hawkeye | 8db60922ef95a644bfb0dced7bed12037c2045b842a2525b2b13713659a997b3

Analysis

max time kernel
124s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe
Size

987KB
MD5

5bd63568e12753b7d4c1c3132f60b6ed
SHA1

c4dd12a2142102d979be73457f500d10ea7572cd
SHA256

8db60922ef95a644bfb0dced7bed12037c2045b842a2525b2b13713659a997b3
SHA512

82c3ab207dea015862f9163079cabfe69fcb27f58730d93372cf7704a3cddc0944b348a624e9b19ff5f9b7756f402aa8095d24df2800f62da04ba4467e6bdd5b
SSDEEP

24576:XQRRRRRRRRRRRRRRRRRRRRRtOperrOUj6k7ZqC30Qa/1T/lQ5m1zYHB3wMAx0ZDt:XQRRRRRRRRRRRRRRRRRRRRRtak7Zx7ae

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 7 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2160-27-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/2160-28-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/2160-21-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/2956-36-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2956-34-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2956-38-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2956-40-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2160-27-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/2160-28-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/2160-21-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/2800-42-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/2800-41-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/2800-45-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2160-27-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/2160-28-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/2160-21-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/2956-36-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2956-34-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2956-38-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2956-40-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2800-42-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/2800-41-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/2800-45-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

FDbYJGPJIMHHJYLOXhFYW.cmd

pid	Process
2028	FDbYJGPJIMHHJYLOXhFYW.cmd

Loads dropped DLL 1 IoCs

Processes:

5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe

pid	Process
2740	5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
6	whatismyipaddress.com
7	whatismyipaddress.com
4	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

FDbYJGPJIMHHJYLOXhFYW.cmdRegAsm.exe

description	pid	Process	procid_target
PID 2028 set thread context of 2160	2028	FDbYJGPJIMHHJYLOXhFYW.cmd	29
PID 2160 set thread context of 2956	2160	RegAsm.exe	31
PID 2160 set thread context of 2800	2160	RegAsm.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description	pid	Process
Token: SeDebugPrivilege	2160	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid	Process
2160	RegAsm.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exeFDbYJGPJIMHHJYLOXhFYW.cmdRegAsm.exe

description	pid	Process	procid_target
PID 2740 wrote to memory of 2028	2740	5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe	28
PID 2740 wrote to memory of 2028	2740	5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe	28
PID 2740 wrote to memory of 2028	2740	5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe	28
PID 2740 wrote to memory of 2028	2740	5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2160	2028	FDbYJGPJIMHHJYLOXhFYW.cmd	29
PID 2028 wrote to memory of 2160	2028	FDbYJGPJIMHHJYLOXhFYW.cmd	29
PID 2028 wrote to memory of 2160	2028	FDbYJGPJIMHHJYLOXhFYW.cmd	29
PID 2028 wrote to memory of 2160	2028	FDbYJGPJIMHHJYLOXhFYW.cmd	29
PID 2028 wrote to memory of 2160	2028	FDbYJGPJIMHHJYLOXhFYW.cmd	29
PID 2028 wrote to memory of 2160	2028	FDbYJGPJIMHHJYLOXhFYW.cmd	29
PID 2028 wrote to memory of 2160	2028	FDbYJGPJIMHHJYLOXhFYW.cmd	29
PID 2028 wrote to memory of 2160	2028	FDbYJGPJIMHHJYLOXhFYW.cmd	29
PID 2028 wrote to memory of 2160	2028	FDbYJGPJIMHHJYLOXhFYW.cmd	29
PID 2160 wrote to memory of 2956	2160	RegAsm.exe	31
PID 2160 wrote to memory of 2956	2160	RegAsm.exe	31
PID 2160 wrote to memory of 2956	2160	RegAsm.exe	31
PID 2160 wrote to memory of 2956	2160	RegAsm.exe	31
PID 2160 wrote to memory of 2956	2160	RegAsm.exe	31
PID 2160 wrote to memory of 2956	2160	RegAsm.exe	31
PID 2160 wrote to memory of 2956	2160	RegAsm.exe	31
PID 2160 wrote to memory of 2956	2160	RegAsm.exe	31
PID 2160 wrote to memory of 2956	2160	RegAsm.exe	31
PID 2160 wrote to memory of 2956	2160	RegAsm.exe	31
PID 2160 wrote to memory of 2800	2160	RegAsm.exe	32
PID 2160 wrote to memory of 2800	2160	RegAsm.exe	32
PID 2160 wrote to memory of 2800	2160	RegAsm.exe	32
PID 2160 wrote to memory of 2800	2160	RegAsm.exe	32
PID 2160 wrote to memory of 2800	2160	RegAsm.exe	32
PID 2160 wrote to memory of 2800	2160	RegAsm.exe	32
PID 2160 wrote to memory of 2800	2160	RegAsm.exe	32
PID 2160 wrote to memory of 2800	2160	RegAsm.exe	32
PID 2160 wrote to memory of 2800	2160	RegAsm.exe	32
PID 2160 wrote to memory of 2800	2160	RegAsm.exe	32

C:\Users\Admin\AppData\Local\Temp\5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FDbYJGPJIMHHJYLOXhFYW.cmd
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FDbYJGPJIMHHJYLOXhFYW.cmd SbiDRFVKIIiZJASONeU
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    - CmdLine Args
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:2956
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      4⤵
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SbiDRFVKIIiZJASONeU

Filesize
47KB

MD5
8f8bdd3f46607ec723e7b0c62d295f8e

SHA1
afdc803abca61bc47aa6950cab358487178b4fa1

SHA256
9720771a54ff3a6a9fd80672594f342cb110ae2b9188bb02b71b6f9b17c15dc2

SHA512
5c49f396cd77da118e1057240ec21eeb030416abb9f19c05a44b013a707ab54107d5d9c30c63589ac1d1304dd8e34e3d07d891adfa0ea3f933666f9797ed472b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YOiBCgOKTMSG

Filesize
502KB

MD5
bdc680640772c0c6e62844909f2d001e

SHA1
15202a5ebb783518319a9456eb30a9b13a22dbc5

SHA256
a7750c69e11868fa5dbf52abbc35f62b454d9e29df45046eadf835bb3d5db091

SHA512
61bf6557525a397613707d5f03176cf78355572745e0891913702cebdecbe23c972915c16830f399ef7c3edc6bbb50cc494b965442eb65205fd61080aa430726

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\FDbYJGPJIMHHJYLOXhFYW.cmd

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/2028-19-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2160-28-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2160-27-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2160-21-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2160-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2160-31-0x00000000744C2000-0x00000000744C4000-memory.dmp

Filesize
8KB

Download
memory/2160-48-0x00000000744C0000-0x0000000074A6B000-memory.dmp

Filesize
5.7MB

Download
memory/2160-47-0x00000000744C2000-0x00000000744C4000-memory.dmp

Filesize
8KB

Download
memory/2160-37-0x00000000744C0000-0x0000000074A6B000-memory.dmp

Filesize
5.7MB

Download
memory/2160-20-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2800-42-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2800-41-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2800-45-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2800-44-0x0000000000460000-0x00000000005E1000-memory.dmp

Filesize
1.5MB

Download
memory/2956-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2956-38-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2956-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2956-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download