/596-39-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/596-42-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/596-36-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/596-37-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/688-45-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/688-59-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/688-43-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/688-44-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/688-52-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1320-46-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1320-51-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1320-47-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1320-48-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2008-23-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2008-24-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2008-26-0x0000000000420000-0x0000000000487000-memory.dmp

    Filesize

    412KB

    Download

  • memory/2008-28-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2008-21-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2816-0-0x000000007454E000-0x000000007454F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2816-14-0x0000000074540000-0x0000000074C2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2816-5-0x0000000074540000-0x0000000074C2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2816-4-0x0000000000AC0000-0x0000000000B2A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2816-1-0x0000000001060000-0x00000000010EC000-memory.dmp

    Filesize

    560KB

    Download

  • memory/2828-30-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2828-31-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2828-35-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2828-29-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2836-53-0x00000000003C0000-0x00000000003D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2836-20-0x0000000000300000-0x000000000030A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2836-15-0x0000000001100000-0x000000000118C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/2836-55-0x0000000074540000-0x0000000074C2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2836-16-0x0000000074540000-0x0000000074C2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2836-17-0x0000000074540000-0x0000000074C2E000-memory.dmp

    Filesize

    6.9MB

    Download