Overview

overview

10

Static

static

3

ed039c91cb...18.exe

windows7-x64

10

ed039c91cb...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2024 06:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe

  • Size

    537KB

  • MD5

    ed039c91cbd802016c0052cfb7c7479a

  • SHA1

    f6b0be96bc72960edac79c3d19202ead6741ea35

  • SHA256

    0dd4d407bbb948208a776f1254584bac0ae01fb724cfb7c44b5e46c8496be2ff

  • SHA512

    a79fcb9de2e4a8abc599a26f7644ac7f3c221732d722617d3f02272b42143b24d1eeb553bed5b2644e2aa6968636b1b21ae82a5435934edaa1d51ee50a86ac17

  • SSDEEP

    12288:Q77P4DWh9VWaOP6ExsZzKITASpLpQWBtD:Q778WRTMTsZLE0m

Score
10/10
hawkeyecollectioncredential_accessdiscoveryevasionkeyloggerpersistencespywarestealertrojanupx

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    QGDOUOSDWX

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Detected Nirsoft tools 11 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Roaming\Windows Update.exe
      "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:460
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\log.txt"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:60
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\log2.txt"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2748
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\log3.txt"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4572
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\log4.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        • System Location Discovery: System Language Discovery
        PID:1060
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\log6.txt"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1704
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Scripting

1
T1064

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
    Filesize

    84B

    MD5

    f61e7f09c54abfca275c880ef9f02cf2

    SHA1

    eb5ff90abaca78e23927bb97a49d08d470735ba9

    SHA256

    d172047b5d885efac6e42afb61aa218cd0c637d0de9b42b3e8dac385f7419b15

    SHA512

    4db37d26c3642d13ac3f145fe48f010e10ee2ea56602b62be7c756833bd37225416d9145b01515317e22cf97919053f5c5bcb817c5ab58d98b84c086128d5352

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\log.txt
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Filesize

    537KB

    MD5

    ed039c91cbd802016c0052cfb7c7479a

    SHA1

    f6b0be96bc72960edac79c3d19202ead6741ea35

    SHA256

    0dd4d407bbb948208a776f1254584bac0ae01fb724cfb7c44b5e46c8496be2ff

    SHA512

    a79fcb9de2e4a8abc599a26f7644ac7f3c221732d722617d3f02272b42143b24d1eeb553bed5b2644e2aa6968636b1b21ae82a5435934edaa1d51ee50a86ac17

    Download Submit

  • memory/60-28-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/60-31-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/60-33-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/60-35-0x0000000000420000-0x00000000004E9000-memory.dmp

    Filesize

    804KB

    Download

  • memory/60-37-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/460-24-0x0000000074E70000-0x0000000075620000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/460-58-0x0000000006590000-0x00000000065A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/460-68-0x0000000074E70000-0x0000000075620000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/460-66-0x0000000006840000-0x0000000006896000-memory.dmp

    Filesize

    344KB

    Download

  • memory/460-27-0x0000000005650000-0x000000000565A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/460-65-0x00000000061F0000-0x00000000061FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/460-23-0x0000000074E70000-0x0000000075620000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1060-47-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1060-53-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1060-49-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1060-48-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1704-55-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1704-63-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1704-60-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1704-59-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2292-8-0x0000000005B50000-0x0000000005BE2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2292-7-0x0000000006020000-0x00000000065C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2292-1-0x0000000000D20000-0x0000000000DAC000-memory.dmp

    Filesize

    560KB

    Download

  • memory/2292-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-22-0x0000000074E70000-0x0000000075620000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2292-2-0x0000000005740000-0x00000000057DC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2292-3-0x0000000074E70000-0x0000000075620000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2292-6-0x0000000005810000-0x000000000587A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2748-40-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2748-44-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2748-32-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2748-38-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4572-45-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4572-50-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4572-43-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4572-46-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4572-57-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download