hawkeye_reborn | a9b7dbcbe943925db368bcc5c700d3f77dde99190780b94dc9f1439fe17a4bba

Analysis

max time kernel
87s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe
Size

951KB
MD5

0bf39869b08ade7c8ed45ff5a26f70c4
SHA1

09ba2e264420ccd1cb0aae13501a7329c3493f54
SHA256

a9b7dbcbe943925db368bcc5c700d3f77dde99190780b94dc9f1439fe17a4bba
SHA512

4e17bfb64903b993f5aaa83ae844611566394a71596133d187ed2d38802b0c2d18781bbd6610f6628265ccc89fb1f4f69bae2a321048c38b104c1bab30259658
SSDEEP

24576:/lozTZfU0l3vcCbatx3vi9uPnl2NSBSynBG1ST:/lGzaT/iI4SBSynBV

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/5000-24-0x0000000005C20000-0x0000000005CB0000-memory.dmp	m00nd3v_logger
behavioral2/memory/4960-26-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1636-45-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/1636-46-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/1636-47-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2992-33-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/2992-35-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/2992-36-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/2992-43-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral2/memory/2992-33-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2992-35-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2992-36-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2992-43-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1636-45-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/1636-46-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/1636-47-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EyXKWK.url	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5000 set thread context of 4960	5000	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	89
PID 4960 set thread context of 2992	4960	RegAsm.exe	91
PID 4960 set thread context of 1636	4960	RegAsm.exe	92

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5000	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe
5000	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe
2992	vbc.exe
2992	vbc.exe
2992	vbc.exe
2992	vbc.exe
2992	vbc.exe
2992	vbc.exe
2992	vbc.exe
2992	vbc.exe
2992	vbc.exe
2992	vbc.exe
2992	vbc.exe
2992	vbc.exe
4960	RegAsm.exe
4960	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe
Token: SeDebugPrivilege	4960	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4960	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 3616	5000	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	86
PID 5000 wrote to memory of 3616	5000	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	86
PID 5000 wrote to memory of 3616	5000	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	86
PID 3616 wrote to memory of 1488	3616	csc.exe	88
PID 3616 wrote to memory of 1488	3616	csc.exe	88
PID 3616 wrote to memory of 1488	3616	csc.exe	88
PID 5000 wrote to memory of 4960	5000	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	89
PID 5000 wrote to memory of 4960	5000	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	89
PID 5000 wrote to memory of 4960	5000	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	89
PID 5000 wrote to memory of 4960	5000	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	89
PID 5000 wrote to memory of 4960	5000	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	89
PID 5000 wrote to memory of 4960	5000	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	89
PID 5000 wrote to memory of 4960	5000	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	89
PID 5000 wrote to memory of 4960	5000	0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe	89
PID 4960 wrote to memory of 2992	4960	RegAsm.exe	91
PID 4960 wrote to memory of 2992	4960	RegAsm.exe	91
PID 4960 wrote to memory of 2992	4960	RegAsm.exe	91
PID 4960 wrote to memory of 2992	4960	RegAsm.exe	91
PID 4960 wrote to memory of 2992	4960	RegAsm.exe	91
PID 4960 wrote to memory of 2992	4960	RegAsm.exe	91
PID 4960 wrote to memory of 2992	4960	RegAsm.exe	91
PID 4960 wrote to memory of 2992	4960	RegAsm.exe	91
PID 4960 wrote to memory of 2992	4960	RegAsm.exe	91
PID 4960 wrote to memory of 1636	4960	RegAsm.exe	92
PID 4960 wrote to memory of 1636	4960	RegAsm.exe	92
PID 4960 wrote to memory of 1636	4960	RegAsm.exe	92
PID 4960 wrote to memory of 1636	4960	RegAsm.exe	92
PID 4960 wrote to memory of 1636	4960	RegAsm.exe	92
PID 4960 wrote to memory of 1636	4960	RegAsm.exe	92
PID 4960 wrote to memory of 1636	4960	RegAsm.exe	92
PID 4960 wrote to memory of 1636	4960	RegAsm.exe	92
PID 4960 wrote to memory of 1636	4960	RegAsm.exe	92

C:\Users\Admin\AppData\Local\Temp\0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0bf39869b08ade7c8ed45ff5a26f70c4_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1psiuvil\1psiuvil.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3902.tmp" "c:\Users\Admin\AppData\Local\Temp\1psiuvil\CSC59AE6EB228024C32BB28A47DC41FFE76.TMP"
    3⤵
    PID:1488
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp65EE.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2992
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp69F6.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1psiuvil\1psiuvil.dll

Filesize
25KB

MD5
c99f85fec4223560ed008ec5953cde0e

SHA1
0f6c26e7d78bdf4a0af888d962304499f152243b

SHA256
e8233227ddd86a697fb7abc09a6ef2600383d3d691be28ba6a8f741d24be5ee0

SHA512
47a91184b07bf711e390bca5b598753fdf19ec9d5882b448cb19efde809f57e260e1609063a90d16e3a3663afb6b093450a5c604a0b989b4b6731f56189e9532

Download Submit
C:\Users\Admin\AppData\Local\Temp\1psiuvil\1psiuvil.pdb

Filesize
83KB

MD5
80883fcfcf05eca896c07acb41ba9369

SHA1
77bcf49ffb549df76c26ef66dcfb22fccdcee096

SHA256
e13e042183479808c7d3eaf02168e8d3e40f3b26005c9a2f3a82e3beb2211b2b

SHA512
a476f89df2342b8abddf34d5f2b10e3ff64850308ac3abeb0edc095a546f7c6cb138e31a1306f4a7e26bbc2f0ef6ed6b30fe461d8535b6fdb8fea8872b6aad34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3902.tmp

Filesize
1KB

MD5
6e184466c9be0e34d1c21e7aa6088fbd

SHA1
e28acbb90b86cab0209ededa8bdcc711f4201502

SHA256
b1296d9ba38070c91766ae5132bea65afce4a5742239e3561b468c1b3fdb7f11

SHA512
928a0b53ac52bd2e92579e5917be20f4df78b72c0f13270271298f964fa4ea0a750234c6ec26ba25793ec72922d7507527dc6cbba6e1340c2dfd7361e19e47e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp65EE.tmp

Filesize
4KB

MD5
e255c36d21183acb0a1a38b1344443f0

SHA1
9fd09dd85a76f8211e9ba81929a1f10d3c499917

SHA256
00459ae0cad2abd0641bc5e9fb35d08bccec2d498173adc35810ae820eb55b47

SHA512
0e1319f62957c7b3bf1d6573bf24a0bb1cbaf8a0665de6584483885f8c340545cacf36800436892073979a02f3739526569b8c01f862ca9a4b3940c31ad51d4a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1psiuvil\1psiuvil.0.cs

Filesize
63KB

MD5
db8db79a3b3807a4539ffdd44b3e030b

SHA1
6aa911e5e19e0286586186068efe2099ccea2d06

SHA256
84c25a6d9142065a80e4f4f01b6a5ee06eac1f2ef1f87806bf291e42099b1fc1

SHA512
1cb1f9ac55984b775fb79911493f34c71b7c0038dd32d468f17bc93b5d9a76f4185ff74b84fc5906311f4a9525390be03a7d5d3fe5f4c8eb06eb12c193e2b114

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1psiuvil\1psiuvil.cmdline

Filesize
312B

MD5
a60bf387a04035273348ba7b4580821d

SHA1
6087fca9bb6274a7aa572458f0a733a1ea28a863

SHA256
92a34eeb7407a1ed7982d77c418b849dc9645269007284cc4282820b8387eb62

SHA512
8b27e18356a570467348acc7aca2a865e0bb8a126a1f0f23f023a66e2c22e385b514f88a014c5ec174f6167b87a3cd9997c6ada49b3eb72b5a16f9623bab384d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1psiuvil\CSC59AE6EB228024C32BB28A47DC41FFE76.TMP

Filesize
1KB

MD5
9aa8ab35a08d31be690d998e77e8da69

SHA1
fbfdf7cb9d53f9f8ca8c7db81684252c936eafe5

SHA256
b3d29a83ec18b1467ad6b29190e242cc49212f48d15a21248a098e9c9516870d

SHA512
515e4497ea3f27ad939c47146c29dbdeb50f08f1a87d07611987afa730f0e4e7e7fd8614baab6a3f95a45221fe1e40fba1d61ff9a955b9ee7a9003856e72b5ee

Download Submit
memory/1636-47-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1636-46-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1636-45-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2992-35-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2992-36-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2992-43-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2992-41-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/2992-33-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4960-49-0x0000000075110000-0x00000000756C1000-memory.dmp

Filesize
5.7MB

Download
memory/4960-48-0x0000000075110000-0x00000000756C1000-memory.dmp

Filesize
5.7MB

Download
memory/4960-26-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4960-29-0x0000000075110000-0x00000000756C1000-memory.dmp

Filesize
5.7MB

Download
memory/4960-31-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/4960-30-0x0000000075110000-0x00000000756C1000-memory.dmp

Filesize
5.7MB

Download
memory/5000-0-0x0000000000B10000-0x0000000000BEC000-memory.dmp

Filesize
880KB

Download
memory/5000-20-0x0000000005B80000-0x0000000005C1A000-memory.dmp

Filesize
616KB

Download
memory/5000-28-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/5000-25-0x0000000005D50000-0x0000000005DEC000-memory.dmp

Filesize
624KB

Download
memory/5000-19-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/5000-17-0x0000000002EA0000-0x0000000002EAC000-memory.dmp

Filesize
48KB

Download
memory/5000-2-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/5000-1-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/5000-24-0x0000000005C20000-0x0000000005CB0000-memory.dmp

Filesize
576KB

Download
memory/5000-21-0x0000000005570000-0x000000000557C000-memory.dmp

Filesize
48KB

Download