General

  • Target

    JaffaCakes118_dcd5d7be9c416e1b54e27a8a0e79e215ad25c075240dc0ca18f8be550dfc7a90

  • Size

    657KB

  • Sample

    241221-yjgygsxqgz

  • MD5

    5ad0b25a5143383f6d9d0bccefad2ea8

  • SHA1

    9256360a8b866cc9d715cdabd1c28e52df4b38c3

  • SHA256

    dcd5d7be9c416e1b54e27a8a0e79e215ad25c075240dc0ca18f8be550dfc7a90

  • SHA512

    97eb36b6cd8a635c86dfda03896e53a9dc3d5586bd7b2158dd744cb7ceef7754455f39f0987b972e6089abf3e534dd4e10be80a7690d2c779ddf6697b53dc007

  • SSDEEP

    12288:WdVIsL1mgv2fK55IOmQ4EEwET9NlCRcLmV/hKcIDnLCW73ZB8bplUA7U449l9oRb:mK+pvUKsS4EE78Rkg/ht39

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.0.0

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.suzukirmkjakarta.com
  • Port:
    21
  • Username:
    stanzo77@suzukirmkjakarta.com
  • Password:
    tooblessed77
Mutex

bb6b10af-6b63-4400-a703-75211ef8113b

Attributes
  • fields

    • _AntiDebugger: false
    • _AntiVirusKiller: false
    • _BotKiller: false
    • _ClipboardLogger: false
    • _Delivery: 2
    • _DisableCommandPrompt: false
    • _DisableRegEdit: false
    • _DisableTaskManager: false
    • _Disablers: false
    • _EmailPort: 0
    • _EmailSSL: false
    • _ExecutionDelay: 10
    • _FTPPassword: tooblessed77
    • _FTPPort: 21
    • _FTPSFTP: true
    • _FTPServer: ftp.suzukirmkjakarta.com
    • _FTPUsername: stanzo77@suzukirmkjakarta.com
    • _FakeMessageIcon: 0
    • _FakeMessageShow: false
    • _FileBinder: false
    • _HideFile: false
    • _HistoryCleaner: false
    • _Install: false
    • _InstallLocation: 0
    • _InstallStartup: false
    • _InstallStartupPersistance: false
    • _KeyStrokeLogger: false
    • _LogInterval: 10
    • _MeltFile: false
    • _Mutex: bb6b10af-6b63-4400-a703-75211ef8113b
    • _PasswordStealer: true
    • _ProcessElevation: false
    • _ProcessProtection: false
    • _ScreenshotLogger: false
    • _SystemInfo: false
    • _Version: 10.1.0.0
    • _WebCamLogger: false
    • _WebsiteBlocker: false
    • _WebsiteVisitor: false
    • _WebsiteVisitorVisible: false
    • _ZoneID: false

  • name

    HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null

Targets

    • Target

      JaffaCakes118_dcd5d7be9c416e1b54e27a8a0e79e215ad25c075240dc0ca18f8be550dfc7a90

    Score: 9/10
    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
