hawkeye_reborn | 8e78bf76075b5946c932aacd4d8f10132b06124bf2b7bdb954277b016b5ef42c

Analysis

max time kernel
138s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe
Size

777KB
MD5

0b35d66e57ac2fd0a8d0f5b3559e0285
SHA1

cbe9f230712b51556dbec84a4ad287cd24550724
SHA256

8e78bf76075b5946c932aacd4d8f10132b06124bf2b7bdb954277b016b5ef42c
SHA512

32598d1d1f5769bf9591da75c75e024f874fbc8a3b527832bd4c83beafbad8ad7b079370e97be002d215c6b8561fa1b4126e8601820b9d65779575b924dc9c32
SSDEEP

12288:l7sZ/OAac3cwHolLoTtgGUcOumN8Op7bhHTfXuuT2I6ZY:ZsHxMwHqLoeGSN8OZb1bH

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 6 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/1556-22-0x0000000000D80000-0x0000000000E10000-memory.dmp	m00nd3v_logger
behavioral1/memory/2900-33-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2900-31-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2900-26-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2900-29-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2900-25-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2220-64-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/2220-65-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/2220-66-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2568-47-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2568-48-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2568-51-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral1/memory/2568-47-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2568-48-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2568-51-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2220-64-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/2220-65-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/2220-66-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1556 set thread context of 2900	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	31
PID 2900 set thread context of 2568	2900	RegAsm.exe	33
PID 2900 set thread context of 2220	2900	RegAsm.exe	36

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe
1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe
2568	vbc.exe
2568	vbc.exe
2568	vbc.exe
2568	vbc.exe
2568	vbc.exe
2900	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe
Token: SeDebugPrivilege	2900	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2900	RegAsm.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 2304	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	28
PID 1556 wrote to memory of 2304	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	28
PID 1556 wrote to memory of 2304	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	28
PID 1556 wrote to memory of 2304	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	28
PID 2304 wrote to memory of 2888	2304	csc.exe	30
PID 2304 wrote to memory of 2888	2304	csc.exe	30
PID 2304 wrote to memory of 2888	2304	csc.exe	30
PID 2304 wrote to memory of 2888	2304	csc.exe	30
PID 1556 wrote to memory of 2900	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	31
PID 1556 wrote to memory of 2900	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	31
PID 1556 wrote to memory of 2900	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	31
PID 1556 wrote to memory of 2900	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	31
PID 1556 wrote to memory of 2900	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	31
PID 1556 wrote to memory of 2900	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	31
PID 1556 wrote to memory of 2900	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	31
PID 1556 wrote to memory of 2900	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	31
PID 1556 wrote to memory of 2900	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	31
PID 1556 wrote to memory of 2900	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	31
PID 1556 wrote to memory of 2900	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	31
PID 1556 wrote to memory of 2900	1556	0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe	31
PID 2900 wrote to memory of 2568	2900	RegAsm.exe	33
PID 2900 wrote to memory of 2568	2900	RegAsm.exe	33
PID 2900 wrote to memory of 2568	2900	RegAsm.exe	33
PID 2900 wrote to memory of 2568	2900	RegAsm.exe	33
PID 2900 wrote to memory of 2568	2900	RegAsm.exe	33
PID 2900 wrote to memory of 2568	2900	RegAsm.exe	33
PID 2900 wrote to memory of 2568	2900	RegAsm.exe	33
PID 2900 wrote to memory of 2568	2900	RegAsm.exe	33
PID 2900 wrote to memory of 2568	2900	RegAsm.exe	33
PID 2900 wrote to memory of 2568	2900	RegAsm.exe	33
PID 2900 wrote to memory of 2220	2900	RegAsm.exe	36
PID 2900 wrote to memory of 2220	2900	RegAsm.exe	36
PID 2900 wrote to memory of 2220	2900	RegAsm.exe	36
PID 2900 wrote to memory of 2220	2900	RegAsm.exe	36
PID 2900 wrote to memory of 2220	2900	RegAsm.exe	36
PID 2900 wrote to memory of 2220	2900	RegAsm.exe	36
PID 2900 wrote to memory of 2220	2900	RegAsm.exe	36
PID 2900 wrote to memory of 2220	2900	RegAsm.exe	36
PID 2900 wrote to memory of 2220	2900	RegAsm.exe	36
PID 2900 wrote to memory of 2220	2900	RegAsm.exe	36

C:\Users\Admin\AppData\Local\Temp\0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b35d66e57ac2fd0a8d0f5b3559e0285_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hntfew12\hntfew12.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADAD.tmp" "c:\Users\Admin\AppData\Local\Temp\hntfew12\CSC2F13CE7F4F074CA2825950558BA697A9.TMP"
    3⤵
    PID:2888
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2568
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD0F6.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESADAD.tmp

Filesize
1KB

MD5
073239de0de99acda3c1fb24df7df9a5

SHA1
c25b2b2b718496d29d0a758410abb18440a104ec

SHA256
7c7d8d8228605cf8a863a9e3ac0b8f8bd5a33e8dbb4715534f457eebef5ed52f

SHA512
da8ca1edf18ca485ae721d96133452f13ec62dd104e53b39c61628159dff8761683a1c0e4c451ec3850f8122d9863f87cc859a71c8f34b1990643f44d5551f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hntfew12\hntfew12.dll

Filesize
7KB

MD5
a7a53f3682783da9664d93d33fcd8f50

SHA1
02af4e21ead6907af3e8472c17b2822e50f9f6b5

SHA256
41a2dcc4ed757d964fef9f6dece9c398bff014fed276ae618817fab3f2f3b481

SHA512
a88d5eaf631daf828fc749bd3cf4a1ba652a9c80b15f9e3d4bfddd05015b20845014804180c553a867bc43dead879cee66696068858d2e604f7496f37c800e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hntfew12\hntfew12.pdb

Filesize
21KB

MD5
db1d27ef5f71161d95205a813f172427

SHA1
88c5e0cfa00d9b98529018d64537b47d78e4bde3

SHA256
69f66c9d9faf0229e0fd2ea6fb5b3ec912dd5d7c868cf388781e9349e7f66503

SHA512
d89f13afccb675a1b6824d22eff07779580fa1d126754a40aa4883995634723ccaadb135c5865b8664574631ff0ad9a03486fd4c7f6d19b72cdb89e16428d475

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hntfew12\CSC2F13CE7F4F074CA2825950558BA697A9.TMP

Filesize
1KB

MD5
f84f95387207ac034d8f4cae4ef4521a

SHA1
f69b62e9d6324e79d7fac8933d9823e1544d2f80

SHA256
f35f1e0df34398d75094c5f42a1c9407b5a9970c31d7b2972b3a6e3eade34c12

SHA512
315b0c0bc0a42612478d5109725d15e90f2b87f56e9d22422090459563fa42aa0578fc92db28e36bc2892cc80bd06449a13438127d8205faf78e44c43aa1637a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hntfew12\hntfew12.0.cs

Filesize
8KB

MD5
258c35777fd602112b03331197b00773

SHA1
2a46b959f87c13f78a2f221ac599564ab351685c

SHA256
be9d0925f33046b192edabe5e03ec7545afb0b7f08821845153850120a719f70

SHA512
b37973a144c5715d495db3da7d1df5d09b706c361ee978e023112507a1fddf60ed718db90efc1f4fb5f04348df10639a1584aed5cf4ed03ad5f4bc141a6f4e08

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hntfew12\hntfew12.cmdline

Filesize
312B

MD5
5e9dff60eeef5819e2f25942ca567f7b

SHA1
c2029be928cd926b52e2d732623fc0b7b833f30b

SHA256
c1c0f23634ae4b28059506d9c7a0377a74ad16f7c3d74a1af6ccfc1c3b98faba

SHA512
b8143dd79f9b795a0703a1822225182eebfc5688851c9f44563dc5506ccf6b07b8db251952cf4e1b479328de8bda14f090aef8ac48fbbb166e4905caa92dcb9a

Download Submit
memory/1556-21-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/1556-3-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/1556-2-0x0000000004AD0000-0x0000000004B10000-memory.dmp

Filesize
256KB

Download
memory/1556-18-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/1556-20-0x00000000051A0000-0x000000000523A000-memory.dmp

Filesize
616KB

Download
memory/1556-0-0x0000000000E10000-0x0000000000EA4000-memory.dmp

Filesize
592KB

Download
memory/1556-22-0x0000000000D80000-0x0000000000E10000-memory.dmp

Filesize
576KB

Download
memory/1556-1-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/1556-34-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2220-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2220-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2220-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2220-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2220-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2220-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2220-53-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2220-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2568-48-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2568-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2568-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2568-44-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2568-42-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2568-40-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2568-38-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2568-51-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2568-37-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2900-24-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2900-25-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2900-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2900-29-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2900-26-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2900-31-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2900-33-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2900-23-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download