Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-12-2024 00:55

General

  • Target

    c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe

  • Size

    951KB

  • MD5

    c521f79249320c77b5b20007f871fbb1

  • SHA1

    8b772e27c77fd4880b79fe8466bff21e21e1aa2a

  • SHA256

    2cd607fb44480b61c90e5107a3131231936c99a7b766dbed4df4c6fed325ae0f

  • SHA512

    f471c23576f61e2066e09c44ae3beab374153fdafebfb6cc03e140942c15d3fa273394848dd3a4ba0bd07c7883b678d0d2dcbc1be1ea5a381882b101e55107bb

  • SSDEEP

    24576:9Sr69b1sIzdkdUDuCppG/HNs2HRT3s4ni4gSUf4:B9b1xdySu84lsMRzVniLw

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Hawkeye family
  • Detected Nirsoft tools 16 IoCs

    Free utilities, often abused by attackers, that recover stored passwords, product keys, etc.

  • NirSoft MailPassView 12 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 12 IoCs

    Password recovery tool for various web browsers

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the Visual Basic .NET compiler (vbc.exe) for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BFile_1.pdf"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:2880
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:2936
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2024
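The process tree above shows the whole HawkEye credential-theft chain: the dropper unpacks into %TEMP%\IXP000.TMP (the IXPnnn.TMP scratch directory is the naming used by IExpress self-extractors), M.exe spawns a second copy of itself (the SetThreadContext and WriteProcessMemory signatures point at process hollowing of that child), the child opens a decoy PDF in Adobe Reader and then launches two instances of the .NET Visual Basic compiler, vbc.exe, with a /stext switch. vbc.exe has no such switch; /stext is the NirSoft command-line option that writes a tool's recovered credentials to a text file, which is how the MailPassView and WebBrowserPassView signatures surface here (holdermail.txt for mail clients, holderwb.txt for browsers; the 2-byte holderwb.txt in the dropped files is consistent with an empty dump on a sandbox image with no saved browser credentials). The script below is an added example written for this page, not part of the sandbox report or of any vendor tooling: it turns those observations into rules over Sysmon Event ID 1-style process-creation records. The sample events are constructed from the tree above with the PIDs as listed; the parent of PID 2516 is not shown in the report and is set to 0 as a placeholder.

```python
"""Rule-based detection of the HawkEye execution chain shown in the process
tree above. Input records mimic Sysmon Event ID 1 (process creation); the
sample events are constructed from the report, not captured telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
M_EXE = TEMP + r"\IXP000.TMP\M.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
ACRORD = r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"

# Constructed from the report's process tree. The parent of PID 2516 is not
# listed in the report, so ppid=0 is a placeholder.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(2516, 0, TEMP + r"\c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe",
              f'"{TEMP}\\c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe"'),
    ProcEvent(2272, 2516, M_EXE, M_EXE),
    ProcEvent(1692, 2272, M_EXE, M_EXE),
    ProcEvent(2880, 1692, ACRORD, f'"{ACRORD}" "{TEMP}\\BFile_1.pdf"'),
    ProcEvent(2936, 1692, VBC, f'{VBC} /stext "{TEMP}\\holdermail.txt"'),
    ProcEvent(2024, 1692, VBC, f'{VBC} /stext "{TEMP}\\holderwb.txt"'),
]

USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
IEXPRESS_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)   # IExpress scratch dir
NIRSOFT_STEXT = re.compile(r"(?:^|\s)/stext\s", re.IGNORECASE)   # NirSoft "save as text" switch

Finding = Tuple[str, int]   # (rule name, pid)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Finding]:
    """Apply the four rules to a batch of events; returns (rule, pid) pairs."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        base = _basename(e.image)

        # 1. vbc.exe is the Visual Basic .NET compiler and has no /stext
        #    switch; /stext is how NirSoft recovery tools dump their output
        #    to a file, so this is the injected MailPassView/WebBrowserPassView.
        if base == "vbc.exe" and NIRSOFT_STEXT.search(e.cmdline):
            findings.append(("nirsoft_in_vbc", e.pid))

        # 2. Payload executing from an IExpress extraction directory.
        if IEXPRESS_DIR.search(e.image):
            findings.append(("iexpress_scratch_dir", e.pid))

        # 3. A %TEMP% binary spawning an identical copy of itself: the usual
        #    shape of process hollowing (SetThreadContext + WriteProcessMemory),
        #    with the child being the hollowed instance.
        if parent and USER_TEMP.search(e.image) and parent.image.lower() == e.image.lower():
            findings.append(("temp_self_spawn", e.pid))

        # 4. Adobe Reader opened on a %TEMP% document by a %TEMP% parent:
        #    a decoy shown to the victim while the stealers run.
        if base == "acrord32.exe" and parent and USER_TEMP.search(parent.image) \
                and USER_TEMP.search(e.cmdline):
            findings.append(("decoy_document", e.pid))
    return findings


def hawkeye_chain(findings: List[Finding]) -> bool:
    """High-confidence verdict: stealer inside vbc.exe plus a hollowed %TEMP% parent."""
    rules = {r for r, _ in findings}
    return "nirsoft_in_vbc" in rules and "temp_self_spawn" in rules


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, pid in hits:
        print(f"{rule:22s} pid={pid}")
    print("HawkEye chain:", hawkeye_chain(hits))
```

To run this against real telemetry, map the Sysmon fields ProcessId, ParentProcessId, Image and CommandLine onto ProcEvent. A normal build invocation such as vbc.exe /nologo /out:app.dll app.vb produces no finding, because rule 1 keys on the /stext switch rather than on vbc.exe itself; the self-spawn rule fires on the child, so correlate it with the parent's SetThreadContext/WriteProcessMemory calls if your sensor records them.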

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\BFile_1.pdf
    Filesize: 76KB
    MD5: a044a4eaea50ac33f65fd614f4b78509
    SHA1: f4c1d9a86ee7769492293508f650f67dc3c523f7
    SHA256: 8f9c44049129703f3d6d3beeff6ac8d576df276a56e8f7f85c86beda912ed8c4
    SHA512: 9fbeae185958d0c7868bc21fd08220cc8e1f6aaa6cea14ffbb257a93355ba043e294be25ae40c8f80d75563bdd1f9cec3f29afa944b3cac11664ec4b066822d3

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.ex_
    Filesize: 749KB
    MD5: aa9da8f4f5e434d8449c17efccebef5e
    SHA1: 99487070bb0da9e0c2df138b111e9bebc2a271f2
    SHA256: 16b6bdc384d7b4821d541eb40f1be8c3ca2b027b9a329e77eb4c13800b3e8ec2
    SHA512: 768fb0d93c91ad868f7b2cfc0fc67ce2e20293e40ec1e4216bb805232a2f02cdfd3ec225c29c40bed6c4f505aa35b788f5291661b99d2773c24d395c825ef0cb

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    Filesize: 104KB
    MD5: 42ccd69a3be9618d329de0ea0fde3a81
    SHA1: 47e9897f303496eb9cd5883f9cdb283b6eee65d3
    SHA256: 14137fcc8697e967b251fd0fafbdf79af8db4c1a67f2eafe53756e3ad80a9bef
    SHA512: 33d95b20ce606441c89dbc575c8e884196a19db056ffd9d54a5e0c57f3928b0d064b6270e4abf033046606e0456156faba3f3a8e6a353e924a7461e61e46bfae

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    Filesize: 140KB
    MD5: bc9932d562808f046db8cf2d225b317e
    SHA1: 50827e282cb74b846b8ef79ccd3f5887e3a941f2
    SHA256: 49a50d91166a62cb0c1454d015af0b5b98ea86702c9e88c21f6e5775517571b7
    SHA512: d46153b9d0260a076fd6247de14325b2f76d7537139677af927427fab23852258634b525a1e3e31e19456a04a5c58527ac351f44b475c2eb984294b30b0efa22

  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
    Filesize: 2B
    MD5: f3b25701fe362ec84616a93a45ce9998
    SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/1692-27-0x0000000000300000-0x0000000000400000-memory.dmp: 1024KB
  • memory/1692-31-0x0000000000400000-0x0000000004B18000-memory.dmp: 71.1MB
  • memory/1692-51-0x0000000000400000-0x0000000004B18000-memory.dmp: 71.1MB
  • memory/1692-30-0x0000000000400000-0x0000000004B18000-memory.dmp: 71.1MB
  • memory/1692-36-0x0000000000400000-0x0000000004B18000-memory.dmp: 71.1MB
  • memory/1692-40-0x0000000000400000-0x0000000004B18000-memory.dmp: 71.1MB
  • memory/1692-34-0x0000000000400000-0x0000000004B18000-memory.dmp: 71.1MB
  • memory/1692-37-0x0000000000400000-0x0000000004B18000-memory.dmp: 71.1MB
  • memory/1692-41-0x0000000000400000-0x0000000004B18000-memory.dmp: 71.1MB
  • memory/1692-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
  • memory/1692-48-0x0000000000400000-0x0000000004B18000-memory.dmp: 71.1MB
  • memory/1692-50-0x0000000000400000-0x0000000004B18000-memory.dmp: 71.1MB
  • memory/2024-80-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
  • memory/2024-86-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
  • memory/2024-77-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
  • memory/2024-78-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
  • memory/2272-54-0x0000000000400000-0x000000000045C000-memory.dmp: 368KB
  • memory/2272-23-0x0000000000280000-0x0000000000285000-memory.dmp: 20KB
  • memory/2272-26-0x0000000000310000-0x000000000036C000-memory.dmp: 368KB
  • memory/2272-13-0x0000000000400000-0x000000000045C000-memory.dmp: 368KB
  • memory/2516-12-0x0000000000360000-0x00000000003BC000-memory.dmp: 368KB
  • memory/2516-11-0x0000000000360000-0x00000000003BC000-memory.dmp: 368KB
  • memory/2936-70-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
  • memory/2936-71-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
  • memory/2936-73-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
  • memory/2936-76-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB