Overview

overview

10

Static

static

3

JaffaCakes...cf.exe

windows7-x64

10

JaffaCakes...cf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/02/2025, 04:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_23bc66b499bfc507fd1e14628d90a2cf.exe

  • Size

    128KB

  • MD5

    23bc66b499bfc507fd1e14628d90a2cf

  • SHA1

    8a671990a27e718970652c90aeceab5e5fee8fe2

  • SHA256

    5b91585b450a0eebcd9e9cde4313725563e981f837d0b0d26446692520e12f9c

  • SHA512

    029f9c7189dff322cfe4096b0f210a480c1b30167484eefb9daa5578407c16527cb1d63dfdf9dd84ef330984c82cf731f10280aee1e818eb182606f6adaff5f7

  • SSDEEP

    3072:lzPkD2B+Yvw3JjpK2ronSqjf5aX50sPCfOP82nSDvJ:lwSOjMqonHjf5aJdKOP3navJ

Score
10/10
hawkeyediscoverykeyloggerpersistencespywarestealertrojanupx

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Hawkeye family
    hawkeye
  • Adds policy Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23bc66b499bfc507fd1e14628d90a2cf.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23bc66b499bfc507fd1e14628d90a2cf.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5116
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4208
      • C:\Users\Admin\AppData\Local\Temp\System\egoi.exe
        "C:\Users\Admin\AppData\Local\Temp\System\egoi.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4984
        • C:\Users\Admin\AppData\Local\Temp\System\wmptvk.exe
          "C:\Users\Admin\AppData\Local\Temp\System\wmptvk.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3320
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            5⤵
            • Adds policy Run key to start application
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
    Filesize

    84B

    MD5

    399528bc0e6739fd2e764f3e8fbebbe8

    SHA1

    736b6f6106c550287dc2ea70dd420c8bcdb4effa

    SHA256

    28f3c005c5efceac2ecc4b1eb396e7d2bce14c83632aad4d7d46cfed2c990a17

    SHA512

    acedb015af54d61b8982204a6881d91ea4ab92e24472631f67ea3ea2caa8711fa779991dce6bbdf9b235b4898fa9619c7ab0998e46154731456be7e179f20eb8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\System\egoi.exe
    Filesize

    24KB

    MD5

    fe6ce2eef73a58131a7c5cfcbb69f399

    SHA1

    bdb70a203d915991617ec8d6d9f680faa951b0f3

    SHA256

    1ca2ec0439ef247fb5cceda440a6067f847d225d3f97873916df19c8e4ed3b9e

    SHA512

    f6fbc114b11af201e19b0493145998bc0b6640d7169514c327e22179146c2b8ba805f4d488c493dd8821be330477b6b839ff6c44b08dbc329dcb17e87774f2c9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    128KB

    MD5

    23bc66b499bfc507fd1e14628d90a2cf

    SHA1

    8a671990a27e718970652c90aeceab5e5fee8fe2

    SHA256

    5b91585b450a0eebcd9e9cde4313725563e981f837d0b0d26446692520e12f9c

    SHA512

    029f9c7189dff322cfe4096b0f210a480c1b30167484eefb9daa5578407c16527cb1d63dfdf9dd84ef330984c82cf731f10280aee1e818eb182606f6adaff5f7

    Download Submit

  • memory/1352-1-0x00000000749A0000-0x0000000074F51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1352-2-0x00000000749A0000-0x0000000074F51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1352-14-0x00000000749A0000-0x0000000074F51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1352-0-0x00000000749A2000-0x00000000749A3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4208-24-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/4208-21-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/4208-23-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/4208-25-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/4984-39-0x00000000749A0000-0x0000000074F51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4984-38-0x00000000749A0000-0x0000000074F51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4984-40-0x00000000749A0000-0x0000000074F51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4984-53-0x00000000749A0000-0x0000000074F51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4984-54-0x00000000749A0000-0x0000000074F51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5116-15-0x00000000749A0000-0x0000000074F51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5116-13-0x00000000749A0000-0x0000000074F51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5116-51-0x00000000749A0000-0x0000000074F51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5116-52-0x00000000749A0000-0x0000000074F51000-memory.dmp

    Filesize

    5.7MB

    Download