hawkeye_reborn | c7f427fc88416af7ea99c1f0f469e4ff7c7f758b29daa78bdbab9ab83f1ce569

General

Target

47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe
Size

702KB
MD5

47da4d3bf793afa1031e56f5b134386d
SHA1

1414910b990f88f2c17d26c4754b101be524a45d
SHA256

c7f427fc88416af7ea99c1f0f469e4ff7c7f758b29daa78bdbab9ab83f1ce569
SHA512

1e3dbd03ecf735f29e05eae89ecce00788627aa3fbf9817ae91a6994c177355ba925f742808cc52a6cfa57fa6509b221d3365447c47832eb9240665966c3e803
SSDEEP

12288:bmB+N54kL2uW2m0e/h80S8+FUU2+dfp0XPZZsKk7OHA1XItXKi4gA:w+j4M2Cm0uQ2+B0f9csTXKrg

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.zoho.com
Port:
587
Username:
[email protected]
Password:
Rule@.#1

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/3840-11-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3840-16-0x0000000007380000-0x00000000073F6000-memory.dmp	MailPassView
behavioral2/memory/3036-32-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3036-34-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3036-35-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3036-37-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3840-16-0x0000000007380000-0x00000000073F6000-memory.dmp	WebBrowserPassView
behavioral2/memory/116-20-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/116-22-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/116-23-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/116-30-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

resource	yara_rule
behavioral2/memory/3840-16-0x0000000007380000-0x00000000073F6000-memory.dmp	Nirsoft
behavioral2/memory/116-20-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/116-22-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/116-23-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/116-30-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3036-32-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3036-34-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3036-35-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3036-37-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 3840	2488	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	95
PID 3840 set thread context of 116	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	97
PID 3840 set thread context of 3036	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	98

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
116	vbc.exe
116	vbc.exe
116	vbc.exe
116	vbc.exe
116	vbc.exe
116	vbc.exe
116	vbc.exe
116	vbc.exe
116	vbc.exe
116	vbc.exe
116	vbc.exe
116	vbc.exe
3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe
3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe
Token: SeDebugPrivilege	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 3840	2488	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	95
PID 2488 wrote to memory of 3840	2488	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	95
PID 2488 wrote to memory of 3840	2488	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	95
PID 2488 wrote to memory of 3840	2488	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	95
PID 2488 wrote to memory of 3840	2488	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	95
PID 2488 wrote to memory of 3840	2488	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	95
PID 2488 wrote to memory of 3840	2488	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	95
PID 2488 wrote to memory of 3840	2488	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	95
PID 3840 wrote to memory of 116	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	97
PID 3840 wrote to memory of 116	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	97
PID 3840 wrote to memory of 116	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	97
PID 3840 wrote to memory of 116	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	97
PID 3840 wrote to memory of 116	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	97
PID 3840 wrote to memory of 116	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	97
PID 3840 wrote to memory of 116	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	97
PID 3840 wrote to memory of 116	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	97
PID 3840 wrote to memory of 116	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	97
PID 3840 wrote to memory of 3036	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	98
PID 3840 wrote to memory of 3036	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	98
PID 3840 wrote to memory of 3036	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	98
PID 3840 wrote to memory of 3036	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	98
PID 3840 wrote to memory of 3036	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	98
PID 3840 wrote to memory of 3036	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	98
PID 3840 wrote to memory of 3036	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	98
PID 3840 wrote to memory of 3036	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	98
PID 3840 wrote to memory of 3036	3840	47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp36DB.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\47da4d3bf793afa1031e56f5b134386d_JaffaCakes118.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp

Filesize
4KB

MD5
a13985d129d8bf808cec12f9fe7b4ed3

SHA1
3981490aa1ce9401c4470f0277fda627d9236356

SHA256
d3a2b4e44262cfbfb97652de5f54b36bfc525396d1d70dea03ab24c902dab8ef

SHA512
5c990ca4e978b874e0863ad4bf1ccbe04499960d5c17fb16776297d22db5f168aa3a5a9863ec5a9f8286dda2f9fd96852f2dc2ef029c13ba659e33694c344887

Download Submit
memory/116-28-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/116-30-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/116-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/116-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/116-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2488-7-0x00000000054B0000-0x00000000054BA000-memory.dmp

Filesize
40KB

Download
memory/2488-1-0x0000000000F80000-0x0000000001038000-memory.dmp

Filesize
736KB

Download
memory/2488-9-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/2488-10-0x0000000009CD0000-0x0000000009D6C000-memory.dmp

Filesize
624KB

Download
memory/2488-8-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/2488-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/2488-2-0x0000000007EB0000-0x0000000007FD0000-memory.dmp

Filesize
1.1MB

Download
memory/2488-15-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/2488-3-0x0000000005AC0000-0x0000000005AE0000-memory.dmp

Filesize
128KB

Download
memory/2488-4-0x0000000008580000-0x0000000008B24000-memory.dmp

Filesize
5.6MB

Download
memory/2488-5-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/2488-6-0x0000000008080000-0x0000000008112000-memory.dmp

Filesize
584KB

Download
memory/3036-32-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3036-34-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3036-35-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3036-37-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3840-18-0x0000000005070000-0x00000000050D6000-memory.dmp

Filesize
408KB

Download
memory/3840-17-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3840-16-0x0000000007380000-0x00000000073F6000-memory.dmp

Filesize
472KB

Download
memory/3840-14-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3840-11-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3840-38-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3840-39-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads