hawkeye_reborn | a9b7dbcbe943925db368bcc5c700d3f77dde99190780b94dc9f1439fe17a4bba

Analysis

max time kernel
135s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe
Size

951KB
MD5

0bf39869b08ade7c8ed45ff5a26f70c4
SHA1

09ba2e264420ccd1cb0aae13501a7329c3493f54
SHA256

a9b7dbcbe943925db368bcc5c700d3f77dde99190780b94dc9f1439fe17a4bba
SHA512

4e17bfb64903b993f5aaa83ae844611566394a71596133d187ed2d38802b0c2d18781bbd6610f6628265ccc89fb1f4f69bae2a321048c38b104c1bab30259658
SSDEEP

24576:/lozTZfU0l3vcCbatx3vi9uPnl2NSBSynBG1ST:/lGzaT/iI4SBSynBV

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 6 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/1968-23-0x0000000005200000-0x0000000005290000-memory.dmp	m00nd3v_logger
behavioral1/memory/2476-38-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2476-36-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2476-34-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2476-30-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2476-28-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/860-69-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/860-70-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/860-71-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2356-52-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2356-53-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2356-56-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral1/memory/2356-52-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2356-53-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2356-56-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/860-69-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/860-70-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/860-71-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EyXKWK.url	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1968 set thread context of 2476	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	31
PID 2476 set thread context of 2356	2476	RegAsm.exe	33
PID 2476 set thread context of 860	2476	RegAsm.exe	36

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe
1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe
2356	vbc.exe
2356	vbc.exe
2356	vbc.exe
2356	vbc.exe
2356	vbc.exe
2476	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe
Token: SeDebugPrivilege	2476	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2476	RegAsm.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2564	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	28
PID 1968 wrote to memory of 2564	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	28
PID 1968 wrote to memory of 2564	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	28
PID 1968 wrote to memory of 2564	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	28
PID 2564 wrote to memory of 2656	2564	csc.exe	30
PID 2564 wrote to memory of 2656	2564	csc.exe	30
PID 2564 wrote to memory of 2656	2564	csc.exe	30
PID 2564 wrote to memory of 2656	2564	csc.exe	30
PID 1968 wrote to memory of 2476	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2476	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2476	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2476	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2476	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2476	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2476	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2476	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2476	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2476	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2476	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2476	1968	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2356	2476	RegAsm.exe	33
PID 2476 wrote to memory of 2356	2476	RegAsm.exe	33
PID 2476 wrote to memory of 2356	2476	RegAsm.exe	33
PID 2476 wrote to memory of 2356	2476	RegAsm.exe	33
PID 2476 wrote to memory of 2356	2476	RegAsm.exe	33
PID 2476 wrote to memory of 2356	2476	RegAsm.exe	33
PID 2476 wrote to memory of 2356	2476	RegAsm.exe	33
PID 2476 wrote to memory of 2356	2476	RegAsm.exe	33
PID 2476 wrote to memory of 2356	2476	RegAsm.exe	33
PID 2476 wrote to memory of 2356	2476	RegAsm.exe	33
PID 2476 wrote to memory of 860	2476	RegAsm.exe	36
PID 2476 wrote to memory of 860	2476	RegAsm.exe	36
PID 2476 wrote to memory of 860	2476	RegAsm.exe	36
PID 2476 wrote to memory of 860	2476	RegAsm.exe	36
PID 2476 wrote to memory of 860	2476	RegAsm.exe	36
PID 2476 wrote to memory of 860	2476	RegAsm.exe	36
PID 2476 wrote to memory of 860	2476	RegAsm.exe	36
PID 2476 wrote to memory of 860	2476	RegAsm.exe	36
PID 2476 wrote to memory of 860	2476	RegAsm.exe	36
PID 2476 wrote to memory of 860	2476	RegAsm.exe	36

C:\Users\Admin\AppData\Local\Temp\0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vdxznejn\vdxznejn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DDD.tmp" "c:\Users\Admin\AppData\Local\Temp\vdxznejn\CSC140F6CC4539940408D49AF87FF7A9992.TMP"
    3⤵
    PID:2656
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp48A4.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2356
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3A53.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1DDD.tmp

Filesize
1KB

MD5
8dc578a602136ffc58f45bc2cd174f66

SHA1
b48c71791cae4f1b6f0441e4ab426d084e6889d4

SHA256
f10e224d13b03210bed77fbbb2ba7f854b752a629a279d75b6de32646372ac92

SHA512
d12ea0e845543381a4ffe558eda99f19b6bf056e81520ebcfa796782fc22e2ecf9b2a6bd1b145744b262d3c17aa7a4294bf0c48fa2d6c0fe25331402eb7b0ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp48A4.tmp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdxznejn\vdxznejn.dll

Filesize
25KB

MD5
3bb6d8b22aaff655e855519f49990cbc

SHA1
301e49c9fdfc9ce08360a3d93331df3ed1c61cc2

SHA256
b902a121a72e0fb2fdd10ce6a9fb09f98350a8aa3fbc35d151b206b5a5f1f88e

SHA512
5f60fd7521f2b0df5c2cedbe12c9b712098ba560ddb57ddbb4c3c068205a13c19c07d1fa293dc03f32c69876e408d96de93e8d3277f081de190b52bb32050bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdxznejn\vdxznejn.pdb

Filesize
83KB

MD5
92ece087eb30b62a6f79da5570f33282

SHA1
a08ad7af5642012b36195f2b3aa0a97452bc05c2

SHA256
80df1248daa4bc9ce98a9be1b46537d6c608d346dbf650977e0819a1283b9488

SHA512
25be83cd93be862680c34dbc1757a8a68ec173eae5b727c4c418164d086ba6695263a4eec1406c813bd569957301597042ff298e54540bf8168a6406fcda536a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vdxznejn\CSC140F6CC4539940408D49AF87FF7A9992.TMP

Filesize
1KB

MD5
4bf17362a77f478871e73aecc29357ad

SHA1
038e157543517cec33859c42365b198057cb374b

SHA256
61655d3f982df6b9ea90e0b3b5b12fd4223cea748efb981f3f13adf59232905e

SHA512
52dd0ef6ef968066ace05a7733d8f84bbbc8b3d2d2b2986f406850447605763cb3a11d4ea7c03c98f88b97647b2012f2478e17b30eceae1b3e10c8d0d6adc360

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vdxznejn\vdxznejn.0.cs

Filesize
63KB

MD5
db8db79a3b3807a4539ffdd44b3e030b

SHA1
6aa911e5e19e0286586186068efe2099ccea2d06

SHA256
84c25a6d9142065a80e4f4f01b6a5ee06eac1f2ef1f87806bf291e42099b1fc1

SHA512
1cb1f9ac55984b775fb79911493f34c71b7c0038dd32d468f17bc93b5d9a76f4185ff74b84fc5906311f4a9525390be03a7d5d3fe5f4c8eb06eb12c193e2b114

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vdxznejn\vdxznejn.cmdline

Filesize
312B

MD5
e4efd0ade81f6df28c1c13ee817a5096

SHA1
681ae5675ffd4ee650f02296df5a60680811be9b

SHA256
862e50f90d45be080c09f488050de91ac7c99c4cbb3f4fe6cbcadc5c820e4710

SHA512
d3a8cb9b050478dada7ea05406c0759dc3dda6ebd8a61a0e2e99cb1295f72dee97cc45860f46d6d155b04cd0a990a02ecd7092050a4fc4ad229375d03effe735

Download Submit
memory/860-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/860-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/860-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/860-69-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/860-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/860-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/860-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/860-70-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1968-0-0x0000000000C80000-0x0000000000D5C000-memory.dmp

Filesize
880KB

Download
memory/1968-39-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-4-0x0000000000A00000-0x0000000000A40000-memory.dmp

Filesize
256KB

Download
memory/1968-23-0x0000000005200000-0x0000000005290000-memory.dmp

Filesize
576KB

Download
memory/1968-20-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/1968-19-0x0000000005060000-0x00000000050FA000-memory.dmp

Filesize
616KB

Download
memory/1968-17-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1968-1-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2356-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2356-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2356-49-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2356-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2356-53-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2356-45-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2356-43-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2356-52-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2356-41-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2476-28-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2476-30-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2476-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2476-34-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2476-36-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2476-38-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2476-24-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2476-26-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download