General
-
Target
31fff390b4cc19f4ca8d02f144a83b57_JaffaCakes118
-
Size
1.7MB
-
Sample
241010-1z9pjsvamm
-
MD5
31fff390b4cc19f4ca8d02f144a83b57
-
SHA1
acb9c42c46abf42d45e05625ccd398a44a114d7b
-
SHA256
a6b6337806bf52b04474c98ed8b0051d8b1949c11755966d233bf60854505583
-
SHA512
9383ec427243058b82fffda7e4f9ec733cb9baae06cb6aafa97a66aa39c65454c423a33e65a265127eb2c6fa3d4c0cbeae3e3fc8b379ab4a1f0806ac5c7ecf14
-
SSDEEP
24576:FbpadCJ8XnNbXUMCDouesiqN4AiJB3g791v4QDhlnOBvBO:RpadCJNbPiJBI94QDhlK5O
Malware Config
Targets
-
-
Target
31fff390b4cc19f4ca8d02f144a83b57_JaffaCakes118
-
Size
1.7MB
-
MD5
31fff390b4cc19f4ca8d02f144a83b57
-
SHA1
acb9c42c46abf42d45e05625ccd398a44a114d7b
-
SHA256
a6b6337806bf52b04474c98ed8b0051d8b1949c11755966d233bf60854505583
-
SHA512
9383ec427243058b82fffda7e4f9ec733cb9baae06cb6aafa97a66aa39c65454c423a33e65a265127eb2c6fa3d4c0cbeae3e3fc8b379ab4a1f0806ac5c7ecf14
-
SSDEEP
24576:FbpadCJ8XnNbXUMCDouesiqN4AiJB3g791v4QDhlnOBvBO:RpadCJNbPiJBI94QDhlK5O
Score10/10-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
System Binary Proxy Execution: InstallUtil
Abuse InstallUtil to proxy execution of malicious code.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-