Overview

overview

10

Static

static

10

JaffaCakes...90.exe

windows7-x64

9

JaffaCakes...90.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_dcd5d7be9c416e1b54e27a8a0e79e215ad25c075240dc0ca18f8be550dfc7a90

  • Size

    657KB

  • Sample

    241221-yjgygsxqgz

  • MD5

    5ad0b25a5143383f6d9d0bccefad2ea8

  • SHA1

    9256360a8b866cc9d715cdabd1c28e52df4b38c3

  • SHA256

    dcd5d7be9c416e1b54e27a8a0e79e215ad25c075240dc0ca18f8be550dfc7a90

  • SHA512

    97eb36b6cd8a635c86dfda03896e53a9dc3d5586bd7b2158dd744cb7ceef7754455f39f0987b972e6089abf3e534dd4e10be80a7690d2c779ddf6697b53dc007

  • SSDEEP

    12288:WdVIsL1mgv2fK55IOmQ4EEwET9NlCRcLmV/hKcIDnLCW73ZB8bplUA7U449l9oRb:mK+pvUKsS4EE78Rkg/ht39

Score
10/10
hawkeye_rebornm00nd3v_loggercollectiondiscoveryinfostealer

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.0.0

Credentials

  • Protocol:     ftp
  • Host:
    ftp.suzukirmkjakarta.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    tooblessed77
Mutex

bb6b10af-6b63-4400-a703-75211ef8113b

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:tooblessed77 _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.suzukirmkjakarta.com _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:bb6b10af-6b63-4400-a703-75211ef8113b _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null

Targets

    • Target

      JaffaCakes118_dcd5d7be9c416e1b54e27a8a0e79e215ad25c075240dc0ca18f8be550dfc7a90

    • Size

      657KB

    • MD5

      5ad0b25a5143383f6d9d0bccefad2ea8

    • SHA1

      9256360a8b866cc9d715cdabd1c28e52df4b38c3

    • SHA256

      dcd5d7be9c416e1b54e27a8a0e79e215ad25c075240dc0ca18f8be550dfc7a90

    • SHA512

      97eb36b6cd8a635c86dfda03896e53a9dc3d5586bd7b2158dd744cb7ceef7754455f39f0987b972e6089abf3e534dd4e10be80a7690d2c779ddf6697b53dc007

    • SSDEEP

      12288:WdVIsL1mgv2fK55IOmQ4EEwET9NlCRcLmV/hKcIDnLCW73ZB8bplUA7U449l9oRb:mK+pvUKsS4EE78Rkg/ht39

    Score
    9/10
    discoverycollection

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks