hawkeye | 4709aa80f390c88e8fff0dfd4dc049150a3c627dda06a78b0d7b407c1bc46ac5 | Triage

Submit
Reports

Overview

overview

Static

static

3

5327761769...18.exe

windows7-x64

5327761769...18.exe

windows10-2004-x64

Sharing

General

Target

53277617691e152fa4c3c4d8e829cb98_JaffaCakes118
Size

1.1MB
Sample

240518-fsrj6sdb7w
MD5

53277617691e152fa4c3c4d8e829cb98
SHA1

27ea079be2661093bb51dc3f8bb446ce23442805
SHA256

4709aa80f390c88e8fff0dfd4dc049150a3c627dda06a78b0d7b407c1bc46ac5
SHA512

ebc2ab96fb91af26f4536d9320e9f4842efb8d845b9e2ecc8420c8d0423b3e4f35b631ce2636e8662cbbefcabf4bfafccec0f51b352aa174c19ab16d72b0ef0d
SSDEEP

24576:nUMXIaug4/aJTMxiveFrZTssjbSEmsY6hnZggGEzHSz:U8/MaJoo2FrZIsjbS76hSlEzSz

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe

Resource

win7-20240221-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe

Resource

win10v2004-20240508-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.ru
Port:
587
Username:
[email protected]
Password:
moneyY23@@YYCK

Targets

- Target
  
  53277617691e152fa4c3c4d8e829cb98_JaffaCakes118
- Size
  
  1.1MB
- MD5
  
  53277617691e152fa4c3c4d8e829cb98
- SHA1
  
  27ea079be2661093bb51dc3f8bb446ce23442805
- SHA256
  
  4709aa80f390c88e8fff0dfd4dc049150a3c627dda06a78b0d7b407c1bc46ac5
- SHA512
  
  ebc2ab96fb91af26f4536d9320e9f4842efb8d845b9e2ecc8420c8d0423b3e4f35b631ce2636e8662cbbefcabf4bfafccec0f51b352aa174c19ab16d72b0ef0d
- SSDEEP
  
  24576:nUMXIaug4/aJTMxiveFrZTssjbSEmsY6hnZggGEzHSz:U8/MaJoo2FrZIsjbS76hSlEzSz
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Scripting

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy