hawkeye | 9d117fd08c16840b8824c177b0e66fd82ec07a69b96b65f7132f142ae8ea6992 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

4dede04585...18.exe

windows7-x64

4dede04585...18.exe

windows10-2004-x64

Sharing

General

Target

4dede04585657972185c523b4a281889_JaffaCakes118
Size

984KB
Sample

240517-b72w8sca32
MD5

4dede04585657972185c523b4a281889
SHA1

bcfcec8578f63204a9dfabd2423b5d4ff5cf63ca
SHA256

9d117fd08c16840b8824c177b0e66fd82ec07a69b96b65f7132f142ae8ea6992
SHA512

d3324f4b4fc93f968ceceb9d15c079b73bcdb6caaeeee4158ad9a3216175bdc5e01e73b99cc61a1f05d35236dee0a16f4a447c344c868cdfd0cd9fd92c18193c
SSDEEP

12288:TePopiYFKOYCTnzbE3gWaBh1S0yagjHMbiZxE/XGchkLSkzQ4tMUQvAwnWlIVD6c:TwYFKOY1gW+hQ0yaC86xcGGkLLkNv

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

4dede04585657972185c523b4a281889_JaffaCakes118.exe

Resource

win7-20240221-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

4dede04585657972185c523b4a281889_JaffaCakes118.exe

Resource

win10v2004-20240508-en

windows10-2004-x64

0 signatures

150 seconds

Malware Config

Targets

- Target
  
  4dede04585657972185c523b4a281889_JaffaCakes118
- Size
  
  984KB
- MD5
  
  4dede04585657972185c523b4a281889
- SHA1
  
  bcfcec8578f63204a9dfabd2423b5d4ff5cf63ca
- SHA256
  
  9d117fd08c16840b8824c177b0e66fd82ec07a69b96b65f7132f142ae8ea6992
- SHA512
  
  d3324f4b4fc93f968ceceb9d15c079b73bcdb6caaeeee4158ad9a3216175bdc5e01e73b99cc61a1f05d35236dee0a16f4a447c344c868cdfd0cd9fd92c18193c
- SSDEEP
  
  12288:TePopiYFKOYCTnzbE3gWaBh1S0yagjHMbiZxE/XGchkLSkzQ4tMUQvAwnWlIVD6c:TwYFKOY1gW+hQ0yaC86xcGGkLLkNv
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.