General

  • Target

    e29d3bafbbf678b38cf2bb894426c432_JaffaCakes118

  • Size

    449KB

  • Sample

    241211-wlak3ssrht

  • MD5

    e29d3bafbbf678b38cf2bb894426c432

  • SHA1

    b10849baa1ef5473df4cf0510c6dc9de3c1ea570

  • SHA256

    7fe59e830d068fc38857e7520ecc8b020f14c19f55228e0dfe8d9103744c22a2

  • SHA512

    bbea41d1fc754b781e6887cb8b23ffb72b9d502e51285f1b31016daa58fda693a274cd28a4adc992ac829630cf644da47a2a225bac37d91fc13bf36e5e12cc8f

  • SSDEEP

    12288:afGuZxBgUMVLDgzswnEb6i8HhN0BckEn34KzRoj+y29Li:IzPMVLD1wnY7j0n3DzajVyL

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.gandi.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    herryy1989

Targets

    • Target

      e29d3bafbbf678b38cf2bb894426c432_JaffaCakes118

    • Size

      449KB

    • MD5

      e29d3bafbbf678b38cf2bb894426c432

    • SHA1

      b10849baa1ef5473df4cf0510c6dc9de3c1ea570

    • SHA256

      7fe59e830d068fc38857e7520ecc8b020f14c19f55228e0dfe8d9103744c22a2

    • SHA512

      bbea41d1fc754b781e6887cb8b23ffb72b9d502e51285f1b31016daa58fda693a274cd28a4adc992ac829630cf644da47a2a225bac37d91fc13bf36e5e12cc8f

    • SSDEEP

      12288:afGuZxBgUMVLDgzswnEb6i8HhN0BckEn34KzRoj+y29Li:IzPMVLD1wnY7j0n3DzajVyL

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Hawkeye family

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks