hawkeye_reborn | 4945a1a4f65271de23a99eaad0b4a08b472b2dcb60a60a5b06f26afad49da181

General

Target

3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
Size

881KB
MD5

3fe7d81139bd40361330a07f47bb99e1
SHA1

391bc516fe8e1feae96fb3c7c31bcccec4fa20e6
SHA256

4945a1a4f65271de23a99eaad0b4a08b472b2dcb60a60a5b06f26afad49da181
SHA512

f22e4e2fa6be336cd26fb46f9b7d9cc656670f6c8abf5283e1cd35e718a95a53145937adc70036fc7cf850234c9090b05a190bafd9ae2ad20d9bf8441103f63e
SSDEEP

24576:nLCwk7wqvxM/lttDB2jLRE2x5yY5oCCea:wxMrDkLRn5t58j

Score

10^/10

hawkeye_reborn collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.0

Credentials

Protocol: ftp
Host:
ftp.kagabo.net
Port:
21
Username:
[email protected]
Password:
muN5j#u{1BT!

Mutex

1bc13938-5cd4-41e5-af60-e3e8be7d4823

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:5 _FTPPassword:muN5j#u{1BT! _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.kagabo.net _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:1bc13938-5cd4-41e5-af60-e3e8be7d4823 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/748-56-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/748-58-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/748-59-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/748-61-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/3028-34-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral1/memory/3028-36-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral1/memory/3028-37-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral1/memory/3028-41-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3028-34-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral1/memory/3028-36-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral1/memory/3028-37-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral1/memory/3028-41-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral1/memory/748-56-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/748-58-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/748-59-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/748-61-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe

description	pid	process	target process
PID 1252 set thread context of 2152	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 2152 set thread context of 3028	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 set thread context of 748	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exevbc.exe

pid	process
1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
3028	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1252 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe

pid process

2152 3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe

pid	process
2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe

description	pid	process	target process
PID 1252 wrote to memory of 1164	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 1164	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 1164	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 1164	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 1384	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 1384	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 1384	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 1384	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 1904	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 1904	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 1904	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 1904	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 1740	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 1740	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 1740	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 1740	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 2152	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 2152	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 2152	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 2152	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 2152	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 2152	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 2152	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 2152	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 1252 wrote to memory of 2152	1252	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
PID 2152 wrote to memory of 3028	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 3028	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 3028	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 3028	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 3028	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 3028	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 3028	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 3028	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 3028	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 3028	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 748	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 748	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 748	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 748	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 748	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 748	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 748	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 748	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 748	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe
PID 2152 wrote to memory of 748	2152	3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
"{path}"
2⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
"{path}"
2⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
"{path}"
2⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
"{path}"
2⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\3fe7d81139bd40361330a07f47bb99e1_JaffaCakes118.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9CCC.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8EAA.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:748

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9CCC.tmp
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/748-52-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/748-44-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/748-48-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/748-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/748-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/748-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/748-46-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/748-50-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/748-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1252-3-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/1252-0-0x0000000074701000-0x0000000074702000-memory.dmp

Filesize
4KB

Download
memory/1252-19-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/1252-2-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/1252-1-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-9-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2152-20-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-6-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2152-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2152-16-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2152-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2152-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2152-8-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2152-4-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2152-17-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-18-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-43-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/3028-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3028-41-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3028-39-0x0000000000460000-0x00000000004C7000-memory.dmp

Filesize
412KB

Download
memory/3028-24-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3028-28-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3028-30-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3028-23-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3028-37-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3028-36-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3028-34-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3028-26-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads