hawkeye_reborn | 314aec84e8bc95e59b62e69580e6f0525a53e0914c50c89da8f81cc84f93cf42

General

Target

6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe
Size

900KB
MD5

6dff832f07ea61ef0fa90d148cf09509
SHA1

6831f7896e97c992593474731cbfa6fb1a45e698
SHA256

314aec84e8bc95e59b62e69580e6f0525a53e0914c50c89da8f81cc84f93cf42
SHA512

7cf036e2238e280da5f2b2d3134f80ddd10cc90fdbba7115bed4dcd038cf61026db81757c3ba968cec0378334cada10ea7ae673be6d9bbb875c78798f6ed9047
SSDEEP

24576:KKOQZ1K7cdUIV4+M3EaRfUP6KbHkLYzCcpYsK5LExBMS:KKOQG7cVM3r1iHFzCMYskIw

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/3704-22-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3704-25-0x0000000005130000-0x00000000051A6000-memory.dmp	MailPassView
behavioral2/memory/3228-37-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3228-38-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3228-39-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3704-25-0x0000000005130000-0x00000000051A6000-memory.dmp	WebBrowserPassView
behavioral2/memory/2332-28-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/2332-29-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/2332-35-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3704-25-0x0000000005130000-0x00000000051A6000-memory.dmp	Nirsoft
behavioral2/memory/2332-28-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2332-29-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2332-35-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3228-37-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3228-38-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3228-39-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

app.exe

pid process

3112 app.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3112	app.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

app.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Local\\app.exe -boot"	app.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

app.exeRegAsm.exe

description	pid	process	target process
PID 3112 set thread context of 3704	3112	app.exe	RegAsm.exe
PID 3704 set thread context of 2332	3704	RegAsm.exe	vbc.exe
PID 3704 set thread context of 3228	3704	RegAsm.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

vbc.exe

pid process

2332 vbc.exe
2332 vbc.exe
2332 vbc.exe
2332 vbc.exe
2332 vbc.exe
2332 vbc.exe
2332 vbc.exe
2332 vbc.exe
2332 vbc.exe
2332 vbc.exe
2332 vbc.exe
2332 vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exeapp.exe

description pid process

Token: SeDebugPrivilege 4508 6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe
Token: SeDebugPrivilege 3112 app.exe

pid	process
2332	vbc.exe
2332	vbc.exe
2332	vbc.exe
2332	vbc.exe
2332	vbc.exe
2332	vbc.exe
2332	vbc.exe
2332	vbc.exe
2332	vbc.exe
2332	vbc.exe
2332	vbc.exe
2332	vbc.exe

description	pid	process
Token: SeDebugPrivilege	4508	6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe
Token: SeDebugPrivilege	3112	app.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.execmd.exeapp.exeRegAsm.exe

description	pid	process	target process
PID 4508 wrote to memory of 3776	4508	6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe	cmd.exe
PID 4508 wrote to memory of 3776	4508	6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe	cmd.exe
PID 4508 wrote to memory of 3776	4508	6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe	cmd.exe
PID 4508 wrote to memory of 1508	4508	6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe	cmd.exe
PID 4508 wrote to memory of 1508	4508	6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe	cmd.exe
PID 4508 wrote to memory of 1508	4508	6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe	cmd.exe
PID 1508 wrote to memory of 3112	1508	cmd.exe	app.exe
PID 1508 wrote to memory of 3112	1508	cmd.exe	app.exe
PID 1508 wrote to memory of 3112	1508	cmd.exe	app.exe
PID 3112 wrote to memory of 3704	3112	app.exe	RegAsm.exe
PID 3112 wrote to memory of 3704	3112	app.exe	RegAsm.exe
PID 3112 wrote to memory of 3704	3112	app.exe	RegAsm.exe
PID 3112 wrote to memory of 3704	3112	app.exe	RegAsm.exe
PID 3112 wrote to memory of 3704	3112	app.exe	RegAsm.exe
PID 3112 wrote to memory of 3704	3112	app.exe	RegAsm.exe
PID 3112 wrote to memory of 3704	3112	app.exe	RegAsm.exe
PID 3112 wrote to memory of 3704	3112	app.exe	RegAsm.exe
PID 3704 wrote to memory of 2332	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 2332	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 2332	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 2332	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 2332	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 2332	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 2332	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 2332	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 2332	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 3228	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 3228	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 3228	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 3228	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 3228	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 3228	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 3228	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 3228	3704	RegAsm.exe	vbc.exe
PID 3704 wrote to memory of 3228	3704	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\6dff832f07ea61ef0fa90d148cf09509_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\app.exe"
2⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\app.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\app.exe
"C:\Users\Admin\AppData\Local\app.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF7C9.tmp"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFBE0.tmp"
5⤵
- Accesses Microsoft Outlook accounts
PID:3228

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF7C9.tmp
Filesize
4KB

MD5
18b6368b183e546a35847ae24b4b2913

SHA1
040545f7ac2c987d2a79b5e7f1cf9ab83bd25923

SHA256
54c101b6b1241b6a0574a66e5a5b9bddc6c60a4daf7338dba6fe3f65b27382af

SHA512
68ba8734016705cd12bf9d7ce41d5c823b2ec6ce9ee1ee7e9da9efcd9c88ef1f1b18148d91ad6a271c7a88d4ca098a99198ca709fcf217f9b1fa18f74c48d698

Download Submit
C:\Users\Admin\AppData\Local\app.exe
Filesize
900KB

MD5
6dff832f07ea61ef0fa90d148cf09509

SHA1
6831f7896e97c992593474731cbfa6fb1a45e698

SHA256
314aec84e8bc95e59b62e69580e6f0525a53e0914c50c89da8f81cc84f93cf42

SHA512
7cf036e2238e280da5f2b2d3134f80ddd10cc90fdbba7115bed4dcd038cf61026db81757c3ba968cec0378334cada10ea7ae673be6d9bbb875c78798f6ed9047

Download Submit
memory/2332-35-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2332-34-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/2332-29-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2332-28-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3112-19-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3112-20-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3112-24-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3112-17-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3112-18-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3112-21-0x00000000087D0000-0x000000000886C000-memory.dmp

Filesize
624KB

Download
memory/3228-39-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3228-38-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3228-37-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3704-22-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3704-25-0x0000000005130000-0x00000000051A6000-memory.dmp

Filesize
472KB

Download
memory/3704-26-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/4508-4-0x0000000005C70000-0x0000000005D50000-memory.dmp

Filesize
896KB

Download
memory/4508-6-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4508-7-0x0000000005350000-0x000000000535A000-memory.dmp

Filesize
40KB

Download
memory/4508-5-0x00000000058B0000-0x00000000058CE000-memory.dmp

Filesize
120KB

Download
memory/4508-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download
memory/4508-3-0x00000000058F0000-0x0000000005982000-memory.dmp

Filesize
584KB

Download
memory/4508-2-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/4508-1-0x0000000000E60000-0x0000000000F4A000-memory.dmp

Filesize
936KB

Download
memory/4508-13-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4508-11-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4508-10-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads