Analysis

  • max time kernel
    135s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-05-2024 17:07

General

  • Target

    4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe

  • Size

    736KB

  • MD5

    4245f76471e5837dd3323e07bf7e6bda

  • SHA1

    2ec34da792c51acc16efb2e618e13e361a8866ed

  • SHA256

    ed1bc0cf788dac18aeaf4cc9fb125b9721931e4f0b7fde56ef08993ad975fb1a

  • SHA512

    83eac9a8e46257d7432a8c5df3befcabded63f9061879e8bd76efe497c48f7453124b6c6495afebb7f93784cbdfc283053a7a815ba8957f04ba486b35d7d9de6

  • SSDEEP

    12288:UfHjv8bKWzon9/eltgjq77hrkY8PJgRfLuQrXhspyPn3zaJV:UYzz+St0q77hrIJErXhsADa

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.zoho.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    tonyelo000

Extracted

Family

hawkeye_reborn

Signatures

  • Detect ZGRat V1 (1 IoC)
  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • M00nD3v Logger payload (1 IoC)

    Detects M00nD3v Logger payload in memory.

  • NirSoft MailPassView (4 IoCs)

    Password recovery tool for various email clients.

  • NirSoft WebBrowserPassView (4 IoCs)

    Password recovery tool for various web browsers.

  • Nirsoft (7 IoCs)
  • Sets file execution options in registry (2 TTPs, 64 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (2 IoCs)
  • Obfuscated with Agile.Net obfuscator (1 IoC)

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Uses the VBS compiler for execution (1 TTP)
  • Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (35 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe"
    Level 1
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3780
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\installed.exe"
      Level 2
      PID:1760
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\installed.exe"
      Level 2
      PID:4080
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    Level 1
    • Suspicious use of WriteProcessMemory
    PID:3956
    • C:\Users\Admin\AppData\Local\installed.exe
      "C:\Users\Admin\AppData\Local\installed.exe"
      Level 2
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4772
      • C:\Users\Admin\AppData\Local\installed.exe
        "C:\Users\Admin\AppData\Local\installed.exe"
        Level 3
        • Sets file execution options in registry
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1616
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFADB.tmp"
          Level 4
          • Suspicious behavior: EnumeratesProcesses
          PID:4028
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFEF2.tmp"
          Level 4
          • Accesses Microsoft Outlook accounts
          PID:448

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    Scripting (T1064): 1
  • Persistence
    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2
  • Defense Evasion
    Modify Registry (T1112): 2
    Scripting (T1064): 1
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
  • Collection
    Email Collection (T1114): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpFADB.tmp
    Filesize: 4KB
    MD5: 0c71400795defb1ddf2816dcb2440470
    SHA1: a9f25ddc014a44b58a890ac42ea47d98a3f754a3
    SHA256: eef6222f63aae44aec7addd2cdf1d348af92b32e0be1d4c857c48d9a941d9dac
    SHA512: 4d5fd766afe850d8282b85ca0ff3ef36e225e754254f43e1e3e0147675d40f901096199e666310e7f70b6cfbe9f33f3dbe4a063fbd4df7267190bad5121efabf

  • C:\Users\Admin\AppData\Local\installed.exe
    Filesize: 736KB
    MD5: 4245f76471e5837dd3323e07bf7e6bda
    SHA1: 2ec34da792c51acc16efb2e618e13e361a8866ed
    SHA256: ed1bc0cf788dac18aeaf4cc9fb125b9721931e4f0b7fde56ef08993ad975fb1a
    SHA512: 83eac9a8e46257d7432a8c5df3befcabded63f9061879e8bd76efe497c48f7453124b6c6495afebb7f93784cbdfc283053a7a815ba8957f04ba486b35d7d9de6

  • memory/448-31-0x0000000000420000-0x00000000004E9000-memory.dmp
    Filesize: 804KB
  • memory/448-32-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/448-30-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/448-29-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/1616-14-0x0000000000400000-0x0000000000490000-memory.dmp
    Filesize: 576KB
  • memory/1616-33-0x0000000006090000-0x000000000609A000-memory.dmp
    Filesize: 40KB
  • memory/1616-18-0x0000000005360000-0x00000000053C6000-memory.dmp
    Filesize: 408KB
  • memory/1616-17-0x0000000002C90000-0x0000000002D06000-memory.dmp
    Filesize: 472KB
  • memory/3780-5-0x0000000074740000-0x0000000074EF0000-memory.dmp
    Filesize: 7.7MB
  • memory/3780-10-0x0000000074740000-0x0000000074EF0000-memory.dmp
    Filesize: 7.7MB
  • memory/3780-6-0x00000000078C0000-0x0000000007952000-memory.dmp
    Filesize: 584KB
  • memory/3780-0-0x000000007474E000-0x000000007474F000-memory.dmp
    Filesize: 4KB
  • memory/3780-4-0x0000000007DD0000-0x0000000008374000-memory.dmp
    Filesize: 5.6MB
  • memory/3780-3-0x0000000005210000-0x0000000005238000-memory.dmp
    Filesize: 160KB
  • memory/3780-2-0x0000000007720000-0x0000000007816000-memory.dmp
    Filesize: 984KB
  • memory/3780-1-0x00000000007B0000-0x0000000000870000-memory.dmp
    Filesize: 768KB
  • memory/4028-20-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize: 364KB
  • memory/4028-21-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize: 364KB
  • memory/4028-27-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize: 364KB
  • memory/4772-13-0x0000000008180000-0x000000000821C000-memory.dmp
    Filesize: 624KB