hawkeye_reborn | 376b073f2248a13be1b834e616d9625cddf689b36258bf42143efded46ea67f6

General

Target

85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
Size

780KB
MD5

85e41a65ff21c6d4d41df8e23bffa808
SHA1

b22a88e0a71d7d6d248f403fb8ba989af1911fa2
SHA256

376b073f2248a13be1b834e616d9625cddf689b36258bf42143efded46ea67f6
SHA512

95c4b121b8146f7d970c848cc46880295c8b19fb5eb60158439cf52aeac0b9cb744052ffaac8df3d26272093ea2e3e39d357069f7ddb31e514fe25cf322e4652
SSDEEP

12288:ICG20qQOGFoJDQ+GqAFuFUld+gpH1OHMhrhBKu3fN:ICuqtioJDQ9qQuGX+gpH1OcBn

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 6 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/2236-22-0x00000000051D0000-0x0000000005260000-memory.dmp	m00nd3v_logger
behavioral1/memory/2868-33-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2868-31-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2868-29-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2868-26-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2868-25-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/856-64-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/856-65-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/856-67-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2940-47-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2940-48-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2940-51-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2940-47-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2940-48-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2940-51-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/856-64-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/856-65-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/856-67-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exeRegAsm.exe

description	pid	process	target process
PID 2236 set thread context of 2868	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2868 set thread context of 2940	2868	RegAsm.exe	vbc.exe
PID 2868 set thread context of 856	2868	RegAsm.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exevbc.exeRegAsm.exe

pid	process
2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
2940	vbc.exe
2940	vbc.exe
2940	vbc.exe
2940	vbc.exe
2940	vbc.exe
2868	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 2236 85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
Token: SeDebugPrivilege 2868 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2868 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
Token: SeDebugPrivilege	2868	RegAsm.exe

pid	process
2868	RegAsm.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.execsc.exeRegAsm.exe

description	pid	process	target process
PID 2236 wrote to memory of 1748	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	csc.exe
PID 2236 wrote to memory of 1748	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	csc.exe
PID 2236 wrote to memory of 1748	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	csc.exe
PID 2236 wrote to memory of 1748	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	csc.exe
PID 1748 wrote to memory of 3044	1748	csc.exe	cvtres.exe
PID 1748 wrote to memory of 3044	1748	csc.exe	cvtres.exe
PID 1748 wrote to memory of 3044	1748	csc.exe	cvtres.exe
PID 1748 wrote to memory of 3044	1748	csc.exe	cvtres.exe
PID 2236 wrote to memory of 2756	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2756	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2756	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2756	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2756	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2756	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2756	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2868	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2868	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2868	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2868	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2868	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2868	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2868	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2868	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2868	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2868	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2868	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2236 wrote to memory of 2868	2236	85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe	RegAsm.exe
PID 2868 wrote to memory of 2940	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 2940	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 2940	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 2940	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 2940	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 2940	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 2940	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 2940	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 2940	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 2940	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 856	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 856	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 856	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 856	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 856	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 856	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 856	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 856	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 856	2868	RegAsm.exe	vbc.exe
PID 2868 wrote to memory of 856	2868	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85e41a65ff21c6d4d41df8e23bffa808_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ctk1tpi3\ctk1tpi3.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D20.tmp" "c:\Users\Admin\AppData\Local\Temp\ctk1tpi3\CSC9BDDA4FA227408DB14B4BE8241FE54C.TMP"
3⤵
PID:3044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:2756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp59A6.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:856

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3D20.tmp
Filesize
1KB

MD5
81519f9ae21c1b0e26b9554c0d53a48f

SHA1
8edf3d3ff0b302835623b39b7e879f0e4edba8dd

SHA256
2f2d6cf9d6949e1ed8bde03267e75fe635ea92b2b45cde164c376a35b83493e2

SHA512
f3ec4a7f943d0babc60427acafefb4b2f89ca6cbe7dba78c054e817ecdc139ae8009c0426ff3711138f0cb347c98684cb7b5f0d79311cd4cc28fa24fe705598b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctk1tpi3\ctk1tpi3.dll
Filesize
8KB

MD5
2c53291329d662ce2acaee76e8fedb47

SHA1
78a40e2b37d2f6e2c0c141b637fce8d18cfc61a7

SHA256
65a36e27a3c92119ae49805b7392ae7e7385272c9dbe64e5a1f503e9e50ceabf

SHA512
ad40d2437ffa996fff10df50954a41ff562954471b5a51113ec6af9dbf1ad4a3a40b78c5b6b454a28f5c0f180995e9b2039a9c84856a65e4e852e856bcb54a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctk1tpi3\ctk1tpi3.pdb
Filesize
21KB

MD5
417310d9aa7bd9f48e169c1cbf89ee1a

SHA1
dc0072b6bbfff83ae5c8a26fd80233d3ccdf3b8f

SHA256
768bf8827b8c11f48993c0d447f7be00d98c49c0096cd2bcd6ba808df972171a

SHA512
0c4fa7e8ee2514401fa01c9f2c1c493b0528758c28f6f59937c8136e418a3ed0aa2c2ae2f451c38d1a98da4efaf00474b8f7422499e9430f8f16f69db7a33074

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ctk1tpi3\CSC9BDDA4FA227408DB14B4BE8241FE54C.TMP
Filesize
1KB

MD5
33d3dfd2b08e0128e08740c6aec4db52

SHA1
08d315d97e1e1a867f5495356b5ccc2f4dfd992c

SHA256
98c2100adbdd9bb866c915d2ed244614b888413299e053fc02452922c72ce9bd

SHA512
6ea9db43718521b0cac4b49342dbeb3924a061288b915b645c7661482c6eea29a1791074f6cd9cbf06d3089b2f70d5d4b82235e6bf367df4516acdd33425fe7f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ctk1tpi3\ctk1tpi3.0.cs
Filesize
10KB

MD5
fde945a51e5fdf1543bea4a9931b85da

SHA1
67921637ed634306472665592bbbf54a38c75a41

SHA256
aa679b2aa59d772a437935e146a2caf13e84a3efbdb7eae4ddfb3403460c6051

SHA512
39b307d8737da828765b23eb9066dd81c1767ee64844815a2570bae2065cdb24b90bc644c913810b7746d0f13720013526fe685370b5ff425e8f6c76b3baa785

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ctk1tpi3\ctk1tpi3.cmdline
Filesize
312B

MD5
1b3301b5cd46a0739a4fdeaf7c22595d

SHA1
789bfaf2f684f0262f9f27709561bdb0f0165345

SHA256
f1477e22c01d44dd66be4e79bf1f33e62e58745a67a8cbb775d98998f7ca0924

SHA512
645f0becc9482fa5eb6f8119228b0190151a0f8c7c6486c9f4e0474557c176351ede26f5cb6d62bc415abcb5709730a47ffe43d24f4d7755b93421061d0a5402

Download Submit
memory/856-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/856-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/856-53-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/856-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/856-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/856-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/856-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/856-67-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2236-21-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2236-22-0x00000000051D0000-0x0000000005260000-memory.dmp

Filesize
576KB

Download
memory/2236-18-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2236-1-0x0000000001050000-0x00000000010E6000-memory.dmp

Filesize
600KB

Download
memory/2236-20-0x0000000005130000-0x00000000051CA000-memory.dmp

Filesize
616KB

Download
memory/2236-0-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download
memory/2236-2-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/2236-34-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-3-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-26-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2868-25-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2868-23-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2868-24-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2868-33-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2868-31-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2868-29-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2868-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2940-38-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2940-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2940-40-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2940-51-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2940-50-0x0000000000460000-0x00000000004C7000-memory.dmp

Filesize
412KB

Download
memory/2940-36-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2940-48-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2940-42-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2940-44-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2940-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads