hawkeye_reborn | 08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd

Analysis

max time kernel
135s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe
Size

772KB
MD5

114f9255de59954ae627cc7bf2869cf9
SHA1

6d4f439a590083f4dc4bdcf25b1aae93fdde99e0
SHA256

08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd
SHA512

3fedb776d22a0fc626f35c6b12653083be52298765b97ecbb234b7c960440de7e808e6c15d5d8aff15148b1319781fdaafc717274e601cce02df8c0f2d5aa04d
SSDEEP

12288:HSQhQTLlzZqhpAS5Trl+AJe6h4jJejAyUgcD5yEq8Ojwlv:zutoheShg6h41vyUrqlW

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 6 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/624-22-0x0000000005250000-0x00000000052E0000-memory.dmp	m00nd3v_logger
behavioral1/memory/2596-30-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2596-26-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2596-34-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2596-32-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2596-27-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2944-65-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/2944-66-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/2944-67-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2456-49-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2456-48-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2456-52-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral1/memory/2456-49-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2456-48-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2456-52-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2944-65-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/2944-66-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/2944-67-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 624 set thread context of 2596	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	31
PID 2596 set thread context of 2456	2596	RegAsm.exe	33
PID 2596 set thread context of 2944	2596	RegAsm.exe	36

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe
624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe
2456	vbc.exe
2456	vbc.exe
2456	vbc.exe
2456	vbc.exe
2456	vbc.exe
2596	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe
Token: SeDebugPrivilege	2596	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2596	RegAsm.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 2240	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	28
PID 624 wrote to memory of 2240	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	28
PID 624 wrote to memory of 2240	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	28
PID 624 wrote to memory of 2240	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	28
PID 2240 wrote to memory of 1788	2240	csc.exe	30
PID 2240 wrote to memory of 1788	2240	csc.exe	30
PID 2240 wrote to memory of 1788	2240	csc.exe	30
PID 2240 wrote to memory of 1788	2240	csc.exe	30
PID 624 wrote to memory of 2596	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	31
PID 624 wrote to memory of 2596	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	31
PID 624 wrote to memory of 2596	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	31
PID 624 wrote to memory of 2596	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	31
PID 624 wrote to memory of 2596	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	31
PID 624 wrote to memory of 2596	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	31
PID 624 wrote to memory of 2596	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	31
PID 624 wrote to memory of 2596	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	31
PID 624 wrote to memory of 2596	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	31
PID 624 wrote to memory of 2596	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	31
PID 624 wrote to memory of 2596	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	31
PID 624 wrote to memory of 2596	624	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	31
PID 2596 wrote to memory of 2456	2596	RegAsm.exe	33
PID 2596 wrote to memory of 2456	2596	RegAsm.exe	33
PID 2596 wrote to memory of 2456	2596	RegAsm.exe	33
PID 2596 wrote to memory of 2456	2596	RegAsm.exe	33
PID 2596 wrote to memory of 2456	2596	RegAsm.exe	33
PID 2596 wrote to memory of 2456	2596	RegAsm.exe	33
PID 2596 wrote to memory of 2456	2596	RegAsm.exe	33
PID 2596 wrote to memory of 2456	2596	RegAsm.exe	33
PID 2596 wrote to memory of 2456	2596	RegAsm.exe	33
PID 2596 wrote to memory of 2456	2596	RegAsm.exe	33
PID 2596 wrote to memory of 2944	2596	RegAsm.exe	36
PID 2596 wrote to memory of 2944	2596	RegAsm.exe	36
PID 2596 wrote to memory of 2944	2596	RegAsm.exe	36
PID 2596 wrote to memory of 2944	2596	RegAsm.exe	36
PID 2596 wrote to memory of 2944	2596	RegAsm.exe	36
PID 2596 wrote to memory of 2944	2596	RegAsm.exe	36
PID 2596 wrote to memory of 2944	2596	RegAsm.exe	36
PID 2596 wrote to memory of 2944	2596	RegAsm.exe	36
PID 2596 wrote to memory of 2944	2596	RegAsm.exe	36
PID 2596 wrote to memory of 2944	2596	RegAsm.exe	36

C:\Users\Admin\AppData\Local\Temp\114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3aq1raho\3aq1raho.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11AD.tmp" "c:\Users\Admin\AppData\Local\Temp\3aq1raho\CSC88AC3B52657C49F790F8BB11D2E5D79F.TMP"
    3⤵
    PID:1788
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3BB9.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2456
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2D58.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3aq1raho\3aq1raho.dll

Filesize
9KB

MD5
87273b46c67ba079b18fb43b5913a48e

SHA1
9e9080c7cc1c6e65328f7cbe8bcabe9b111b9456

SHA256
d74cd139e0827f48b04d8aec3a855a9600530c1902f32e3421a65dcaab45cf85

SHA512
3b71b9c0f90484373498f4d487ba9687d038e458221a787e7f47c930dc38408d1c9c3a0a5b47f9815540eff52eb07112aedad42d4fd9e0d32f8037c30814f04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3aq1raho\3aq1raho.pdb

Filesize
27KB

MD5
c0eb0a13e76fa1447f20fb5a47c07eaa

SHA1
dd67c4e73fbdfeca649ab0858789511a6f32fb5f

SHA256
02dea70c9749b319272bad368bc120a303e0a688e50b0d0aa8f5ccc894d9d40b

SHA512
16d221c3e43ebbbdabdb5889b660f49ffa03f749ef0b4224b77a3b60aab0950ce38eb5362b58a6d08df3f7d7562f29ca978fbfe38ac5229351082ebeb64c4bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES11AD.tmp

Filesize
1KB

MD5
3dbd67f71b8a9b30064f89b631bb7a94

SHA1
e1e0abfdd111688e52f1019a1547cbae7f9edc9e

SHA256
1c7ff319e9552b0cf15f65b27ff059802362731cc7356a79e0b4cd9f2948d350

SHA512
7e2344be0416b6bcd34b13227c8948de2b6d5ecfc97565c9d6be409f9616fea1cd4e862f47bf020ffa0ad9d592add82b3322d80c80be0b4c881e76852088505a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3BB9.tmp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3aq1raho\3aq1raho.0.cs

Filesize
17KB

MD5
1eed8b456610b069b7fb3bc76ddbec96

SHA1
9b17e2f62631775b89cca34c1cdc9ea9fbd3d4ba

SHA256
2bba3ab6332f7a3196ee3b0ee29ffac3e1cf206803b96f7a7b39a261ddd741b1

SHA512
c950a13ae648284f0c0b4090a57f45c68a0393055085ab8d74ca7363d3bc7985be6962546510fa5655e85d2f7c1037a008591556a1c4e979443e5ea11364c801

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3aq1raho\3aq1raho.cmdline

Filesize
312B

MD5
e1c500e61861ffd208bddd00a8260d5e

SHA1
90b86ac3abae5cde3492d83a3d1f1a6c26512114

SHA256
420e6a949fa4c8ac359575f059c4d6f147bffca79601ad065f5d9ce04206fb37

SHA512
066db7a14eb228233e3ddc0462a8be7d2b259804e812c2cf43e3c28450c5666615be594a663f7ba113f0d7f6b0059cab3adedbf7739dbb5c0a6345c5f6084675

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3aq1raho\CSC88AC3B52657C49F790F8BB11D2E5D79F.TMP

Filesize
1KB

MD5
e0b550ef725417fbb0a1631075fc42b9

SHA1
76ed9921ff7a7b7465f57b6fe106b3d5e68400d1

SHA256
612caf4dcc4d5136ae955f0259dd75c7beee51d9313a704b83980bef2ad39124

SHA512
2e7080ffa8e85f726bbcfece01334134cab608d925ce6aaebc21457ef1443d6cfd58c12a5415c334616f1b801ec1cc9fc5917821cbbdeb88fb43612f58adffd3

Download Submit
memory/624-35-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/624-3-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/624-18-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/624-2-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/624-20-0x00000000051B0000-0x000000000524A000-memory.dmp

Filesize
616KB

Download
memory/624-21-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/624-22-0x0000000005250000-0x00000000052E0000-memory.dmp

Filesize
576KB

Download
memory/624-1-0x0000000001030000-0x00000000010F6000-memory.dmp

Filesize
792KB

Download
memory/624-0-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/2456-39-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2456-43-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2456-52-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2456-45-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2456-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2456-48-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2456-49-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2456-38-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2456-42-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2596-27-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2596-25-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2596-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2596-32-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2596-34-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2596-30-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2596-26-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2596-23-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2944-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2944-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2944-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2944-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2944-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2944-54-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2944-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2944-67-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download