hawkeye | 8f635cc8326d76a55e41207ea05fc883cfaf7814c5f4a9004780011309504431

General

Target

36e8030d0946c331b4a667385163cb72_JaffaCakes118.exe
Size

537KB
MD5

36e8030d0946c331b4a667385163cb72
SHA1

4ea151afd9a99d82b7f9bbdeda9de9268e16cf5d
SHA256

8f635cc8326d76a55e41207ea05fc883cfaf7814c5f4a9004780011309504431
SHA512

5373fb48f7344f5e754e5ba5aa9098011b98863fbfdc4a8a4a37515692f606d6b5038c732a97d9d1317965fe3e6b2f26fba0f4f17f922f5e79577607016b62b1
SSDEEP

12288:ad6E5JTIFqdt2yHczPA1ZQ6UVIrSAa5iQF4Na:ad55JTvtHcuQ6UVIDa5i8O

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
alibaba123

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3928-29-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3928-31-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3928-32-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3928-34-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3928-29-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3928-31-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3928-32-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3928-34-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

36e8030d0946c331b4a667385163cb72_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	36e8030d0946c331b4a667385163cb72_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

Windows Update.exe

pid process

2196 Windows Update.exe
Executes dropped EXE 1 IoCs

Processes:

Windows Update.exe

pid process

2196 Windows Update.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2196	Windows Update.exe

pid	process
2196	Windows Update.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 checkip.dyndns.org

flow	ioc
24	checkip.dyndns.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

Windows Update.exe

description	pid	process	target process
PID 2196 set thread context of 3928	2196	Windows Update.exe	vbc.exe
PID 2196 set thread context of 3044	2196	Windows Update.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

36e8030d0946c331b4a667385163cb72_JaffaCakes118.exeWindows Update.exevbc.exe

pid	process
3892	36e8030d0946c331b4a667385163cb72_JaffaCakes118.exe
3892	36e8030d0946c331b4a667385163cb72_JaffaCakes118.exe
2196	Windows Update.exe
2196	Windows Update.exe
3044	vbc.exe
3044	vbc.exe
3044	vbc.exe
3044	vbc.exe
3044	vbc.exe
3044	vbc.exe
3044	vbc.exe
3044	vbc.exe
3044	vbc.exe
3044	vbc.exe
3044	vbc.exe
3044	vbc.exe
2196	Windows Update.exe
2196	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

36e8030d0946c331b4a667385163cb72_JaffaCakes118.exeWindows Update.exe

description pid process

Token: SeDebugPrivilege 3892 36e8030d0946c331b4a667385163cb72_JaffaCakes118.exe
Token: SeDebugPrivilege 2196 Windows Update.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

2196 Windows Update.exe

description	pid	process
Token: SeDebugPrivilege	3892	36e8030d0946c331b4a667385163cb72_JaffaCakes118.exe
Token: SeDebugPrivilege	2196	Windows Update.exe

pid	process
2196	Windows Update.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

36e8030d0946c331b4a667385163cb72_JaffaCakes118.exeWindows Update.exe

description	pid	process	target process
PID 3892 wrote to memory of 2196	3892	36e8030d0946c331b4a667385163cb72_JaffaCakes118.exe	Windows Update.exe
PID 3892 wrote to memory of 2196	3892	36e8030d0946c331b4a667385163cb72_JaffaCakes118.exe	Windows Update.exe
PID 3892 wrote to memory of 2196	3892	36e8030d0946c331b4a667385163cb72_JaffaCakes118.exe	Windows Update.exe
PID 2196 wrote to memory of 3928	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3928	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3928	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3928	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3928	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3928	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3928	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3928	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3928	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3044	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3044	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3044	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3044	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3044	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3044	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3044	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3044	2196	Windows Update.exe	vbc.exe
PID 2196 wrote to memory of 3044	2196	Windows Update.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\36e8030d0946c331b4a667385163cb72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36e8030d0946c331b4a667385163cb72_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:3928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\holderwb.txt"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
84B

MD5
16aae4f865a722f7ead179aa07490922

SHA1
6fed5b176894bace1a09b0e42f5c64a02bd6f1e8

SHA256
3c6eb241c7965e08508e0530efc6254fb525a1c34d070502ec2623a53adcd2bc

SHA512
d03d0a29df3334996f8161f402ffccfb8e1efd48a0389d1d9df6c43eaf537348a556bbd68de8acb1d308d6908026df562ffc330f1ce7c5348a5be5b4356656cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
4KB

MD5
10fa8ec140c204486092fb161e567ec7

SHA1
4d63e1f8df3afefedb19df73d7ee5f3b1e7b6473

SHA256
7176ca3d0196ec46f178107fdb587adaef3f6ea65daa80eccd2371a515880e04

SHA512
9db4eeb3f07d8d0579f75f3426c91156809152d8c1a37c9a27bf159888f6dd97f1212ac80f5bbb17e4d86f3087c512ccba2ca50a2db07d071370bd36364e1f76

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
537KB

MD5
36e8030d0946c331b4a667385163cb72

SHA1
4ea151afd9a99d82b7f9bbdeda9de9268e16cf5d

SHA256
8f635cc8326d76a55e41207ea05fc883cfaf7814c5f4a9004780011309504431

SHA512
5373fb48f7344f5e754e5ba5aa9098011b98863fbfdc4a8a4a37515692f606d6b5038c732a97d9d1317965fe3e6b2f26fba0f4f17f922f5e79577607016b62b1

Download Submit
memory/2196-17-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/2196-22-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/2196-48-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/2196-47-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/2196-19-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/2196-23-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/2196-20-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/3044-37-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3044-38-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3044-46-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3044-35-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3892-2-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/3892-3-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/3892-21-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/3892-0-0x0000000074C32000-0x0000000074C33000-memory.dmp

Filesize
4KB

Download
memory/3892-1-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/3892-4-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/3928-31-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3928-34-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3928-33-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/3928-32-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3928-29-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads