Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 17-06-2024 19:22
Static task: static1
Behavioral task: behavioral1
  Sample: b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe
Size: 715KB
MD5: b99cee8603eb58c97143d9575136f761
SHA1: b8493cee69910b95b3f96f74bbc7a4f8d58bb641
SHA256: 9452d4be264c5593bef4704be62d993a14eeb2114287815afbc6d580742ec27e
SHA512: a675810935be4c20da12e6fbbd34c1a25bb2bdc977710a4d322f4514422e776c0c41b234f28a7cca81586dd9e3d1405e84170bde5a3efd31925b40c2a4a7c76a
SSDEEP: 12288:tiEkrrgWLqwj5+SSBcvCJ69d9K511Ed+ovcQOjuQ6xN9kw0Uf:tiDrrZOwjM7C3+ovcQOKQqNyw0U
Malware Config
Extracted: hawkeye_reborn
fields | name
Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
Processes:
resource | yara_rule
behavioral1/memory/2532-13-0x0000000000260000-0x00000000002F0000-memory.dmp | m00nd3v_logger
behavioral1/memory/2532-15-0x0000000000260000-0x00000000002F0000-memory.dmp | m00nd3v_logger
behavioral1/memory/2532-20-0x0000000000260000-0x00000000002F0000-memory.dmp | m00nd3v_logger
behavioral1/memory/2532-27-0x0000000000260000-0x00000000002F0000-memory.dmp | m00nd3v_logger
behavioral1/memory/2532-25-0x0000000000260000-0x00000000002F0000-memory.dmp | m00nd3v_logger
Sets file execution options in registry (2 TTPs, 64 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "rundll32.exe" | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "rundll32.exe" | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "rundll32.exe" | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\Debugger = "rundll32.exe" | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "rundll32.exe" | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "rundll32.exe" | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "rundll32.exe" | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "rundll32.exe" | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\Debugger = "rundll32.exe" | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "rundll32.exe" | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\Debugger = "rundll32.exe" | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe\Debugger = "rundll32.exe" | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe\Debugger = "rundll32.exe" | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe\Debugger = "rundll32.exe" | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe | START.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "rundll32.exe" | START.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe | START.exe
Executes dropped EXE (2 IoCs)
Processes:
pid | process
2764 | START.exe
2532 | START.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Application = "C:\\Users\\Admin\\AppData\\Roaming\\START.exe -boot" | START.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | bot.whatismyipaddress.com
Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 2764 set thread context of 2532 | 2764 | START.exe | START.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
2932 | b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe
2764 | START.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2932 | b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe
Token: SeDebugPrivilege | 2764 | START.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
description | pid | process | target process
PID 2932 wrote to memory of 2696 | 2932 | b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe | cmd.exe
PID 2932 wrote to memory of 2696 | 2932 | b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe | cmd.exe
PID 2932 wrote to memory of 2696 | 2932 | b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe | cmd.exe
PID 2932 wrote to memory of 2696 | 2932 | b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe | cmd.exe
PID 2932 wrote to memory of 2748 | 2932 | b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe | explorer.exe
PID 2932 wrote to memory of 2748 | 2932 | b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe | explorer.exe
PID 2932 wrote to memory of 2748 | 2932 | b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe | explorer.exe
PID 2932 wrote to memory of 2748 | 2932 | b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe | explorer.exe
PID 2464 wrote to memory of 2764 | 2464 | explorer.exe | START.exe
PID 2464 wrote to memory of 2764 | 2464 | explorer.exe | START.exe
PID 2464 wrote to memory of 2764 | 2464 | explorer.exe | START.exe
PID 2464 wrote to memory of 2764 | 2464 | explorer.exe | START.exe
PID 2764 wrote to memory of 2532 | 2764 | START.exe | START.exe
PID 2764 wrote to memory of 2532 | 2764 | START.exe | START.exe
PID 2764 wrote to memory of 2532 | 2764 | START.exe | START.exe
PID 2764 wrote to memory of 2532 | 2764 | START.exe | START.exe
PID 2764 wrote to memory of 2532 | 2764 | START.exe | START.exe
PID 2764 wrote to memory of 2532 | 2764 | START.exe | START.exe
PID 2764 wrote to memory of 2532 | 2764 | START.exe | START.exe
PID 2764 wrote to memory of 2532 | 2764 | START.exe | START.exe
PID 2764 wrote to memory of 2532 | 2764 | START.exe | START.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2932
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\b99cee8603eb58c97143d9575136f761_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\START.exe"
        PID: 2696
    [2] C:\Windows\SysWOW64\explorer.exe
        Command line: "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\START.exe"
        PID: 2748
[1] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    - Suspicious use of WriteProcessMemory
    PID: 2464
    [2] C:\Users\Admin\AppData\Roaming\START.exe
        Command line: "C:\Users\Admin\AppData\Roaming\START.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2764
        [3] C:\Users\Admin\AppData\Roaming\START.exe
            Command line: "C:\Users\Admin\AppData\Roaming\START.exe"
            - Sets file execution options in registry
            - Executes dropped EXE
            PID: 2532
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 715KB
MD5: b99cee8603eb58c97143d9575136f761
SHA1: b8493cee69910b95b3f96f74bbc7a4f8d58bb641
SHA256: 9452d4be264c5593bef4704be62d993a14eeb2114287815afbc6d580742ec27e
SHA512: a675810935be4c20da12e6fbbd34c1a25bb2bdc977710a4d322f4514422e776c0c41b234f28a7cca81586dd9e3d1405e84170bde5a3efd31925b40c2a4a7c76a