hawkeye_reborn | 8b53a2b8c804e804fa38afd4a125d56531aaef531b3f6ed49dfede9707114212

General

Target

8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
Size

840KB
MD5

8512059f4dbd6dae13068ab29d5624fd
SHA1

34b93471fd0337bcb6009f8f6579c632bb108bc5
SHA256

8b53a2b8c804e804fa38afd4a125d56531aaef531b3f6ed49dfede9707114212
SHA512

e8a31a508fb438d9a780aa4fabdef91351a3d0ec1ef435d1ca28cceda9fca4a2e21fb70d0a025d5fa6d2d003c5f8d11e63d19810aa9f7439be5ab015afd3201e
SSDEEP

24576:Wm0FAM1fguBqMpHK+J7FfIcCvuKz+ydlF:e1IepvTIcCvu8B

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 6 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/2184-24-0x0000000005090000-0x0000000005120000-memory.dmp	m00nd3v_logger
behavioral1/memory/2504-28-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2504-27-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2504-31-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2504-33-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2504-35-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1244-65-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/1244-66-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/1244-68-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1976-50-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1976-49-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1976-52-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1976-50-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1976-49-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1976-52-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1244-65-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/1244-66-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/1244-68-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

Processes:

8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TNBzPu.url	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exeRegAsm.exe

description	pid	process	target process
PID 2184 set thread context of 2504	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 2504 set thread context of 1976	2504	RegAsm.exe	vbc.exe
PID 2504 set thread context of 1244	2504	RegAsm.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exevbc.exeRegAsm.exe

pid	process
2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
1976	vbc.exe
1976	vbc.exe
1976	vbc.exe
1976	vbc.exe
1976	vbc.exe
2504	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 2184 8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
Token: SeDebugPrivilege 2504 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2504 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
Token: SeDebugPrivilege	2504	RegAsm.exe

pid	process
2504	RegAsm.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.execsc.exeRegAsm.exe

description	pid	process	target process
PID 2184 wrote to memory of 1672	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	csc.exe
PID 2184 wrote to memory of 1672	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	csc.exe
PID 2184 wrote to memory of 1672	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	csc.exe
PID 2184 wrote to memory of 1672	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	csc.exe
PID 1672 wrote to memory of 2528	1672	csc.exe	cvtres.exe
PID 1672 wrote to memory of 2528	1672	csc.exe	cvtres.exe
PID 1672 wrote to memory of 2528	1672	csc.exe	cvtres.exe
PID 1672 wrote to memory of 2528	1672	csc.exe	cvtres.exe
PID 2184 wrote to memory of 2504	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 2184 wrote to memory of 2504	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 2184 wrote to memory of 2504	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 2184 wrote to memory of 2504	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 2184 wrote to memory of 2504	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 2184 wrote to memory of 2504	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 2184 wrote to memory of 2504	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 2184 wrote to memory of 2504	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 2184 wrote to memory of 2504	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 2184 wrote to memory of 2504	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 2184 wrote to memory of 2504	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 2184 wrote to memory of 2504	2184	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 2504 wrote to memory of 1976	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1976	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1976	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1976	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1976	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1976	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1976	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1976	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1976	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1976	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1244	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1244	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1244	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1244	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1244	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1244	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1244	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1244	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1244	2504	RegAsm.exe	vbc.exe
PID 2504 wrote to memory of 1244	2504	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ppegjfjr\ppegjfjr.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11BC.tmp" "c:\Users\Admin\AppData\Local\Temp\ppegjfjr\CSC9EB21C6B4BC4449EB0E56E645AF455BB.TMP"
3⤵
PID:2528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3BA9.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2D58.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES11BC.tmp

Filesize
1KB

MD5
1019c68c188910b18709b230cd25c5c3

SHA1
7ab2508ae220aca9d556fc1f0c330ba28907a64c

SHA256
e958cc731a459fa657f17f221d7ad3e87ff421d851bba013fa6fb907c13058b6

SHA512
656e430432da7719cd8303b77760757b694ecbc027e673f4828ec45d3036e2526901e69ba1c31a5f57813f8595186c200258f3cd767770f58b3eadcefac4d6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppegjfjr\ppegjfjr.dll

Filesize
10KB

MD5
4bbf6646d89596ada6ee810dfbea076f

SHA1
b10bdd5ef8f6bc7a71e5bc557ba71510c03c42a5

SHA256
c1d5efbb84f3f4869fb720dce86567b066815d0e258f0cf331611b7e410248cf

SHA512
ee4438273d04ba06f1fa753e85c327651abd0901b211fbf45067869c086f57b7750a5a37e73515b38af8fe67d2a1de43a63e23e14e4adc19f15da5ef2f17e766

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppegjfjr\ppegjfjr.pdb

Filesize
27KB

MD5
74a120e9a42e51d22b191e5236dacf8b

SHA1
e12feb9002f9007dddadd372fc09ef9a9ffca64b

SHA256
d14689ca7496aad8c7a848f337ca60551fd9024c7c81f2551bcf67f4757a5e2e

SHA512
d9cd511bce705c58d5afaa8427c9bbee73b0b1597f24c1cd180d765a7368e0ade7979105cd995e0db597478d5908b66a27f7d30254bd7a93774d6f063858ac85

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3BA9.tmp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ppegjfjr\CSC9EB21C6B4BC4449EB0E56E645AF455BB.TMP

Filesize
1KB

MD5
4d2f44e27e90eb7b641456651de4c68b

SHA1
0ac2520c1a7a74c371d53527b63d1f99f44188e3

SHA256
20ff1f59d26c9d173a711bba7296505d4dcdf41ef062d7d4abc4407a6f375f5f

SHA512
88ad08de8699f09c8361cd691a9cc6e79ca4ff85f39b13a573a973dc99a1739b4b7b59bb42d73a1cd54375102c4025aa584fe01d787d6c93e9233e21fbf127ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ppegjfjr\ppegjfjr.0.cs

Filesize
15KB

MD5
1e5b368788cb07f893eb1cc66b63523c

SHA1
0a755a99d1fcc5a1edf9987886d24b22ed874258

SHA256
527242363fd157202abe19490f40c98ad3429c9839057f7dd3ce6bd7e92a6040

SHA512
20088339279c6260463ff8e7a7457ef25ef99e2314b1711942f46cc8626b7d2a23de3b21d9f827f2d826cdc4bd10a50634e6fa37f19798b53d9c915d3f1f7597

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ppegjfjr\ppegjfjr.cmdline

Filesize
312B

MD5
0e74bd307993a7a7ad330a955810094d

SHA1
e7ba7a162ba7e2d7377a5699a727878a9f1ade16

SHA256
51a51579a4708318f4fb445ebc2025bf0abbc4c461157a848a148b4d58257cc4

SHA512
9bd3995fe934912f289a546e973a5092746c9fb8e6c3eab66050017d282ad895d6dcd0d383295f54bd2885f7c022f1f49e26c6fcd00885d3b73de3ce1aedb595

Download Submit
memory/1244-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1244-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1244-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1244-68-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1244-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1244-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1244-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1244-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1976-38-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1976-49-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1976-52-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1976-40-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1976-42-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1976-44-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1976-46-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1976-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1976-50-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2184-24-0x0000000005090000-0x0000000005120000-memory.dmp

Filesize
576KB

Download
memory/2184-21-0x0000000001E60000-0x0000000001E6C000-memory.dmp

Filesize
48KB

Download
memory/2184-1-0x0000000000220000-0x00000000002F8000-memory.dmp

Filesize
864KB

Download
memory/2184-36-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-2-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/2184-3-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-0-0x000000007413E000-0x000000007413F000-memory.dmp

Filesize
4KB

Download
memory/2184-18-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2184-20-0x0000000004FF0000-0x000000000508A000-memory.dmp

Filesize
616KB

Download
memory/2504-31-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2504-28-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2504-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2504-27-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2504-25-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2504-35-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2504-33-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2504-26-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads