hawkeye_reborn | 880a8e92a551eadbe2100603827a0f37146b7d8bd32dca0d571dd153b2b46e0d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe
Size

750KB
MD5

1ff187482465cab97f45861705d4aea8
SHA1

014219f8768444e4a2c8bc0519c4869d4537f419
SHA256

880a8e92a551eadbe2100603827a0f37146b7d8bd32dca0d571dd153b2b46e0d
SHA512

647b687774cd9cf4a71605021e34d68972381d694405d358dc3627ef262bcabbb15f09da62503c548840c2bd423d7b1c2af50cfb800ee022f6ea91ed50cb16f1
SSDEEP

12288:YhHe7H2bIKv7J4nDCrLuIeOgSkb94+NCjjq09eW3IKaIt1frZhAQap2svLxHw:++7H2FJucpeO3khc/IWIItN+v

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/4532-25-0x0000000005670000-0x0000000005700000-memory.dmp	m00nd3v_logger
behavioral2/memory/5092-27-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4032-41-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4032-42-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4032-44-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3676-32-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3676-33-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3676-39-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral2/memory/3676-32-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3676-33-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3676-39-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4032-41-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4032-42-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4032-44-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RfVYLH.url	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4532 set thread context of 5092	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	91
PID 5092 set thread context of 3676	5092	RegAsm.exe	105
PID 5092 set thread context of 4032	5092	RegAsm.exe	106

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe
4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
5092	RegAsm.exe
5092	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe
Token: SeDebugPrivilege	5092	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5092	RegAsm.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 4656	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	83
PID 4532 wrote to memory of 4656	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	83
PID 4532 wrote to memory of 4656	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	83
PID 4656 wrote to memory of 4704	4656	csc.exe	86
PID 4656 wrote to memory of 4704	4656	csc.exe	86
PID 4656 wrote to memory of 4704	4656	csc.exe	86
PID 4532 wrote to memory of 3400	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	87
PID 4532 wrote to memory of 3400	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	87
PID 4532 wrote to memory of 3400	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	87
PID 4532 wrote to memory of 2744	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	89
PID 4532 wrote to memory of 2744	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	89
PID 4532 wrote to memory of 2744	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	89
PID 4532 wrote to memory of 5092	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	91
PID 4532 wrote to memory of 5092	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	91
PID 4532 wrote to memory of 5092	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	91
PID 4532 wrote to memory of 5092	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	91
PID 4532 wrote to memory of 5092	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	91
PID 4532 wrote to memory of 5092	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	91
PID 4532 wrote to memory of 5092	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	91
PID 4532 wrote to memory of 5092	4532	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	91
PID 5092 wrote to memory of 3676	5092	RegAsm.exe	105
PID 5092 wrote to memory of 3676	5092	RegAsm.exe	105
PID 5092 wrote to memory of 3676	5092	RegAsm.exe	105
PID 5092 wrote to memory of 3676	5092	RegAsm.exe	105
PID 5092 wrote to memory of 3676	5092	RegAsm.exe	105
PID 5092 wrote to memory of 3676	5092	RegAsm.exe	105
PID 5092 wrote to memory of 3676	5092	RegAsm.exe	105
PID 5092 wrote to memory of 3676	5092	RegAsm.exe	105
PID 5092 wrote to memory of 3676	5092	RegAsm.exe	105
PID 5092 wrote to memory of 4032	5092	RegAsm.exe	106
PID 5092 wrote to memory of 4032	5092	RegAsm.exe	106
PID 5092 wrote to memory of 4032	5092	RegAsm.exe	106
PID 5092 wrote to memory of 4032	5092	RegAsm.exe	106
PID 5092 wrote to memory of 4032	5092	RegAsm.exe	106
PID 5092 wrote to memory of 4032	5092	RegAsm.exe	106
PID 5092 wrote to memory of 4032	5092	RegAsm.exe	106
PID 5092 wrote to memory of 4032	5092	RegAsm.exe	106
PID 5092 wrote to memory of 4032	5092	RegAsm.exe	106

C:\Users\Admin\AppData\Local\Temp\1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mqq0z4hn\mqq0z4hn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34DB.tmp" "c:\Users\Admin\AppData\Local\Temp\mqq0z4hn\CSC149085E3BAA4204BCC7BFE928A6A8C.TMP"
    3⤵
    PID:4704
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /query
  2⤵
  PID:3400
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /sc MINUTE /tn RfVYLH /MO 1 /tr "C:\Users\Admin\AppData\Roaming\000000\sys32null.exe\
  2⤵
  - Creates scheduled task(s)
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6050.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3676
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6458.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES34DB.tmp

Filesize
1KB

MD5
dbf0fda739840b6c00ff91e30d44ee81

SHA1
d2e748193993c31ec52b9f0f500b097db07bc487

SHA256
ada9e6229a5f57e4de6b032efd4483637e59e450358a6ebccd73bd2b4c5b3657

SHA512
bab5e78eff2fa50c86bb6f5b7f80aab5329769e1e367ed633aa05fa8a9f5e607c8ff89f1f2791aebb622744af112c40198061fe3990581b3237a047d6b45cf62

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqq0z4hn\mqq0z4hn.dll

Filesize
7KB

MD5
41d75b16183bce8545891005ef5f425d

SHA1
ab8e7306b47ba8934c5a73fdfe1cc345ed831cdc

SHA256
c0952da8dfb1fd25e7f54584995ea6190397ee87448010366513aa873f0a6a74

SHA512
5d6ae9847fe26d19bdd64442a85d4520b1f12e507e5ac6efc8ce7048bfde1ced49bac868384e9b983707211c0594c1072d0b6bc601b5181481f852956a63db6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqq0z4hn\mqq0z4hn.pdb

Filesize
19KB

MD5
84050e1ff4677bf1d17a5173dc9bc7ae

SHA1
5d6b3568c443770212e9fff2a4c058814e30c677

SHA256
c03babc32e55a23f3e8f7844871e216233ba245eb2790b36e5d9132aa19c1b79

SHA512
0b19226d0240bd4d4fc57358e61759b1c37260dddf640c21ca4ef4ecd0a70609a17177a91075567a66039733ddcb576915272f607d24aa5b1d51112e1e6640eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6050.tmp

Filesize
4KB

MD5
3d79772cb52eae57a5e761a5d3d466e7

SHA1
89f87216378db8908209f16f8f6349763cc0e080

SHA256
eb857706074df8614a393dded51282eff46bf5781df31f06e1b369141012e4b0

SHA512
956a0fa6152cec091e42fc450ebf380b76887e4e4f7fbee9a540fe3f7f67f039ad1acb2301269d34df90e3db3f10ef1bb42f5ecdc3a81d1d77023b4b4aeee707

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mqq0z4hn\CSC149085E3BAA4204BCC7BFE928A6A8C.TMP

Filesize
1KB

MD5
2564342446314dc5fd0ab5ee45c6aae2

SHA1
7f209c56534faba9da161f3d6722d8cc5706e8a7

SHA256
a324811b789020171159c25e46f8a07d097c7ba4dc1e766e243cfbd956f14670

SHA512
abc936d76d1c2e7260ebd5969520030a9ed5393564efb13ff30e6379067c7e22d229d7336c095fe187e600945cdab5e5d94932d04e2ce755662142f9574d8b0f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mqq0z4hn\mqq0z4hn.0.cs

Filesize
5KB

MD5
673ecdec7f6b53899d44e694f054022b

SHA1
06d169aa1909b8a2a78fdca41762ac2f5a36b54f

SHA256
fe1d99724cfc9c4c95353eed185ea53e96bfac440b2ee4837bd7ee226025a488

SHA512
f820d06b03a30afcd116c53559f119a61fd9aded2157d7db4b6b81af7557ecb48aa20247f081b7eaff5a701148ce0b0a7035faa77725cbae405a4a4317f27537

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mqq0z4hn\mqq0z4hn.cmdline

Filesize
312B

MD5
578de14e361479b5f49780a3dd2662ed

SHA1
cafb65ddcad99eb28def2b334db7d27d8edbc0c2

SHA256
97aff7e48b88c56545de214feba6051fc260e500b3eea06ab078a9e03fbea9a1

SHA512
a79dbc3a32ae2eae418366eddabb1ae28cb431ddee51df35421fc7ce2d4ef0e7730ad49caa53904b581cfc9f9ba9eb68f9e39c1ddc4ce25f9ffd2e5c1748fc7e

Download Submit
memory/3676-32-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3676-39-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3676-33-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4032-41-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4032-42-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4032-43-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/4032-44-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4532-21-0x00000000055D0000-0x000000000566A000-memory.dmp

Filesize
616KB

Download
memory/4532-26-0x00000000057A0000-0x000000000583C000-memory.dmp

Filesize
624KB

Download
memory/4532-29-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/4532-25-0x0000000005670000-0x0000000005700000-memory.dmp

Filesize
576KB

Download
memory/4532-22-0x00000000050D0000-0x00000000050DC000-memory.dmp

Filesize
48KB

Download
memory/4532-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

Filesize
4KB

Download
memory/4532-19-0x0000000005070000-0x0000000005078000-memory.dmp

Filesize
32KB

Download
memory/4532-4-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/4532-3-0x0000000002AC0000-0x0000000002AC8000-memory.dmp

Filesize
32KB

Download
memory/4532-2-0x0000000004F70000-0x0000000005002000-memory.dmp

Filesize
584KB

Download
memory/4532-1-0x0000000000570000-0x0000000000632000-memory.dmp

Filesize
776KB

Download
memory/5092-27-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5092-30-0x0000000074BD0000-0x0000000074BF4000-memory.dmp

Filesize
144KB

Download