General

  • Target

    d958277b511acf4f8dae3d75c594db6c_JaffaCakes118

  • Size

    356KB

  • Sample

    241209-ncwg7azpgm

  • MD5

    d958277b511acf4f8dae3d75c594db6c

  • SHA1

    b9a2113f62e2f559d51d70a35c77dff7e39294ed

  • SHA256

    065d9b1dd188b626515ce09b19cd24d7e16a160ac5319136e65aa3c561657426

  • SHA512

    21f5bfd2e04283a8d32f79cb10c823a66ebebc9d7ca9fc9a14d8fc3e4b31de1d0232141336c5816b098598f0ec2f4f2db5cbe44e4ebfffc792f01f55c96c4441

  • SSDEEP

    6144:0tkXQh+fOZTb4rVfYn33rVRRF5GPXpkHg0Sme9k4GgzsdHXTvLRUQSOObAIAWgcu:8VxQap5KDox3lWnk

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    rudas199300

Targets

    • Target

      d958277b511acf4f8dae3d75c594db6c_JaffaCakes118

    • HawkEye

      HawkEye is a commercial keylogger and credential-stealing malware kit that has seen continuous development since at least 2013.

    • Hawkeye family

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before running the payload.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla, which store saved server hosts and passwords.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill information.

    • Unsecured Credentials: Credentials In Files

      Attempts to read credentials stored in plaintext or weakly protected files (ATT&CK T1552.001).

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
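
The behaviours above, together with the extracted SMTP configuration, describe a recognisable chain: persistence via Run and policy Run keys, theft of FTP-client and browser credentials, and exfiltration over SMTP on port 587. The following Python is an added example, not part of the sandbox report or of the HawkEye sample, showing how a detection engineer might express that chain as hunting logic over endpoint telemetry. The event shape, the registry and file paths, and the process names are assumptions chosen for illustration; the sample events are constructed, not real telemetry.

```python
"""
Added example (not part of the sandbox report): hunting logic for the
behaviours listed above, exercised on constructed Sysmon-style events.
Event shape, paths and process names are assumptions for illustration.
"""
from __future__ import annotations

import fnmatch
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str      # "registry_set" | "registry_read" | "file_read" | "net_connect"
    process: str   # image name of the acting process
    target: str    # registry path, file path, or "host:port"


# Classic Run keys and the less commonly monitored policy Run keys the report flags.
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
POLICY_RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)
# Configured GeoID, a common source for the "country code" geofence check.
GEO_KEYS = (r"HKCU\Control Panel\International\Geo",)
# FileZilla site manager / recent servers (saved hosts and passwords).
FTP_CLIENT_FILES = (
    r"*\AppData\Roaming\FileZilla\sitemanager.xml",
    r"*\AppData\Roaming\FileZilla\recentservers.xml",
)
# Browser credential stores.
BROWSER_FILES = (
    r"*\AppData\Local\Google\Chrome\User Data\*\Login Data",
    r"*\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json",
)
SMTP_PORTS = {"25", "465", "587"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # processes expected to speak SMTP


def _under(path: str, keys) -> bool:
    p = path.lower()
    return any(p == k.lower() or p.startswith(k.lower() + "\\") for k in keys)


def _globs(path: str, patterns) -> bool:
    return any(fnmatch.fnmatchcase(path.lower(), pat.lower()) for pat in patterns)


def classify(ev: Event) -> list[str]:
    """Map one event to zero or more behaviour tags from the report."""
    tags: list[str] = []
    if ev.kind == "registry_set":
        if _under(ev.target, POLICY_RUN_KEYS):
            tags.append("persistence:policy_run_key")
        elif _under(ev.target, RUN_KEYS):
            tags.append("persistence:run_key")
    elif ev.kind == "registry_read" and _under(ev.target, GEO_KEYS):
        tags.append("discovery:location_check")
    elif ev.kind == "file_read":
        if _globs(ev.target, FTP_CLIENT_FILES):
            tags.append("credential_access:ftp_client_files")
        if _globs(ev.target, BROWSER_FILES):
            tags.append("credential_access:browser_data")
    elif ev.kind == "net_connect":
        _host, _, port = ev.target.rpartition(":")
        if port in SMTP_PORTS and ev.process.lower() not in MAIL_CLIENTS:
            tags.append("exfil:smtp_from_non_mail_client")
    return tags


def hunt(events) -> dict[str, set[str]]:
    """Aggregate behaviour tags per process image."""
    hits: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        for tag in classify(ev):
            hits[ev.process].add(tag)
    return dict(hits)


def infostealer_like(tags: set[str]) -> bool:
    """Persistence + credential theft + an SMTP channel from one process is the
    pattern this sample shows; any single tag on its own is too noisy to alert on."""
    phases = {t.split(":", 1)[0] for t in tags}
    return {"persistence", "credential_access", "exfil"} <= phases


# Constructed events shaped after the report's behaviours (not real telemetry).
SAMPLE_EVENTS = [
    Event("registry_set", "svchost32.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WinUpdate"),
    Event("registry_set", "svchost32.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"),
    Event("registry_read", "svchost32.exe", r"HKCU\Control Panel\International\Geo\Nation"),
    Event("file_read", "svchost32.exe",
          r"C:\Users\bob\AppData\Roaming\FileZilla\recentservers.xml"),
    Event("file_read", "svchost32.exe",
          r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("net_connect", "svchost32.exe", "smtp.gmail.com:587"),
    # Benign noise: a real mail client speaking SMTP, and an installer's Run key.
    Event("net_connect", "outlook.exe", "smtp.office365.com:587"),
    Event("registry_set", "setup.exe",
          r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
]

if __name__ == "__main__":
    for proc, tags in hunt(SAMPLE_EVENTS).items():
        verdict = "INFOSTEALER-LIKE" if infostealer_like(tags) else ""
        print(proc, verdict, sorted(tags))
```

The per-process aggregation is the important design choice: a Run-key write or an SMTP connection by itself is routine on a workstation, but one image doing persistence, credential-file reads and an SMTP connection to a public mail provider is the shape this sample exhibits, and that combination is what the `infostealer_like` check keys on. The policy Run key is split out as its own tag because it is often missing from default Run-key monitoring.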

MITRE ATT&CK Enterprise v15

Tasks