Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/09/2024, 04:46 UTC

General

  • Target

    f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe

  • Size

    949KB

  • MD5

    f7978d432d1f4d99ad24568643704f88

  • SHA1

    fd86eb0f4a592d6be7200191aaa705592a4f631f

  • SHA256

    6d4075cae42df68f5e06799b799c60ecfccff4794277c67b00bc9009b3faf1e4

  • SHA512

    3ff3ba2b4c8e6cc282ff79255ec228386e48dc5f7d45208ba30a338992e46a1e72afc7d3f96d1b61ac4cbdbb8687f646cfdb95394873135386ca4f7dab38305b

  • SSDEEP

    12288:knWwI/AJjDTKTCGlZBBx1Vtl9Hx2hsAuyLdyrUNzYweqNoCoOL2VjA05e/hMXRY6:kWwZxKGon31Vtl3OsnWbu4plkPcYxG

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

  • Detected Nirsoft tools 1 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • M00nD3v Logger payload 1 IoCs

    Detects M00nD3v Logger payload in memory.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe  (PID 4196, tree level 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe"
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe  (PID 2468, tree level 2, child of PID 4196)
      Command line: "C:\Users\Admin\AppData\Local\Temp\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe"
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
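The parent (PID 4196) shows both SetThreadContext and WriteProcessMemory and spawns a second copy of its own image (PID 2468) that shows neither. That is the API pattern of process hollowing: create a child (typically suspended), overwrite its memory with WriteProcessMemory, and redirect the main thread with SetThreadContext. The script below is an added example, not code from this report or from the sandbox, that encodes this heuristic over the process tree above. The Proc record and its field names are this script's own, and the two process entries are transcribed from the tree.

```python
"""Heuristic for process hollowing / self-injection over a sandbox process tree.

Added example, not part of the report. The Proc schema is this script's own;
PROCS is transcribed from the report's "Processes" section.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Proc:
    pid: int
    image: str
    signals: List[str]          # signature names the sandbox attached to this process
    parent: Optional[int] = None


EXE = r"C:\Users\Admin\AppData\Local\Temp\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe"

# Transcribed from the report (two processes, same image, parent -> child).
PROCS = [
    Proc(4196, EXE, [
        "Suspicious use of SetThreadContext",
        "System Location Discovery: System Language Discovery",
        "Suspicious behavior: EnumeratesProcesses",
        "Suspicious use of AdjustPrivilegeToken",
        "Suspicious use of WriteProcessMemory",
    ]),
    Proc(2468, EXE, [
        "System Location Discovery: System Language Discovery",
        "Suspicious use of AdjustPrivilegeToken",
    ], parent=4196),
]

# The injector side of hollowing needs both: write the new image, then retarget the thread.
INJECTION_APIS = ("WriteProcessMemory", "SetThreadContext")


def _apis_seen(proc: Proc) -> set:
    """Which injection APIs the sandbox flagged on this process (substring match on signal names)."""
    return {api for api in INJECTION_APIS if any(api in s for s in proc.signals)}


def hollowing_candidates(procs: List[Proc]):
    """Return (parent_pid, child_pid, reasons) for every child whose parent shows the
    injector side of process hollowing (both APIs) while the child itself shows neither.

    Re-executing the parent's own image is reported as an extra reason, not a requirement:
    hollowing into a different, unrelated image is just as common."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.parent) if child.parent is not None else None
        if parent is None:
            continue
        parent_apis, child_apis = _apis_seen(parent), _apis_seen(child)
        if parent_apis != set(INJECTION_APIS) or child_apis:
            continue  # parent is not a full injector, or child is itself injecting
        reasons = [
            f"parent {parent.pid} used {' and '.join(sorted(parent_apis))}",
            f"child {child.pid} shows neither API (the target, not the injector)",
        ]
        if child.image.lower() == parent.image.lower():
            reasons.append("child re-executes the parent's same image")
        hits.append((parent.pid, child.pid, reasons))
    return hits


if __name__ == "__main__":
    for ppid, cpid, why in hollowing_candidates(PROCS):
        print(f"hollowing candidate: {ppid} -> {cpid}")
        for r in why:
            print("  -", r)
```

A parent that only calls WriteProcessMemory (debuggers and some installers do) is deliberately not flagged; the retargeting of the thread is what separates hollowing from ordinary cross-process writes.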

Network

DNS queries (all sent to 8.8.8.8:53, geolocated US; the "Response" field is empty for every entry on the page)

  Query                           Type   Attributed to process
  154.239.44.20.in-addr.arpa      PTR    (none)
  172.210.232.199.in-addr.arpa    PTR    (none)
  75.159.190.20.in-addr.arpa      PTR    (none)
  58.55.71.13.in-addr.arpa        PTR    (none)
  50.23.12.20.in-addr.arpa        PTR    (none)
  15.164.165.52.in-addr.arpa      PTR    (none)
  172.214.232.199.in-addr.arpa    PTR    (none)
  bot.whatismyipaddress.com       A      f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe
  19.229.111.52.in-addr.arpa      PTR    (none)
  • 52.111.229.43:443
    322 B
    7
  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    75.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    75.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    bot.whatismyipaddress.com
    dns
    f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe
    71 B
    130 B
    1
    1

    DNS Request

    bot.whatismyipaddress.com

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa
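Only one query in this capture is attributed to the sample: the A lookup of bot.whatismyipaddress.com, which matches the "Looks up external IP address via web service" signature. The PTR lookups carry no process attribution on the page and resolve Microsoft-range addresses, so they are best treated as background noise until attributed. The script below is an added example, not code from this report or the sandbox, that performs that separation over the records above: it reverses in-addr.arpa names back into IPv4 addresses, splits attributed from unattributed queries, and flags lookups of public "what is my IP" services. DNS_RECORDS is transcribed from the table; IP_ECHO_SERVICES is this script's own short list and an assumption to extend per environment.

```python
"""Triage the DNS traffic of a sandbox run.

Added example, not part of the report. DNS_RECORDS is transcribed from the
Network section; IP_ECHO_SERVICES is a hand-picked list (assumption).
"""
import ipaddress
import re

SAMPLE = "f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe"

# (query name, record type, process the sandbox attributed the query to, or None)
DNS_RECORDS = [
    ("154.239.44.20.in-addr.arpa", "PTR", None),
    ("172.210.232.199.in-addr.arpa", "PTR", None),
    ("75.159.190.20.in-addr.arpa", "PTR", None),
    ("58.55.71.13.in-addr.arpa", "PTR", None),
    ("50.23.12.20.in-addr.arpa", "PTR", None),
    ("15.164.165.52.in-addr.arpa", "PTR", None),
    ("172.214.232.199.in-addr.arpa", "PTR", None),
    ("bot.whatismyipaddress.com", "A", SAMPLE),
    ("19.229.111.52.in-addr.arpa", "PTR", None),
]

# Assumption: public external-IP echo endpoints commonly contacted by stealers.
IP_ECHO_SERVICES = {
    "whatismyipaddress.com", "api.ipify.org", "icanhazip.com",
    "checkip.dyndns.org", "ifconfig.me", "ip-api.com",
}

_PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def ptr_to_ipv4(name: str):
    """Turn an in-addr.arpa name back into dotted-quad form.

    Returns None for anything that is not a valid IPv4 PTR name, including
    octets above 255 (ipaddress rejects those)."""
    m = _PTR_RE.match(name)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:
        return None


def is_ip_echo_service(host: str) -> bool:
    """Exact or subdomain match against IP_ECHO_SERVICES (case-insensitive, trailing dot tolerated)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in IP_ECHO_SERVICES)


def triage_dns(records):
    """Split records into: queries attributed to a process, IPs behind unattributed
    PTR lookups (background candidates), and any external-IP discovery lookups."""
    out = {"attributed": [], "background_ptr_targets": [], "ip_echo_lookups": []}
    for query, rtype, proc in records:
        ip = ptr_to_ipv4(query)
        if proc is not None:
            out["attributed"].append((query, rtype, proc))
        elif ip is not None:
            out["background_ptr_targets"].append(ip)
        if is_ip_echo_service(query):
            out["ip_echo_lookups"].append((query, proc))
    return out


if __name__ == "__main__":
    result = triage_dns(DNS_RECORDS)
    for key, rows in result.items():
        print(key)
        for row in rows:
            print("  ", row)
```

The PTR reversal matters for hunting: a PTR name like 19.229.111.52.in-addr.arpa is the address 52.111.229.19, which is what you would pivot on in proxy or flow logs, not the arpa string.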

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe.log
    Filesize  1KB
    MD5       8ec831f3e3a3f77e4a7b9cd32b48384c
    SHA1      d83f09fd87c5bd86e045873c231c14836e76a05c
    SHA256    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
    SHA512    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

  Memory dumps (sorted by PID and dump index; name format memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp)

  • memory/4196-0-0x000000007464E000-0x000000007464F000-memory.dmp    Filesize 4KB
  • memory/4196-1-0x0000000000080000-0x0000000000174000-memory.dmp    Filesize 976KB
  • memory/4196-2-0x0000000005010000-0x00000000055B4000-memory.dmp    Filesize 5.6MB
  • memory/4196-3-0x0000000004A60000-0x0000000004AF2000-memory.dmp    Filesize 584KB
  • memory/4196-4-0x00000000049E0000-0x00000000049EA000-memory.dmp    Filesize 40KB
  • memory/4196-5-0x0000000074640000-0x0000000074DF0000-memory.dmp    Filesize 7.7MB
  • memory/4196-6-0x0000000004C50000-0x0000000004C6A000-memory.dmp    Filesize 104KB
  • memory/4196-7-0x0000000004F70000-0x000000000500C000-memory.dmp    Filesize 624KB
  • memory/4196-8-0x000000007464E000-0x000000007464F000-memory.dmp    Filesize 4KB
  • memory/4196-9-0x0000000074640000-0x0000000074DF0000-memory.dmp    Filesize 7.7MB
  • memory/4196-15-0x0000000074640000-0x0000000074DF0000-memory.dmp   Filesize 7.7MB
  • memory/2468-10-0x0000000000400000-0x0000000000490000-memory.dmp   Filesize 576KB
  • memory/2468-11-0x0000000074640000-0x0000000074DF0000-memory.dmp   Filesize 7.7MB
  • memory/2468-13-0x0000000007600000-0x0000000007676000-memory.dmp   Filesize 472KB
  • memory/2468-14-0x0000000074640000-0x0000000074DF0000-memory.dmp   Filesize 7.7MB
  • memory/2468-16-0x0000000074640000-0x0000000074DF0000-memory.dmp   Filesize 7.7MB
  • memory/2468-17-0x00000000052F0000-0x0000000005356000-memory.dmp   Filesize 408KB
  • memory/2468-20-0x0000000074640000-0x0000000074DF0000-memory.dmp   Filesize 7.7MB
