hawkeye | 8db60922ef95a644bfb0dced7bed12037c2045b842a2525b2b13713659a997b3

General

Target

5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe
Size

987KB
MD5

5bd63568e12753b7d4c1c3132f60b6ed
SHA1

c4dd12a2142102d979be73457f500d10ea7572cd
SHA256

8db60922ef95a644bfb0dced7bed12037c2045b842a2525b2b13713659a997b3
SHA512

82c3ab207dea015862f9163079cabfe69fcb27f58730d93372cf7704a3cddc0944b348a624e9b19ff5f9b7756f402aa8095d24df2800f62da04ba4467e6bdd5b
SSDEEP

24576:XQRRRRRRRRRRRRRRRRRRRRRtOperrOUj6k7ZqC30Qa/1T/lQ5m1zYHB3wMAx0ZDt:XQRRRRRRRRRRRRRRRRRRRRRtak7Zx7ae

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1256-18-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral2/memory/3152-33-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3152-35-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3152-31-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/1256-18-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral2/memory/408-36-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/408-37-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/408-44-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1256-18-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral2/memory/3152-33-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3152-35-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3152-31-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/408-36-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/408-37-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/408-44-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

FDbYJGPJIMHHJYLOXhFYW.cmd

pid	Process
3932	FDbYJGPJIMHHJYLOXhFYW.cmd

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
13	whatismyipaddress.com
16	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

FDbYJGPJIMHHJYLOXhFYW.cmdRegAsm.exe

description	pid	Process	procid_target
PID 3932 set thread context of 1256	3932	FDbYJGPJIMHHJYLOXhFYW.cmd	92
PID 1256 set thread context of 3152	1256	RegAsm.exe	104
PID 1256 set thread context of 408	1256	RegAsm.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid	Process
408	vbc.exe
408	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description	pid	Process
Token: SeDebugPrivilege	1256	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid	Process
1256	RegAsm.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exeFDbYJGPJIMHHJYLOXhFYW.cmdRegAsm.exe

description	pid	Process	procid_target
PID 3104 wrote to memory of 3932	3104	5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe	90
PID 3104 wrote to memory of 3932	3104	5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe	90
PID 3104 wrote to memory of 3932	3104	5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe	90
PID 3932 wrote to memory of 1256	3932	FDbYJGPJIMHHJYLOXhFYW.cmd	92
PID 3932 wrote to memory of 1256	3932	FDbYJGPJIMHHJYLOXhFYW.cmd	92
PID 3932 wrote to memory of 1256	3932	FDbYJGPJIMHHJYLOXhFYW.cmd	92
PID 3932 wrote to memory of 1256	3932	FDbYJGPJIMHHJYLOXhFYW.cmd	92
PID 3932 wrote to memory of 1256	3932	FDbYJGPJIMHHJYLOXhFYW.cmd	92
PID 1256 wrote to memory of 3152	1256	RegAsm.exe	104
PID 1256 wrote to memory of 3152	1256	RegAsm.exe	104
PID 1256 wrote to memory of 3152	1256	RegAsm.exe	104
PID 1256 wrote to memory of 3152	1256	RegAsm.exe	104
PID 1256 wrote to memory of 3152	1256	RegAsm.exe	104
PID 1256 wrote to memory of 3152	1256	RegAsm.exe	104
PID 1256 wrote to memory of 3152	1256	RegAsm.exe	104
PID 1256 wrote to memory of 3152	1256	RegAsm.exe	104
PID 1256 wrote to memory of 3152	1256	RegAsm.exe	104
PID 1256 wrote to memory of 408	1256	RegAsm.exe	108
PID 1256 wrote to memory of 408	1256	RegAsm.exe	108
PID 1256 wrote to memory of 408	1256	RegAsm.exe	108
PID 1256 wrote to memory of 408	1256	RegAsm.exe	108
PID 1256 wrote to memory of 408	1256	RegAsm.exe	108
PID 1256 wrote to memory of 408	1256	RegAsm.exe	108
PID 1256 wrote to memory of 408	1256	RegAsm.exe	108
PID 1256 wrote to memory of 408	1256	RegAsm.exe	108
PID 1256 wrote to memory of 408	1256	RegAsm.exe	108

C:\Users\Admin\AppData\Local\Temp\5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5bd63568e12753b7d4c1c3132f60b6ed_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FDbYJGPJIMHHJYLOXhFYW.cmd
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FDbYJGPJIMHHJYLOXhFYW.cmd SbiDRFVKIIiZJASONeU
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    - CmdLine Args
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:3152
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4252,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:8
1⤵
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FDbYJGPJIMHHJYLOXhFYW.cmd

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SbiDRFVKIIiZJASONeU

Filesize
47KB

MD5
8f8bdd3f46607ec723e7b0c62d295f8e

SHA1
afdc803abca61bc47aa6950cab358487178b4fa1

SHA256
9720771a54ff3a6a9fd80672594f342cb110ae2b9188bb02b71b6f9b17c15dc2

SHA512
5c49f396cd77da118e1057240ec21eeb030416abb9f19c05a44b013a707ab54107d5d9c30c63589ac1d1304dd8e34e3d07d891adfa0ea3f933666f9797ed472b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YOiBCgOKTMSG

Filesize
502KB

MD5
bdc680640772c0c6e62844909f2d001e

SHA1
15202a5ebb783518319a9456eb30a9b13a22dbc5

SHA256
a7750c69e11868fa5dbf52abbc35f62b454d9e29df45046eadf835bb3d5db091

SHA512
61bf6557525a397613707d5f03176cf78355572745e0891913702cebdecbe23c972915c16830f399ef7c3edc6bbb50cc494b965442eb65205fd61080aa430726

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
memory/408-36-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/408-44-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/408-37-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1256-18-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1256-28-0x00000000740C0000-0x0000000074671000-memory.dmp

Filesize
5.7MB

Download
memory/1256-27-0x00000000740C0000-0x0000000074671000-memory.dmp

Filesize
5.7MB

Download
memory/1256-26-0x00000000740C0000-0x0000000074671000-memory.dmp

Filesize
5.7MB

Download
memory/1256-23-0x00000000740C2000-0x00000000740C3000-memory.dmp

Filesize
4KB

Download
memory/1256-45-0x00000000740C0000-0x0000000074671000-memory.dmp

Filesize
5.7MB

Download
memory/1256-46-0x00000000740C2000-0x00000000740C3000-memory.dmp

Filesize
4KB

Download
memory/1256-47-0x00000000740C0000-0x0000000074671000-memory.dmp

Filesize
5.7MB

Download
memory/3152-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3152-35-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3152-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3932-17-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads