Overview

overview

10

Static

static

5

Confirmation.exe

windows7-x64

10

Confirmation.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7e32a3349de8ff0b55924eb490c80185_JaffaCakes118

  • Size

    1.0MB

  • Sample

    241030-g8bz4aybpm

  • MD5

    7e32a3349de8ff0b55924eb490c80185

  • SHA1

    b5deb806bfc4231548491d2dede88be9fc2c0b6b

  • SHA256

    f4489bdb9e046c8ad572f90ef272f25305ceb36a84a7507fa1dd4e4aca90a564

  • SHA512

    bb7282474f1777fd4341d458f76930881756ed9f9acc29de864286038e9d00acce28365a7845369524558f73829b38ba4fd7c736a1d0f71ec506aaa71d0059ba

  • SSDEEP

    24576:/AiNLEMb/abVoxBjKB6ukcWBE4FvHdU8ylbK/r/:/AB0yYBe6ukDEEvHXylG/r/

Score
10/10
hawkeyecollectiondiscoverykeyloggerpersistencespywarestealertrojanupx

Malware Config

Targets

    • Target

      Confirmation.exe

    • Size

      1.0MB

    • MD5

      c1770203c545b2bcfe82cb117b398a5f

    • SHA1

      4dc20a479217c8f93764e46a4475bda162b3e4ba

    • SHA256

      e0febedda6f3a66c50558d4ed1fc267fc2dcfcb1f828ea30793ad5189df5e093

    • SHA512

      e93b2c552a3b423f6d06136ccef9aee2b66fefb24424049996c193cb157d1a204ca11555be5fb8450d915ea4ae0c7c96ccd8c98a9e9fe5c56d9369ff396d02df

    • SSDEEP

      24576:O3msSKhttyzWFKhIX6QKyerEGP/imH9rtqTWpvHLXo2:ezFht7pKTpEkZdrta2D1

    Score
    10/10
    hawkeyecollectiondiscoverykeyloggerpersistencespywarestealertrojanupx

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • Hawkeye family

      hawkeye

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks