hawkeye_reborn | 39da82aec5faf855d0e6c320cf9381f5f01f08dd4eb149790a07d71ea5f9fa95

General

Target

1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe
Size

937KB
MD5

1364992369a3d4b3b9fde7bd25887335
SHA1

74d4425da265cca1b665daee821cced920289a16
SHA256

39da82aec5faf855d0e6c320cf9381f5f01f08dd4eb149790a07d71ea5f9fa95
SHA512

8d92a3fd67e19e6bbc9d529cd07999a4deecb761bf5c7aa1fc8af64e4e526a22fe549d07bdef4590ced3f5350c4de514857306848b6ab955de1399e16eeed782
SSDEEP

12288:36o/xuDT9T8aP8dSfWy8i/bvKziF7j2w2BTwR6ry9msEUOOgGwbP8u7:k3QXy8i/bvkTHry9m/UOOgGcV

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/744-25-0x0000000005BF0000-0x0000000005C80000-memory.dmp	m00nd3v_logger
behavioral2/memory/3172-27-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

Processes:

1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.url	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe

description pid process target process

PID 744 set thread context of 3172 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe RegAsm.exe

flow	ioc
24	bot.whatismyipaddress.com

description	pid	process	target process
PID 744 set thread context of 3172	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe

pid	process
744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe
744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe
744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe
744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe
744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe
744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 744 1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 744 wrote to memory of 1656	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	csc.exe
PID 744 wrote to memory of 1656	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	csc.exe
PID 744 wrote to memory of 1656	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	csc.exe
PID 1656 wrote to memory of 3620	1656	csc.exe	cvtres.exe
PID 1656 wrote to memory of 3620	1656	csc.exe	cvtres.exe
PID 1656 wrote to memory of 3620	1656	csc.exe	cvtres.exe
PID 744 wrote to memory of 4624	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	RegAsm.exe
PID 744 wrote to memory of 4624	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	RegAsm.exe
PID 744 wrote to memory of 4624	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	RegAsm.exe
PID 744 wrote to memory of 3396	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	RegAsm.exe
PID 744 wrote to memory of 3396	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	RegAsm.exe
PID 744 wrote to memory of 3396	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	RegAsm.exe
PID 744 wrote to memory of 3172	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	RegAsm.exe
PID 744 wrote to memory of 3172	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	RegAsm.exe
PID 744 wrote to memory of 3172	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	RegAsm.exe
PID 744 wrote to memory of 3172	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	RegAsm.exe
PID 744 wrote to memory of 3172	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	RegAsm.exe
PID 744 wrote to memory of 3172	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	RegAsm.exe
PID 744 wrote to memory of 3172	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	RegAsm.exe
PID 744 wrote to memory of 3172	744	1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1364992369a3d4b3b9fde7bd25887335_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qgyzk3fb\qgyzk3fb.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4779.tmp" "c:\Users\Admin\AppData\Local\Temp\qgyzk3fb\CSCF77E605BC1A2414CA0637DA886BD0C9.TMP"
3⤵
PID:3620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:4624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:3396

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:3172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4779.tmp
Filesize
1KB

MD5
127362501203ad7262775871d8449229

SHA1
00ee38253a1bc2fe9e88a3e18eea5d6338f6aa6a

SHA256
1014ee74f061aa733c2d8dd7c23e6cae4a9178d66eae74c081d6357afcad7e9d

SHA512
a3a9fb063b19d528260fe3dfc84c5734d43f495b2ae7cf99cc7b5cb197ecd68fd3bbf0d951df773a414c843c9ad60478f2c4cc9ffe62a37f892dfabf41af44ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgyzk3fb\qgyzk3fb.dll
Filesize
8KB

MD5
7f4b4a467033bfc513a76a50bfc4c02b

SHA1
c42c013063ff8e0f373106d0c3d1ac9128d962ec

SHA256
8d1d701136315df2ac725c38e3445722cdaefe0a50bba0c33605eeed1b63b801

SHA512
274b77fecddb511ba5a7462fcf99af9415045a00b7bb199de96c9b7fabfa1fe8f1c9ae7be18c945540d94cee9bbf02f92ee19955e4f1302b487db3e6d7332590

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgyzk3fb\qgyzk3fb.pdb
Filesize
23KB

MD5
adfa900b0f7238fdf289f1ab7fb3878c

SHA1
155256be8c1ccafbdaee8a212a565cd7fc57ee43

SHA256
b1fbb8fd61a587a5380014d69e821652ef4011bb14a17e732e9046fe0980d720

SHA512
a79157bd21f4fd080a070b6ed8380cd9e8648e39c264a9999149ba12c7f0b4cb6a8bb95c16d03022c9758c438d5e8837db4c386c239f213c9d2ebfc4c0ac2a07

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qgyzk3fb\CSCF77E605BC1A2414CA0637DA886BD0C9.TMP
Filesize
1KB

MD5
7a8cb698ec30624e35b7f0383e36a07b

SHA1
3232146e8ef4ba248ee77082fe59c0f64744bdec

SHA256
6a6033f81d44e10c3ee207e4ca4fcb3e4b666237b3180bdfd73625fce73cbe6a

SHA512
4fda294338da6bbe43ab94798bd04d3c0c705ae46ca93a7c3be24e218f885a599b37299b86af03aaf6a8871bc02ff159010fbe1e38ccd84b78bd646d9914fc76

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qgyzk3fb\qgyzk3fb.0.cs
Filesize
10KB

MD5
f8936db8cda421561333bbd6b6dfc4fc

SHA1
8fc5c4503609360f480c6f5982e59cd3d7ac1ce2

SHA256
57150d9e80b21e69e7f5b2053a3f429a53983d1ae0510824e9d74fb06cadaec5

SHA512
b9049c70936817a3567286540c2f52d5c21f4f7bff4a3f2475e5a42e86cd448657b100483256f8d40344eb8f4b5351ea12529dea1faf51dde529f613deb98406

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qgyzk3fb\qgyzk3fb.cmdline
Filesize
312B

MD5
237d13f74da8be05b6165f1283d4b81c

SHA1
144e64eb61e2bb453236842e6ed2bd9a9f1bd4d6

SHA256
ceaf3392b6d9f9c25ccfb5eac432ec855ffd1b8b843827843de68dece25e6778

SHA512
79860481a8ae803799227268ed09e2e793fdd3da9f7ce7e14454e559e488cbba6e542e93e644f6ec938c3136e326df540a9020478dddf06690d7f8231703941e

Download Submit
memory/744-25-0x0000000005BF0000-0x0000000005C80000-memory.dmp

Filesize
576KB

Download
memory/744-21-0x0000000005B50000-0x0000000005BEA000-memory.dmp

Filesize
616KB

Download
memory/744-3-0x00000000014E0000-0x00000000014E8000-memory.dmp

Filesize
32KB

Download
memory/744-2-0x0000000005530000-0x00000000055C2000-memory.dmp

Filesize
584KB

Download
memory/744-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/744-19-0x0000000005520000-0x0000000005528000-memory.dmp

Filesize
32KB

Download
memory/744-4-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/744-22-0x0000000005730000-0x000000000573C000-memory.dmp

Filesize
48KB

Download
memory/744-1-0x0000000000C30000-0x0000000000CEE000-memory.dmp

Filesize
760KB

Download
memory/744-26-0x0000000005D20000-0x0000000005DBC000-memory.dmp

Filesize
624KB

Download
memory/744-29-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/3172-27-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3172-30-0x0000000074F12000-0x0000000074F13000-memory.dmp

Filesize
4KB

Download
memory/3172-31-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/3172-32-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/3172-35-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads