hawkeye_reborn | 4aa65a171e00328be3622ca78be90936249a792e68313ebeeeec846d49e64069

Analysis

max time kernel
142s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2024 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe
Size

791KB
MD5

bb9949c1dd3457d699def7fd8ac2eb9a
SHA1

119f207f2c27cc412fb5df582b7f69ea556f518a
SHA256

4aa65a171e00328be3622ca78be90936249a792e68313ebeeeec846d49e64069
SHA512

ac3e1eaf741ce7f4f39c4daa92b5e3a9ab1b4ef94a4a725e20ed2630d405498b8b05924eada676aea218a92a41caf1400e368d54b6be38debb32d1498f11460a
SSDEEP

24576:CI9GDt49nG7Z0q3IvjbWA11OMKMenC2Ovc+:CdtCnIq4snrvbeSE

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.zoho.com
Port:
587
Username:
[email protected]
Password:
CONNECT2018

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/2740-15-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2740-19-0x00000000059A0000-0x0000000005A16000-memory.dmp	MailPassView
behavioral2/memory/5016-31-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/5016-32-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/5016-34-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2740-19-0x00000000059A0000-0x0000000005A16000-memory.dmp	WebBrowserPassView
behavioral2/memory/2324-22-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/2324-23-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/2324-29-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral2/memory/2740-19-0x00000000059A0000-0x0000000005A16000-memory.dmp	Nirsoft
behavioral2/memory/2324-22-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2324-23-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2324-29-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/5016-31-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/5016-32-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/5016-34-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1940	start.exe
2740	start.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Local\\start.exe -boot"	start.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 2740	1940	start.exe	107
PID 2740 set thread context of 2324	2740	start.exe	108
PID 2740 set thread context of 5016	2740	start.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
372	bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe
1940	start.exe
1940	start.exe
2324	vbc.exe
2324	vbc.exe
2324	vbc.exe
2324	vbc.exe
2324	vbc.exe
2324	vbc.exe
2324	vbc.exe
2324	vbc.exe
2324	vbc.exe
2324	vbc.exe
2324	vbc.exe
2324	vbc.exe
2740	start.exe
2740	start.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	372	bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe
Token: SeDebugPrivilege	1940	start.exe
Token: SeDebugPrivilege	2740	start.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2740	start.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 4144	372	bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe	94
PID 372 wrote to memory of 4144	372	bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe	94
PID 372 wrote to memory of 4144	372	bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe	94
PID 372 wrote to memory of 1248	372	bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe	100
PID 372 wrote to memory of 1248	372	bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe	100
PID 372 wrote to memory of 1248	372	bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe	100
PID 1916 wrote to memory of 1940	1916	explorer.exe	103
PID 1916 wrote to memory of 1940	1916	explorer.exe	103
PID 1916 wrote to memory of 1940	1916	explorer.exe	103
PID 1940 wrote to memory of 2740	1940	start.exe	107
PID 1940 wrote to memory of 2740	1940	start.exe	107
PID 1940 wrote to memory of 2740	1940	start.exe	107
PID 1940 wrote to memory of 2740	1940	start.exe	107
PID 1940 wrote to memory of 2740	1940	start.exe	107
PID 1940 wrote to memory of 2740	1940	start.exe	107
PID 1940 wrote to memory of 2740	1940	start.exe	107
PID 1940 wrote to memory of 2740	1940	start.exe	107
PID 2740 wrote to memory of 2324	2740	start.exe	108
PID 2740 wrote to memory of 2324	2740	start.exe	108
PID 2740 wrote to memory of 2324	2740	start.exe	108
PID 2740 wrote to memory of 2324	2740	start.exe	108
PID 2740 wrote to memory of 2324	2740	start.exe	108
PID 2740 wrote to memory of 2324	2740	start.exe	108
PID 2740 wrote to memory of 2324	2740	start.exe	108
PID 2740 wrote to memory of 2324	2740	start.exe	108
PID 2740 wrote to memory of 2324	2740	start.exe	108
PID 2740 wrote to memory of 5016	2740	start.exe	109
PID 2740 wrote to memory of 5016	2740	start.exe	109
PID 2740 wrote to memory of 5016	2740	start.exe	109
PID 2740 wrote to memory of 5016	2740	start.exe	109
PID 2740 wrote to memory of 5016	2740	start.exe	109
PID 2740 wrote to memory of 5016	2740	start.exe	109
PID 2740 wrote to memory of 5016	2740	start.exe	109
PID 2740 wrote to memory of 5016	2740	start.exe	109
PID 2740 wrote to memory of 5016	2740	start.exe	109

C:\Users\Admin\AppData\Local\Temp\bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\bb9949c1dd3457d699def7fd8ac2eb9a_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\start.exe"
  2⤵
  PID:4144
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\start.exe"
  2⤵
  PID:1248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\start.exe
  "C:\Users\Admin\AppData\Local\start.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Local\start.exe
    "C:\Users\Admin\AppData\Local\start.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2324
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp263C.tmp"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\start.exe.log

Filesize
706B

MD5
2ef5ef69dadb8865b3d5b58c956077b8

SHA1
af2d869bac00685c745652bbd8b3fe82829a8998

SHA256
363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3

SHA512
66d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp

Filesize
4KB

MD5
10fa8ec140c204486092fb161e567ec7

SHA1
4d63e1f8df3afefedb19df73d7ee5f3b1e7b6473

SHA256
7176ca3d0196ec46f178107fdb587adaef3f6ea65daa80eccd2371a515880e04

SHA512
9db4eeb3f07d8d0579f75f3426c91156809152d8c1a37c9a27bf159888f6dd97f1212ac80f5bbb17e4d86f3087c512ccba2ca50a2db07d071370bd36364e1f76

Download Submit
C:\Users\Admin\AppData\Local\start.exe

Filesize
791KB

MD5
bb9949c1dd3457d699def7fd8ac2eb9a

SHA1
119f207f2c27cc412fb5df582b7f69ea556f518a

SHA256
4aa65a171e00328be3622ca78be90936249a792e68313ebeeeec846d49e64069

SHA512
ac3e1eaf741ce7f4f39c4daa92b5e3a9ab1b4ef94a4a725e20ed2630d405498b8b05924eada676aea218a92a41caf1400e368d54b6be38debb32d1498f11460a

Download Submit
memory/372-6-0x0000000007D40000-0x0000000007D76000-memory.dmp

Filesize
216KB

Download
memory/372-1-0x0000000000CF0000-0x0000000000DBE000-memory.dmp

Filesize
824KB

Download
memory/372-5-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/372-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/372-7-0x0000000007D70000-0x0000000007D76000-memory.dmp

Filesize
24KB

Download
memory/372-11-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/372-3-0x00000000082F0000-0x0000000008894000-memory.dmp

Filesize
5.6MB

Download
memory/372-4-0x0000000007DE0000-0x0000000007E72000-memory.dmp

Filesize
584KB

Download
memory/372-2-0x0000000007C40000-0x0000000007D36000-memory.dmp

Filesize
984KB

Download
memory/1940-14-0x00000000052A0000-0x000000000533C000-memory.dmp

Filesize
624KB

Download
memory/2324-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2324-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2324-28-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/2324-29-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2740-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2740-19-0x00000000059A0000-0x0000000005A16000-memory.dmp

Filesize
472KB

Download
memory/2740-20-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/2740-35-0x00000000068E0000-0x00000000068EA000-memory.dmp

Filesize
40KB

Download
memory/5016-31-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5016-32-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5016-34-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download