Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-12-2024 00:55
Static task
static1
Behavioral task
behavioral1
Sample
c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe
-
Size
951KB
-
MD5
c521f79249320c77b5b20007f871fbb1
-
SHA1
8b772e27c77fd4880b79fe8466bff21e21e1aa2a
-
SHA256
2cd607fb44480b61c90e5107a3131231936c99a7b766dbed4df4c6fed325ae0f
-
SHA512
f471c23576f61e2066e09c44ae3beab374153fdafebfb6cc03e140942c15d3fa273394848dd3a4ba0bd07c7883b678d0d2dcbc1be1ea5a381882b101e55107bb
-
SSDEEP
24576:9Sr69b1sIzdkdUDuCppG/HNs2HRT3s4ni4gSUf4:B9b1xdySu84lsMRzVniLw
Malware Config
Signatures
-
Hawkeye family
-
Detected Nirsoft tools 16 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/memory/1692-36-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/1692-40-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/1692-34-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/1692-37-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/1692-41-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/1692-50-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/1692-48-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/1692-51-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/2936-70-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2936-71-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2936-73-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2936-76-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2024-80-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2024-78-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2024-77-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2024-86-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
NirSoft MailPassView 12 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/1692-36-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/1692-40-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/1692-34-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/1692-37-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/1692-41-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/1692-50-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/1692-48-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/1692-51-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/2936-70-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2936-71-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2936-73-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2936-76-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 12 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/1692-36-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/1692-40-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/1692-34-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/1692-37-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/1692-41-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/1692-50-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/1692-48-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/1692-51-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/2024-80-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2024-78-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2024-77-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2024-86-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Executes dropped EXE 2 IoCs
pid Process 2272 M.exe 1692 M.exe -
Loads dropped DLL 5 IoCs
pid Process 2516 c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe 2516 c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe 2272 M.exe 2272 M.exe 1692 M.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" M.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 whatismyipaddress.com 6 whatismyipaddress.com 7 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2272 set thread context of 1692 2272 M.exe 31 PID 1692 set thread context of 2936 1692 M.exe 35 PID 1692 set thread context of 2024 1692 M.exe 36 -
resource yara_rule behavioral1/files/0x0009000000015d41-8.dat upx behavioral1/memory/2272-13-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral1/memory/2272-26-0x0000000000310000-0x000000000036C000-memory.dmp upx behavioral1/memory/2272-54-0x0000000000400000-0x000000000045C000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language M.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language M.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2272 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe 1692 M.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2880 AcroRd32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1692 M.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2272 M.exe 2272 M.exe 1692 M.exe 2880 AcroRd32.exe 2880 AcroRd32.exe 2880 AcroRd32.exe -
Suspicious use of WriteProcessMemory 56 IoCs
description pid Process procid_target PID 2516 wrote to memory of 2272 2516 c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe 30 PID 2516 wrote to memory of 2272 2516 c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe 30 PID 2516 wrote to memory of 2272 2516 c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe 30 PID 2516 wrote to memory of 2272 2516 c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe 30 PID 2516 wrote to memory of 2272 2516 c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe 30 PID 2516 wrote to memory of 2272 2516 c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe 30 PID 2516 wrote to memory of 2272 2516 c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe 30 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 2272 wrote to memory of 1692 2272 M.exe 31 PID 1692 wrote to memory of 2880 1692 M.exe 33 PID 1692 wrote to memory of 2880 1692 M.exe 33 PID 1692 wrote to memory of 2880 1692 M.exe 33 PID 1692 wrote to memory of 2880 1692 M.exe 33 PID 1692 wrote to memory of 2880 1692 M.exe 33 PID 1692 wrote to memory of 2880 1692 M.exe 33 PID 1692 wrote to memory of 2880 1692 M.exe 33 PID 1692 wrote to memory of 2936 1692 M.exe 35 PID 1692 wrote to memory of 2936 1692 M.exe 35 PID 1692 wrote to memory of 2936 1692 M.exe 35 PID 1692 wrote to memory of 2936 1692 M.exe 35 PID 1692 wrote to memory of 2936 1692 M.exe 35 PID 1692 wrote to memory of 2936 1692 M.exe 35 PID 1692 wrote to memory of 2936 1692 M.exe 35 PID 1692 wrote to memory of 2936 1692 M.exe 35 PID 1692 wrote to memory of 2936 1692 M.exe 35 PID 1692 wrote to memory of 2936 1692 M.exe 35 PID 1692 wrote to memory of 2936 1692 M.exe 35 PID 1692 wrote to memory of 2936 1692 M.exe 35 PID 1692 wrote to memory of 2936 1692 M.exe 35 PID 1692 wrote to memory of 2024 1692 M.exe 36 PID 1692 wrote to memory of 2024 1692 M.exe 36 PID 1692 wrote to memory of 2024 1692 M.exe 36 PID 1692 wrote to memory of 2024 1692 M.exe 36 PID 1692 wrote to memory of 2024 1692 M.exe 36 PID 1692 wrote to memory of 2024 1692 M.exe 36 PID 1692 wrote to memory of 2024 1692 M.exe 36 PID 1692 wrote to memory of 2024 1692 M.exe 36 PID 1692 wrote to memory of 2024 1692 M.exe 36 PID 1692 wrote to memory of 2024 1692 M.exe 36 PID 1692 wrote to memory of 2024 1692 M.exe 36 PID 1692 wrote to memory of 2024 1692 M.exe 36 PID 1692 wrote to memory of 2024 1692 M.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c521f79249320c77b5b20007f871fbb1_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BFile_1.pdf"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2880
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"4⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2936
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"4⤵
- System Location Discovery: System Language Discovery
PID:2024
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
76KB
MD5a044a4eaea50ac33f65fd614f4b78509
SHA1f4c1d9a86ee7769492293508f650f67dc3c523f7
SHA2568f9c44049129703f3d6d3beeff6ac8d576df276a56e8f7f85c86beda912ed8c4
SHA5129fbeae185958d0c7868bc21fd08220cc8e1f6aaa6cea14ffbb257a93355ba043e294be25ae40c8f80d75563bdd1f9cec3f29afa944b3cac11664ec4b066822d3
-
Filesize
749KB
MD5aa9da8f4f5e434d8449c17efccebef5e
SHA199487070bb0da9e0c2df138b111e9bebc2a271f2
SHA25616b6bdc384d7b4821d541eb40f1be8c3ca2b027b9a329e77eb4c13800b3e8ec2
SHA512768fb0d93c91ad868f7b2cfc0fc67ce2e20293e40ec1e4216bb805232a2f02cdfd3ec225c29c40bed6c4f505aa35b788f5291661b99d2773c24d395c825ef0cb
-
Filesize
104KB
MD542ccd69a3be9618d329de0ea0fde3a81
SHA147e9897f303496eb9cd5883f9cdb283b6eee65d3
SHA25614137fcc8697e967b251fd0fafbdf79af8db4c1a67f2eafe53756e3ad80a9bef
SHA51233d95b20ce606441c89dbc575c8e884196a19db056ffd9d54a5e0c57f3928b0d064b6270e4abf033046606e0456156faba3f3a8e6a353e924a7461e61e46bfae
-
Filesize
140KB
MD5bc9932d562808f046db8cf2d225b317e
SHA150827e282cb74b846b8ef79ccd3f5887e3a941f2
SHA25649a50d91166a62cb0c1454d015af0b5b98ea86702c9e88c21f6e5775517571b7
SHA512d46153b9d0260a076fd6247de14325b2f76d7537139677af927427fab23852258634b525a1e3e31e19456a04a5c58527ac351f44b475c2eb984294b30b0efa22
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84