hawkeye_reborn | 08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd

Analysis

max time kernel
133s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe
Size

772KB
MD5

114f9255de59954ae627cc7bf2869cf9
SHA1

6d4f439a590083f4dc4bdcf25b1aae93fdde99e0
SHA256

08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd
SHA512

3fedb776d22a0fc626f35c6b12653083be52298765b97ecbb234b7c960440de7e808e6c15d5d8aff15148b1319781fdaafc717274e601cce02df8c0f2d5aa04d
SSDEEP

12288:HSQhQTLlzZqhpAS5Trl+AJe6h4jJejAyUgcD5yEq8Ojwlv:zutoheShg6h41vyUrqlW

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/1096-23-0x0000000005E90000-0x0000000005F20000-memory.dmp	m00nd3v_logger
behavioral2/memory/4896-25-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/5092-44-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/5092-45-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/5092-46-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3640-32-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3640-34-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3640-35-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3640-42-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral2/memory/3640-32-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3640-34-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3640-35-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3640-42-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/5092-44-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/5092-45-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/5092-46-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 4896	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	88
PID 4896 set thread context of 3640	4896	RegAsm.exe	102
PID 4896 set thread context of 5092	4896	RegAsm.exe	103

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe
1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe
1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe
1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe
3640	vbc.exe
3640	vbc.exe
3640	vbc.exe
3640	vbc.exe
3640	vbc.exe
3640	vbc.exe
3640	vbc.exe
3640	vbc.exe
3640	vbc.exe
3640	vbc.exe
3640	vbc.exe
3640	vbc.exe
4896	RegAsm.exe
4896	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe
Token: SeDebugPrivilege	4896	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4896	RegAsm.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 4272	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	83
PID 1096 wrote to memory of 4272	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	83
PID 1096 wrote to memory of 4272	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	83
PID 4272 wrote to memory of 1412	4272	csc.exe	85
PID 4272 wrote to memory of 1412	4272	csc.exe	85
PID 4272 wrote to memory of 1412	4272	csc.exe	85
PID 1096 wrote to memory of 1564	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	86
PID 1096 wrote to memory of 1564	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	86
PID 1096 wrote to memory of 1564	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	86
PID 1096 wrote to memory of 4896	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	88
PID 1096 wrote to memory of 4896	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	88
PID 1096 wrote to memory of 4896	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	88
PID 1096 wrote to memory of 4896	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	88
PID 1096 wrote to memory of 4896	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	88
PID 1096 wrote to memory of 4896	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	88
PID 1096 wrote to memory of 4896	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	88
PID 1096 wrote to memory of 4896	1096	114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe	88
PID 4896 wrote to memory of 3640	4896	RegAsm.exe	102
PID 4896 wrote to memory of 3640	4896	RegAsm.exe	102
PID 4896 wrote to memory of 3640	4896	RegAsm.exe	102
PID 4896 wrote to memory of 3640	4896	RegAsm.exe	102
PID 4896 wrote to memory of 3640	4896	RegAsm.exe	102
PID 4896 wrote to memory of 3640	4896	RegAsm.exe	102
PID 4896 wrote to memory of 3640	4896	RegAsm.exe	102
PID 4896 wrote to memory of 3640	4896	RegAsm.exe	102
PID 4896 wrote to memory of 3640	4896	RegAsm.exe	102
PID 4896 wrote to memory of 5092	4896	RegAsm.exe	103
PID 4896 wrote to memory of 5092	4896	RegAsm.exe	103
PID 4896 wrote to memory of 5092	4896	RegAsm.exe	103
PID 4896 wrote to memory of 5092	4896	RegAsm.exe	103
PID 4896 wrote to memory of 5092	4896	RegAsm.exe	103
PID 4896 wrote to memory of 5092	4896	RegAsm.exe	103
PID 4896 wrote to memory of 5092	4896	RegAsm.exe	103
PID 4896 wrote to memory of 5092	4896	RegAsm.exe	103
PID 4896 wrote to memory of 5092	4896	RegAsm.exe	103

C:\Users\Admin\AppData\Local\Temp\114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\114f9255de59954ae627cc7bf2869cf9_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\shxqrqhx\shxqrqhx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AC7.tmp" "c:\Users\Admin\AppData\Local\Temp\shxqrqhx\CSC5BD2E7BD2BF4466595289C3AF819C7B.TMP"
    3⤵
    PID:1412
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6571.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3640
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6979.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3AC7.tmp

Filesize
1KB

MD5
d03bc03e460897a4268dc695def3e858

SHA1
8c9c130f42ea4a0ecd69ca74b622c3140dee7193

SHA256
f4cc2a1e80ddf1f231b2bd09796aafffa0e2df4c5cdd2aeec6a4f67933c439c1

SHA512
e28854538856089df7da8e3d018f0da4707a41218322c4a1384f88d55306cbca7cbc506d47e883558379529b737517b205efacd1d14311d05458fe60fe691ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\shxqrqhx\shxqrqhx.dll

Filesize
9KB

MD5
1243ee7a7d3a68b248777cee8ed27ccb

SHA1
800fdce72a524a6cbf415b68bbe9d17098c5e18f

SHA256
7bdbd17ad214c2715e602f38f23702b60849c29bb1127ff059f53d09f7e9c0c5

SHA512
efde0f24e6742e5a0ae41dc8bcacefe6efb27b0100f26bacb53c537d3b15c4742b8f8a4381be522e04fac270a5828778da7420ffa163ef19e0451f3b090fb953

Download Submit
C:\Users\Admin\AppData\Local\Temp\shxqrqhx\shxqrqhx.pdb

Filesize
27KB

MD5
8f64eb6e56b7e376faacac84da5e64e4

SHA1
515583bba0a983fb29c069b098f26fdc4028af94

SHA256
560860109c07ffd0567bce30c99e7fd18974107606860b4f23f8c065d3009683

SHA512
dca63ad50b1fe7c7874a85da1e64d6d221943b6660394e81bff9bc480b7d815123432fabff866da172f860a433e997589784515ee3221ebd6b81263b432581d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6571.tmp

Filesize
4KB

MD5
ffac57f3af894e11bc3b35a6f57e8d3e

SHA1
24fbd90d6dd2a857714504f95d0943fd8c19ac92

SHA256
76b287236dd90b8bd6d7ea8df80a6e0ce7267270de339c028d5965c6f7a242a6

SHA512
f504f37eb536ec0c84923be7944b14c4a21e39db27f657c9bb0a4f3fe00573f31589233bb0bd4b43add65498863d384cfd8508ea18fa339415a5265d2f8264b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\shxqrqhx\CSC5BD2E7BD2BF4466595289C3AF819C7B.TMP

Filesize
1KB

MD5
bec97bb3a226398dc6b138616cf004ac

SHA1
67e7f05dd5c7dc339f331a4f3f529d7fc055e148

SHA256
07acdaf6036af6da048d4581df3e296cdb549900588db5a1f612a808916fbe2e

SHA512
1fdb2ffd74ba8e4f103f8d262f282ab8f9496d096c64292295af7ebfeadb0cb987d78922fdd7eb7b3f57a3b4941dcd6a5ba613484c46b2d6899db828f7676cc6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\shxqrqhx\shxqrqhx.0.cs

Filesize
17KB

MD5
1eed8b456610b069b7fb3bc76ddbec96

SHA1
9b17e2f62631775b89cca34c1cdc9ea9fbd3d4ba

SHA256
2bba3ab6332f7a3196ee3b0ee29ffac3e1cf206803b96f7a7b39a261ddd741b1

SHA512
c950a13ae648284f0c0b4090a57f45c68a0393055085ab8d74ca7363d3bc7985be6962546510fa5655e85d2f7c1037a008591556a1c4e979443e5ea11364c801

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\shxqrqhx\shxqrqhx.cmdline

Filesize
312B

MD5
566230a0679b96d0b98000144a921dfd

SHA1
7790f9554e9df0542aa0277d377c81528d3669b3

SHA256
7e1ba34ab84f70b586f14f7c51a0229abaa49f64b9488ac9e6b5dd5bfdd69057

SHA512
204d2d2caea9eca1bba97a5e3965cb9183babc541aba61fd0359886471614f27e0d3bee936f28d016d50b3f97a0aa1f9c2afb36ca56df911c569201c458ec822

Download Submit
memory/1096-4-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/1096-0-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

Filesize
4KB

Download
memory/1096-3-0x0000000005970000-0x0000000005978000-memory.dmp

Filesize
32KB

Download
memory/1096-2-0x00000000057A0000-0x0000000005832000-memory.dmp

Filesize
584KB

Download
memory/1096-19-0x00000000059A0000-0x00000000059A8000-memory.dmp

Filesize
32KB

Download
memory/1096-21-0x0000000005DF0000-0x0000000005E8A000-memory.dmp

Filesize
616KB

Download
memory/1096-22-0x00000000059C0000-0x00000000059CC000-memory.dmp

Filesize
48KB

Download
memory/1096-23-0x0000000005E90000-0x0000000005F20000-memory.dmp

Filesize
576KB

Download
memory/1096-24-0x0000000005FC0000-0x000000000605C000-memory.dmp

Filesize
624KB

Download
memory/1096-1-0x0000000000DB0000-0x0000000000E76000-memory.dmp

Filesize
792KB

Download
memory/1096-27-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/3640-40-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/3640-42-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3640-35-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3640-32-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3640-34-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4896-30-0x0000000071180000-0x0000000071731000-memory.dmp

Filesize
5.7MB

Download
memory/4896-28-0x0000000071182000-0x0000000071183000-memory.dmp

Filesize
4KB

Download
memory/4896-29-0x0000000071180000-0x0000000071731000-memory.dmp

Filesize
5.7MB

Download
memory/4896-25-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4896-47-0x0000000071182000-0x0000000071183000-memory.dmp

Filesize
4KB

Download
memory/4896-48-0x0000000071180000-0x0000000071731000-memory.dmp

Filesize
5.7MB

Download
memory/5092-44-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5092-45-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5092-46-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download