Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
26-09-2024 04:46
Static task
static1
Behavioral task
behavioral1
Sample
f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe
-
Size
949KB
-
MD5
f7978d432d1f4d99ad24568643704f88
-
SHA1
fd86eb0f4a592d6be7200191aaa705592a4f631f
-
SHA256
6d4075cae42df68f5e06799b799c60ecfccff4794277c67b00bc9009b3faf1e4
-
SHA512
3ff3ba2b4c8e6cc282ff79255ec228386e48dc5f7d45208ba30a338992e46a1e72afc7d3f96d1b61ac4cbdbb8687f646cfdb95394873135386ca4f7dab38305b
-
SSDEEP
12288:knWwI/AJjDTKTCGlZBBx1Vtl9Hx2hsAuyLdyrUNzYweqNoCoOL2VjA05e/hMXRY6:kWwZxKGon31Vtl3OsnWbu4plkPcYxG
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Detected Nirsoft tools 1 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes:
resource yara_rule behavioral2/memory/2468-13-0x0000000007600000-0x0000000007676000-memory.dmp Nirsoft -
Processes:
resource yara_rule behavioral2/memory/2468-10-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/2468-13-0x0000000007600000-0x0000000007676000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/2468-13-0x0000000007600000-0x0000000007676000-memory.dmp WebBrowserPassView -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral2/memory/4196-6-0x0000000004C50000-0x0000000004C6A000-memory.dmp agile_net -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 44 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exedescription pid process target process PID 4196 set thread context of 2468 4196 f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exef7978d432d1f4d99ad24568643704f88_JaffaCakes118.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exepid process 4196 f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exef7978d432d1f4d99ad24568643704f88_JaffaCakes118.exedescription pid process Token: SeDebugPrivilege 4196 f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe Token: SeDebugPrivilege 2468 f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exedescription pid process target process PID 4196 wrote to memory of 2468 4196 f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe PID 4196 wrote to memory of 2468 4196 f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe PID 4196 wrote to memory of 2468 4196 f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe PID 4196 wrote to memory of 2468 4196 f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe PID 4196 wrote to memory of 2468 4196 f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe PID 4196 wrote to memory of 2468 4196 f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe PID 4196 wrote to memory of 2468 4196 f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe PID 4196 wrote to memory of 2468 4196 f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Users\Admin\AppData\Local\Temp\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2468
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe.logFilesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
memory/2468-10-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/2468-20-0x0000000074640000-0x0000000074DF0000-memory.dmpFilesize
7.7MB
-
memory/2468-17-0x00000000052F0000-0x0000000005356000-memory.dmpFilesize
408KB
-
memory/2468-16-0x0000000074640000-0x0000000074DF0000-memory.dmpFilesize
7.7MB
-
memory/2468-14-0x0000000074640000-0x0000000074DF0000-memory.dmpFilesize
7.7MB
-
memory/2468-13-0x0000000007600000-0x0000000007676000-memory.dmpFilesize
472KB
-
memory/2468-11-0x0000000074640000-0x0000000074DF0000-memory.dmpFilesize
7.7MB
-
memory/4196-4-0x00000000049E0000-0x00000000049EA000-memory.dmpFilesize
40KB
-
memory/4196-9-0x0000000074640000-0x0000000074DF0000-memory.dmpFilesize
7.7MB
-
memory/4196-8-0x000000007464E000-0x000000007464F000-memory.dmpFilesize
4KB
-
memory/4196-7-0x0000000004F70000-0x000000000500C000-memory.dmpFilesize
624KB
-
memory/4196-6-0x0000000004C50000-0x0000000004C6A000-memory.dmpFilesize
104KB
-
memory/4196-5-0x0000000074640000-0x0000000074DF0000-memory.dmpFilesize
7.7MB
-
memory/4196-15-0x0000000074640000-0x0000000074DF0000-memory.dmpFilesize
7.7MB
-
memory/4196-0-0x000000007464E000-0x000000007464F000-memory.dmpFilesize
4KB
-
memory/4196-3-0x0000000004A60000-0x0000000004AF2000-memory.dmpFilesize
584KB
-
memory/4196-2-0x0000000005010000-0x00000000055B4000-memory.dmpFilesize
5.6MB
-
memory/4196-1-0x0000000000080000-0x0000000000174000-memory.dmpFilesize
976KB