hawkeye | 4709aa80f390c88e8fff0dfd4dc049150a3c627dda06a78b0d7b407c1bc46ac5

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe
Size

1.1MB
MD5

53277617691e152fa4c3c4d8e829cb98
SHA1

27ea079be2661093bb51dc3f8bb446ce23442805
SHA256

4709aa80f390c88e8fff0dfd4dc049150a3c627dda06a78b0d7b407c1bc46ac5
SHA512

ebc2ab96fb91af26f4536d9320e9f4842efb8d845b9e2ecc8420c8d0423b3e4f35b631ce2636e8662cbbefcabf4bfafccec0f51b352aa174c19ab16d72b0ef0d
SSDEEP

24576:nUMXIaug4/aJTMxiveFrZTssjbSEmsY6hnZggGEzHSz:U8/MaJoo2FrZIsjbS76hSlEzSz

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.ru
Port:
587
Username:
[email protected]
Password:
moneyY23@@YYCK

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 6 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2496-54-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2496-52-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2496-49-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/1536-58-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1536-59-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1536-61-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2496-54-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2496-52-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2496-49-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2500-62-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/2500-67-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/2500-63-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2496-54-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2496-52-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2496-49-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/1536-58-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1536-59-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1536-61-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2500-62-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/2500-67-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/2500-63-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

filename.exefilename.exe

pid process

2668 filename.exe
2496 filename.exe
Loads dropped DLL 4 IoCs

Processes:

53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exefilename.exedw20.exe

pid process

2740 53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe
2740 53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe
2668 filename.exe
1868 dw20.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2668	filename.exe
2496	filename.exe

pid	process
2740	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe
2740	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe
2668	filename.exe
1868	dw20.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

filename.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\Desktop\\filename.exe"	filename.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\Desktop\\filename.exe"	filename.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 whatismyipaddress.com
12 whatismyipaddress.com
13 whatismyipaddress.com

flow	ioc
10	whatismyipaddress.com
12	whatismyipaddress.com
13	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

filename.exefilename.exe

description	pid	process	target process
PID 2668 set thread context of 2496	2668	filename.exe	filename.exe
PID 2496 set thread context of 1536	2496	filename.exe	vbc.exe
PID 2496 set thread context of 2500	2496	filename.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

filename.exe

pid process

2496 filename.exe

pid	process
2496	filename.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exefilename.exefilename.exe

description	pid	process
Token: SeDebugPrivilege	2740	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe
Token: SeDebugPrivilege	2668	filename.exe
Token: SeDebugPrivilege	2496	filename.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

filename.exe

pid process

2496 filename.exe

pid	process
2496	filename.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exefilename.exefilename.exe

description	pid	process	target process
PID 2740 wrote to memory of 2668	2740	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe	filename.exe
PID 2740 wrote to memory of 2668	2740	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe	filename.exe
PID 2740 wrote to memory of 2668	2740	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe	filename.exe
PID 2740 wrote to memory of 2668	2740	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe	filename.exe
PID 2668 wrote to memory of 2496	2668	filename.exe	filename.exe
PID 2668 wrote to memory of 2496	2668	filename.exe	filename.exe
PID 2668 wrote to memory of 2496	2668	filename.exe	filename.exe
PID 2668 wrote to memory of 2496	2668	filename.exe	filename.exe
PID 2668 wrote to memory of 2496	2668	filename.exe	filename.exe
PID 2668 wrote to memory of 2496	2668	filename.exe	filename.exe
PID 2668 wrote to memory of 2496	2668	filename.exe	filename.exe
PID 2668 wrote to memory of 2496	2668	filename.exe	filename.exe
PID 2668 wrote to memory of 2496	2668	filename.exe	filename.exe
PID 2496 wrote to memory of 1536	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 1536	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 1536	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 1536	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 1536	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 1536	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 1536	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 1536	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 1536	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 1536	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 2500	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 2500	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 2500	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 2500	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 2500	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 2500	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 2500	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 2500	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 2500	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 2500	2496	filename.exe	vbc.exe
PID 2496 wrote to memory of 1868	2496	filename.exe	dw20.exe
PID 2496 wrote to memory of 1868	2496	filename.exe	dw20.exe
PID 2496 wrote to memory of 1868	2496	filename.exe	dw20.exe
PID 2496 wrote to memory of 1868	2496	filename.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\Desktop\filename.exe
"C:\Users\Admin\Desktop\filename.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\Desktop\filename.exe
"C:\Users\Admin\Desktop\filename.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
4⤵
- Accesses Microsoft Outlook accounts
PID:1536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
4⤵
PID:2500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1084
4⤵
- Loads dropped DLL
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F
Filesize
834B

MD5
cbed24fd2b55aea95367efca5ee889de

SHA1
946f48b5c344fd57113845cd483fed5fb9fa3e54

SHA256
1dc8a0fcbe260b77adfe5ad9aaac543239b2a0d9f4e1f3c2657beee4376ffee4

SHA512
c504a11ea576f8ce14de26a0617e22e71e14db0f1dadefc187ce94e4a35a83743c743824e3629899c262aae4772bb86a0ee5bb643db20645483f0c376215ec6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_244F8153991C95DE7516D65AE7D1F0F6
Filesize
1KB

MD5
13affd7ca33dffe5e0c718ae0c8b77b0

SHA1
b4d5ba26fb29de5423119b234347fc0e3261bb3f

SHA256
7ca93293e1b412edaf65243efdb05653b67f2fe0c9e863472ae5688660650f91

SHA512
6d77b1b93b4fc166f1cb27e57f302f8781355eb2ae4e27a8a8bbc16ff2af84a26cdfc8a12d152e0e2838abde4a50911ebbbf11332d8b9b567854619aa3b195d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
Filesize
404B

MD5
65ef063c06b6880e4b881819d4ed9294

SHA1
abb3dd2af0054a4e0e4c37632740e0adef5a1f68

SHA256
960c0f346188e61af576c68483754c13e426d921ad148c04df5b07607812c801

SHA512
c03716c3eb1caef647a41c8f77cb48ad06d2296ea2dc670683c891caf48e1cb20f385188235cff76c850f41bbcb505e35ee89e766d1921668c5896bfac991545

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F
Filesize
188B

MD5
040075ff61593971de7e2377976c38c9

SHA1
9439066d6a24a56ce024f1dde145c7735574cdbe

SHA256
6a3feef5cd5e7ab75b2639c517ffa30b6b54926efd5f2765d74c3a56ea01989d

SHA512
42fc578f80c4597540d5deb9deecf97dbb59df46c0862dc7f0647d185b09ffa663144bb8b7a29fd183ad749f0334a5046978e9180449559039670fa6f1607165

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
07b7ca8afc90a8de4e0fa958f74ba8d8

SHA1
4700d5eb4a82b85fdc32d260ebc9dd8a93024fe3

SHA256
0591f07c198a4c8a9432458e9099f17d5ae29d06efe8d54a148fb833818a4a35

SHA512
a335bc86e69d4abc3063bf839df4bc790063c3a06e9875c98b6c444ae6f49245c6d1a4ad858b42ed5b60424af04c6c8bd0d3ea99d2a187603af39b0f1c355a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_244F8153991C95DE7516D65AE7D1F0F6
Filesize
398B

MD5
cd8a0342f0d493dd3dcbdbaa82eb9cb0

SHA1
f198b9bdeee94eb87b68397df68ec419ae0eb047

SHA256
09bbf59e8d6ec3cfbb301474c8e19d4d92dcf5e101f9353984c62b0338576f50

SHA512
f5239fb6931be0e5439db76afba11923ea167ab482ad18769f514d3df0ab900b7d78f18acfe3721de6eb9db4d9ff054abc78db2ed992bc1b617964c905d1d2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1B00.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\Desktop\filename.exe
Filesize
1.1MB

MD5
53277617691e152fa4c3c4d8e829cb98

SHA1
27ea079be2661093bb51dc3f8bb446ce23442805

SHA256
4709aa80f390c88e8fff0dfd4dc049150a3c627dda06a78b0d7b407c1bc46ac5

SHA512
ebc2ab96fb91af26f4536d9320e9f4842efb8d845b9e2ecc8420c8d0423b3e4f35b631ce2636e8662cbbefcabf4bfafccec0f51b352aa174c19ab16d72b0ef0d

Download Submit
memory/1536-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-61-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2496-69-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2496-54-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2496-52-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2496-49-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2496-55-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2500-62-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2500-67-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2500-63-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2668-68-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2668-32-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2740-0-0x0000000074C41000-0x0000000074C42000-memory.dmp

Filesize
4KB

Download
memory/2740-33-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2740-1-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download