Overview

overview

10

Static

static

9

PhpDataObj...dp.exe

windows7-x64

10

PhpDataObj...dp.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_12d16205504a26ca42877320e0dd4adc6c44e0c9314fc9bc07b0ca900f08db58

  • Size

    1.3MB

  • Sample

    241229-qzn3qssqal

  • MD5

    1ac021ba2ff60099fa8788d6be7e8c02

  • SHA1

    1f367024abab3a17f1366f37aad956ac5290dce0

  • SHA256

    12d16205504a26ca42877320e0dd4adc6c44e0c9314fc9bc07b0ca900f08db58

  • SHA512

    a08e27d124672cc55066961aa80c37ae09480ff4f234b50a23cb81529de67c9aba01eb06317f4d0bc99810591a3e17cacfe2a1ae5bedf043607a6af0ef536297

  • SSDEEP

    24576:0UHwjE1JleNsKYn01OfrcZBiYJSD0qGs94wZjLALrD2:fQY1msKYnWZBiYAD0yWyjLAK

Score
10/10
hawkeyecollectiondiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      PhpDataObject._fdp.bin

    • Size

      2.9MB

    • MD5

      b194af41cab7bf7d0a4818a31c23271f

    • SHA1

      924244e1cd05e292a4ca710f03573b2f6f8d5a4f

    • SHA256

      ddbd74f87f973b4a96f5d08e87fc6553154a913a7beed65113f3010fd99fccdc

    • SHA512

      eaed2565185ceb323a158a4f4a2105910fd643726050772ecdb750b2eab7bb20e57d4774715654cb3bc3ec26d690847fcea2df1b689842d0ab3aff4c19bbb110

    • SSDEEP

      24576:rZQtqBorTlYWBhE+V3mON3BeGixx6YC34gizrpT8FDn+UPk++H0uUP3XXuQ4kP86:rKtqFWM4mEI9jCod/gX/+Hy

    Score
    10/10
    hawkeyecollectiondiscoverykeyloggerpersistencespywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • Hawkeye family

      hawkeye

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks