hawkeye_reborn | 8b53a2b8c804e804fa38afd4a125d56531aaef531b3f6ed49dfede9707114212

General

Target

8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
Size

840KB
MD5

8512059f4dbd6dae13068ab29d5624fd
SHA1

34b93471fd0337bcb6009f8f6579c632bb108bc5
SHA256

8b53a2b8c804e804fa38afd4a125d56531aaef531b3f6ed49dfede9707114212
SHA512

e8a31a508fb438d9a780aa4fabdef91351a3d0ec1ef435d1ca28cceda9fca4a2e21fb70d0a025d5fa6d2d003c5f8d11e63d19810aa9f7439be5ab015afd3201e
SSDEEP

24576:Wm0FAM1fguBqMpHK+J7FfIcCvuKz+ydlF:e1IepvTIcCvu8B

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/4064-25-0x0000000005BD0000-0x0000000005C60000-memory.dmp	m00nd3v_logger
behavioral2/memory/3736-27-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/684-48-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/684-46-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/684-45-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3324-37-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3324-36-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3324-34-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3324-43-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3324-37-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3324-36-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3324-34-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3324-43-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/684-48-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/684-46-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/684-45-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

Processes:

8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TNBzPu.url	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exeRegAsm.exe

description	pid	process	target process
PID 4064 set thread context of 3736	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 3736 set thread context of 3324	3736	RegAsm.exe	vbc.exe
PID 3736 set thread context of 684	3736	RegAsm.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exevbc.exeRegAsm.exe

pid	process
4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
3324	vbc.exe
3324	vbc.exe
3324	vbc.exe
3324	vbc.exe
3324	vbc.exe
3324	vbc.exe
3324	vbc.exe
3324	vbc.exe
3324	vbc.exe
3324	vbc.exe
3324	vbc.exe
3324	vbc.exe
3736	RegAsm.exe
3736	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 4064 8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
Token: SeDebugPrivilege 3736 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

3736 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
Token: SeDebugPrivilege	3736	RegAsm.exe

pid	process
3736	RegAsm.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.execsc.exeRegAsm.exe

description	pid	process	target process
PID 4064 wrote to memory of 3260	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	csc.exe
PID 4064 wrote to memory of 3260	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	csc.exe
PID 4064 wrote to memory of 3260	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	csc.exe
PID 3260 wrote to memory of 4504	3260	csc.exe	cvtres.exe
PID 3260 wrote to memory of 4504	3260	csc.exe	cvtres.exe
PID 3260 wrote to memory of 4504	3260	csc.exe	cvtres.exe
PID 4064 wrote to memory of 2788	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 4064 wrote to memory of 2788	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 4064 wrote to memory of 2788	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 4064 wrote to memory of 3656	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 4064 wrote to memory of 3656	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 4064 wrote to memory of 3656	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 4064 wrote to memory of 3736	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 4064 wrote to memory of 3736	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 4064 wrote to memory of 3736	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 4064 wrote to memory of 3736	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 4064 wrote to memory of 3736	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 4064 wrote to memory of 3736	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 4064 wrote to memory of 3736	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 4064 wrote to memory of 3736	4064	8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe	RegAsm.exe
PID 3736 wrote to memory of 3324	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 3324	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 3324	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 3324	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 3324	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 3324	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 3324	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 3324	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 3324	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 684	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 684	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 684	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 684	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 684	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 684	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 684	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 684	3736	RegAsm.exe	vbc.exe
PID 3736 wrote to memory of 684	3736	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8512059f4dbd6dae13068ab29d5624fd_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ipcsvncg\ipcsvncg.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33A3.tmp" "c:\Users\Admin\AppData\Local\Temp\ipcsvncg\CSC4B0B67CD131D41578D276E628C29B16D.TMP"
3⤵
PID:4504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:2788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:3656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5DA1.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp61B8.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES33A3.tmp
Filesize
1KB

MD5
2340a80fb5b6e321e60896b6c8d2d8e7

SHA1
4ce4ad19f5eda6a0ce3515c3399617b2e14ec591

SHA256
7a0adb65281f51fd82ee5a609970c4c118e5465824378c5fed138b30f9387ff3

SHA512
83d378295d76932e3a3ede2f88379520585b56a53ff37a4d5a8bfcb1301fe115491c7ee9638094cc812fee9f3a07ae207cad217eb4f4b9c9c05f8e923dbacb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipcsvncg\ipcsvncg.dll
Filesize
10KB

MD5
ac89f3407bfe587e2a2e2663ef61aeae

SHA1
fc9b2a1752b92597bd969827a1b9c4fe05b18b9e

SHA256
acad1f93841746c6101e63735ce88531a37dfc0c45cc29ec07ea35dcfc3a22a8

SHA512
d38339175d3605cf1aa0c1cd47f34ed7bd759bc1ebbd57a137997ec0fe3cd5bb88fd7d842263bed0ec47a881adaf9511af2772adca4e08d8ecf7408160b11813

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipcsvncg\ipcsvncg.pdb
Filesize
27KB

MD5
58c7ea6702b6d26661390dac3cdb88fc

SHA1
35112fa8e796138ead5effdbd263523fc910d15c

SHA256
5b0c04c928a49d99c16c4e682249d4c1b6f2c77b05740257f41caa3d93b87c84

SHA512
48683e7f594b505ce9872cb85a043ec18fe48989b539c9578c62b59630e4b6e4576612b6c221862ef0a145a1ede78f605aa4334f6eb1761ac9f8340e7126af41

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DA1.tmp
Filesize
4KB

MD5
788d7419b32411807cc6753cbbccecbe

SHA1
761b99a1e5bc168f525181d78cff3f6ed82daa14

SHA256
76150e857b36f1f070422d2ad4df17f87454466348e4bfc158b028977378140b

SHA512
3003f104b0b07870015ff4e9e0d254c2e537d4c68ef664a772d7018827b0ccbeb5481a2ce587b88e6ab1d71d6ce523a620c11c00c676857d5fd5ab949fa617b4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ipcsvncg\CSC4B0B67CD131D41578D276E628C29B16D.TMP
Filesize
1KB

MD5
3a923da0caed7b909981dd2cf5a0975b

SHA1
c4e4e4bc417ca7a19a44acd4ebac48bccf0d5e7b

SHA256
4e74377735ba8e980630eb979b6f18459e2b568b5c1fe65f5345e869d6c8af2b

SHA512
070abfb6a450afdfcd8916098c5a47ba87c59d8b739c71e9baa5add5b2a9eef31b415c4ec12bd0f021d030dfaaf8cc37c266ca19ec8aa7c03d4e3d17ddd9a300

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ipcsvncg\ipcsvncg.0.cs
Filesize
15KB

MD5
1e5b368788cb07f893eb1cc66b63523c

SHA1
0a755a99d1fcc5a1edf9987886d24b22ed874258

SHA256
527242363fd157202abe19490f40c98ad3429c9839057f7dd3ce6bd7e92a6040

SHA512
20088339279c6260463ff8e7a7457ef25ef99e2314b1711942f46cc8626b7d2a23de3b21d9f827f2d826cdc4bd10a50634e6fa37f19798b53d9c915d3f1f7597

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ipcsvncg\ipcsvncg.cmdline
Filesize
312B

MD5
83d9d692639e98923edf68ed720c4644

SHA1
e378e4a6b6c1b2afef3a49b33a618ca9ea7eaaa9

SHA256
47e21a86b9994025e068bf3ab60b986177ee788de2cc35d5ac39ead9469e8745

SHA512
1d762dfbf01dca0204d3da8b5c700651c9d7a02c7056f13b22246238bf14308b308e9c733c47cee104e7f1f877b6e38a0ea90f6f3425a0903086fc2538b2a888

Download Submit
memory/684-45-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/684-46-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/684-48-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/684-47-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/3324-43-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3324-37-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3324-34-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3324-36-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3736-50-0x0000000071490000-0x0000000071A41000-memory.dmp

Filesize
5.7MB

Download
memory/3736-49-0x0000000071492000-0x0000000071493000-memory.dmp

Filesize
4KB

Download
memory/3736-27-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3736-30-0x0000000071492000-0x0000000071493000-memory.dmp

Filesize
4KB

Download
memory/3736-31-0x0000000071490000-0x0000000071A41000-memory.dmp

Filesize
5.7MB

Download
memory/3736-32-0x0000000071490000-0x0000000071A41000-memory.dmp

Filesize
5.7MB

Download
memory/4064-29-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4064-22-0x0000000005BB0000-0x0000000005BBC000-memory.dmp

Filesize
48KB

Download
memory/4064-25-0x0000000005BD0000-0x0000000005C60000-memory.dmp

Filesize
576KB

Download
memory/4064-0-0x000000007500E000-0x000000007500F000-memory.dmp

Filesize
4KB

Download
memory/4064-19-0x00000000055F0000-0x00000000055F8000-memory.dmp

Filesize
32KB

Download
memory/4064-4-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4064-3-0x00000000054E0000-0x00000000054E8000-memory.dmp

Filesize
32KB

Download
memory/4064-2-0x0000000005520000-0x00000000055B2000-memory.dmp

Filesize
584KB

Download
memory/4064-1-0x0000000000AE0000-0x0000000000BB8000-memory.dmp

Filesize
864KB

Download
memory/4064-26-0x0000000005D00000-0x0000000005D9C000-memory.dmp

Filesize
624KB

Download
memory/4064-21-0x0000000005B10000-0x0000000005BAA000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads