hawkeye_reborn | 8f9d2e33c94bbc8fe8b0fcab9053188b913b2c933aa705da4cc531c849413b4b

General

Target

794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
Size

804KB
MD5

794572b7847795cca2d50681b80552a2
SHA1

98efe39680402d00bdf35f0e5d8e0a2aee89a940
SHA256

8f9d2e33c94bbc8fe8b0fcab9053188b913b2c933aa705da4cc531c849413b4b
SHA512

7282f2f91a4ea85efc52e57716de52c5c1891cbd2fe17ede01f3d38105947a642130fe2b8dc675b36850e632535c3ea923bc17925faba7a4ce37908fafed603d
SSDEEP

12288:mV0sGl6QsJCP6RaO+Y0/fRXJScFzg2hOkKIgQjXJjlP:maPoQI+6RaOsDrFg24ydZRP

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 6 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/1148-23-0x0000000004600000-0x0000000004690000-memory.dmp	m00nd3v_logger
behavioral1/memory/2724-27-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2724-26-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2724-34-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2724-32-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2724-30-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2416-65-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/2416-64-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/2416-67-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2920-48-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2920-49-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2920-51-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2920-48-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2920-49-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2920-51-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2416-65-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/2416-64-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/2416-67-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

Processes:

794572b7847795cca2d50681b80552a2_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rydjydtku.url	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

794572b7847795cca2d50681b80552a2_JaffaCakes118.exeRegAsm.exe

description	pid	process	target process
PID 1148 set thread context of 2724	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 2724 set thread context of 2920	2724	RegAsm.exe	vbc.exe
PID 2724 set thread context of 2416	2724	RegAsm.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

794572b7847795cca2d50681b80552a2_JaffaCakes118.exevbc.exeRegAsm.exe

pid	process
1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
2920	vbc.exe
2920	vbc.exe
2920	vbc.exe
2920	vbc.exe
2920	vbc.exe
2724	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

794572b7847795cca2d50681b80552a2_JaffaCakes118.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1148 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
Token: SeDebugPrivilege 2724 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2724 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
Token: SeDebugPrivilege	2724	RegAsm.exe

pid	process
2724	RegAsm.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

794572b7847795cca2d50681b80552a2_JaffaCakes118.execsc.exeRegAsm.exe

description	pid	process	target process
PID 1148 wrote to memory of 1324	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	csc.exe
PID 1148 wrote to memory of 1324	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	csc.exe
PID 1148 wrote to memory of 1324	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	csc.exe
PID 1148 wrote to memory of 1324	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	csc.exe
PID 1324 wrote to memory of 2548	1324	csc.exe	cvtres.exe
PID 1324 wrote to memory of 2548	1324	csc.exe	cvtres.exe
PID 1324 wrote to memory of 2548	1324	csc.exe	cvtres.exe
PID 1324 wrote to memory of 2548	1324	csc.exe	cvtres.exe
PID 1148 wrote to memory of 2724	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1148 wrote to memory of 2724	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1148 wrote to memory of 2724	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1148 wrote to memory of 2724	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1148 wrote to memory of 2724	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1148 wrote to memory of 2724	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1148 wrote to memory of 2724	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1148 wrote to memory of 2724	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1148 wrote to memory of 2724	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1148 wrote to memory of 2724	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1148 wrote to memory of 2724	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1148 wrote to memory of 2724	1148	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 2724 wrote to memory of 2920	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2920	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2920	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2920	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2920	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2920	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2920	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2920	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2920	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2920	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2416	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2416	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2416	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2416	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2416	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2416	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2416	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2416	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2416	2724	RegAsm.exe	vbc.exe
PID 2724 wrote to memory of 2416	2724	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\794572b7847795cca2d50681b80552a2_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dqoikkp5\dqoikkp5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10F2.tmp" "c:\Users\Admin\AppData\Local\Temp\dqoikkp5\CSCDF23BECC227A461DB8EC8F66A98396D.TMP"
    3⤵
    PID:2548
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3B4C.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2920
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2CEB.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES10F2.tmp

Filesize
1KB

MD5
38adbf16ef066a4803d80f90e94dd698

SHA1
2974cf44cd5dda60946a9c75fd492d5a92a91b15

SHA256
087dafee329c8686d9d8fdb521ca06f011a3eee3cc74b953338a934952c28e4e

SHA512
ea58c6f8b19f7fea08d690293a7b5accf23b1537a72a84f3cfc62b5a48dc53fbf4f60b3d8ec398bfb948aec29008ce064ea927850f5d7963afb79c7a8d8e66f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dqoikkp5\dqoikkp5.dll

Filesize
6KB

MD5
3c95e528d3cc1b39b392fc18f0ee54b6

SHA1
a9e49c83276a8299a52621fe04ed5bf6fd8c635e

SHA256
5ec4ca4e51e460ba8dc865bac4f252e39fca839fd0fe329087d7ab63ac158251

SHA512
7e7705a516fb16fabb079822b04709093774fa0b6b6011da4d51b07bb7a033705e24fc8f59d73403bd5958831368d180d9f796553910bb305d055434be5b78ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\dqoikkp5\dqoikkp5.pdb

Filesize
15KB

MD5
6ba8887149ebf307730cd783e5287736

SHA1
e02d5a81e15cb1196fe8d1719028e07763e1317a

SHA256
00948dc1467fd6bcab2b7b37f4107bc747b120f33ec0686d64446c0c0faafd98

SHA512
19c64e9ef3fa54c85c3313e4b8334eaf61cc2869e28328d15748267670e312c3d0924b03fe59282c73bbbc81a956e4ad29cea592b17426e7f2e2509ae51ffe86

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3B4C.tmp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dqoikkp5\CSCDF23BECC227A461DB8EC8F66A98396D.TMP

Filesize
1KB

MD5
5d5aac222cc26d7195a47bbecef068eb

SHA1
ac3289e782b32db3d12dae69349283198789d01a

SHA256
c2f334d40b5be3a2e3f87632fd928bf610c12af77399dc33c655b921886d8d68

SHA512
48b719d988160bd23109a5d153bd973b78210ab2942a6e42149d848218ab24ea0c3ade102615426df8669c53f00b8dd9cb24c7451691630ea82fea9a0e7481a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dqoikkp5\dqoikkp5.0.cs

Filesize
2KB

MD5
4d9fe73afe0fa2bcb6c17e81676ab87e

SHA1
098cb8aaef8c6fe2ca91e697dd510dc7af73f13a

SHA256
5a6e61d92bbc56a411666a1bfd88bfa18718f57f1c46034b73d47c68b8bbe0c7

SHA512
68113fb819029c47aba607782ab87c413ea109c25d9009c665f069ad3826c6f014f0ec58a10f5de57a9ac129be03402ea932ddb28e0d52589112d666e52fa93b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dqoikkp5\dqoikkp5.cmdline

Filesize
312B

MD5
8b19409cbd49d2526013510973786ff4

SHA1
458e33998d2cdd91bfd579468b9b49ff28dcef3b

SHA256
81602c98184d6326005152a438f61771023cc71865ac1d44c529d7dcc50b12fa

SHA512
7ff06d692ba278074689c3fef46116d436402be56f60890f1ffbe3dcd558409af619b584a00c64c8d34ac27cc5fa8e3f73e1527047871033d52b7b463445d20d

Download Submit
memory/1148-23-0x0000000004600000-0x0000000004690000-memory.dmp

Filesize
576KB

Download
memory/1148-0-0x000000007416E000-0x000000007416F000-memory.dmp

Filesize
4KB

Download
memory/1148-5-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/1148-19-0x0000000004F40000-0x0000000004FDA000-memory.dmp

Filesize
616KB

Download
memory/1148-20-0x0000000000960000-0x000000000096C000-memory.dmp

Filesize
48KB

Download
memory/1148-1-0x0000000001040000-0x00000000010F8000-memory.dmp

Filesize
736KB

Download
memory/1148-17-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/1148-35-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2416-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2416-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2416-67-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2416-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2416-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2416-66-0x0000000000420000-0x0000000000487000-memory.dmp

Filesize
412KB

Download
memory/2416-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2416-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2416-53-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2724-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-25-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2724-27-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2724-24-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2724-26-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2724-34-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2724-32-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2724-30-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2920-49-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2920-40-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2920-48-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2920-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2920-51-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2920-45-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2920-37-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2920-41-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2920-43-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads