hawkeye | afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
Size

92KB
MD5

39701f5c18d18cd690f7ded4f1ea958e
SHA1

982abd7a3c93c48536917a958fc97252f5e225e1
SHA256

afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c
SHA512

cb804688ca6496a0f4a06f56a561134aaf1f9631b2e4e8de4ffa5a7ca183c7d8a221a8d3a3ea33efe7a6505bfab5dea115f9ac24b33333f4523bad68433314ff
SSDEEP

1536:sEUQjlDAMOcnNFCEcK3gGrvOAoY7ld0ckN3wTr3iAkHyy+dOrrrrrr:sVulMMlXE+g41jkNyTr

Score

10^/10

hawkeye evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	AppLaunch.exe

Deletes itself 1 IoCs

pid	Process
2500	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe

Loads dropped DLL 6 IoCs

pid	Process
2092	39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
2092	39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
2500	explorer.exe
2500	explorer.exe
2788	mvscavAP.exe
2788	mvscavAP.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mvscavAP.exe"	mvscavAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wins = "C:\\WINDOWS\\ctfmon.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wins = "C:\\WINDOWS\\ctfmon.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2500 set thread context of 2724	2500	explorer.exe	32
PID 2568 set thread context of 2544	2568	SiaPort.exe	35

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\ctfmon.exe	AppLaunch.exe
File opened for modification	C:\WINDOWS\ctfmon.exe	AppLaunch.exe
File created	C:\WINDOWS\ctfmon.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1684	reg.exe
1348	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe
2788	mvscavAP.exe
2568	SiaPort.exe
2500	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
Token: SeDebugPrivilege	2500	explorer.exe
Token: SeDebugPrivilege	2788	mvscavAP.exe
Token: SeDebugPrivilege	2568	SiaPort.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2724	AppLaunch.exe
2544	AppLaunch.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2500	2092	39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2500	2092	39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2500	2092	39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2500	2092	39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe	31
PID 2500 wrote to memory of 2724	2500	explorer.exe	32
PID 2500 wrote to memory of 2724	2500	explorer.exe	32
PID 2500 wrote to memory of 2724	2500	explorer.exe	32
PID 2500 wrote to memory of 2724	2500	explorer.exe	32
PID 2500 wrote to memory of 2724	2500	explorer.exe	32
PID 2500 wrote to memory of 2724	2500	explorer.exe	32
PID 2500 wrote to memory of 2724	2500	explorer.exe	32
PID 2500 wrote to memory of 2724	2500	explorer.exe	32
PID 2500 wrote to memory of 2724	2500	explorer.exe	32
PID 2500 wrote to memory of 2724	2500	explorer.exe	32
PID 2500 wrote to memory of 2724	2500	explorer.exe	32
PID 2500 wrote to memory of 2724	2500	explorer.exe	32
PID 2500 wrote to memory of 2788	2500	explorer.exe	33
PID 2500 wrote to memory of 2788	2500	explorer.exe	33
PID 2500 wrote to memory of 2788	2500	explorer.exe	33
PID 2500 wrote to memory of 2788	2500	explorer.exe	33
PID 2788 wrote to memory of 2568	2788	mvscavAP.exe	34
PID 2788 wrote to memory of 2568	2788	mvscavAP.exe	34
PID 2788 wrote to memory of 2568	2788	mvscavAP.exe	34
PID 2788 wrote to memory of 2568	2788	mvscavAP.exe	34
PID 2568 wrote to memory of 2544	2568	SiaPort.exe	35
PID 2568 wrote to memory of 2544	2568	SiaPort.exe	35
PID 2568 wrote to memory of 2544	2568	SiaPort.exe	35
PID 2568 wrote to memory of 2544	2568	SiaPort.exe	35
PID 2568 wrote to memory of 2544	2568	SiaPort.exe	35
PID 2568 wrote to memory of 2544	2568	SiaPort.exe	35
PID 2568 wrote to memory of 2544	2568	SiaPort.exe	35
PID 2568 wrote to memory of 2544	2568	SiaPort.exe	35
PID 2568 wrote to memory of 2544	2568	SiaPort.exe	35
PID 2568 wrote to memory of 2544	2568	SiaPort.exe	35
PID 2568 wrote to memory of 2544	2568	SiaPort.exe	35
PID 2568 wrote to memory of 2544	2568	SiaPort.exe	35
PID 2724 wrote to memory of 1684	2724	AppLaunch.exe	36
PID 2724 wrote to memory of 1684	2724	AppLaunch.exe	36
PID 2724 wrote to memory of 1684	2724	AppLaunch.exe	36
PID 2724 wrote to memory of 1684	2724	AppLaunch.exe	36
PID 2724 wrote to memory of 1684	2724	AppLaunch.exe	36
PID 2724 wrote to memory of 1684	2724	AppLaunch.exe	36
PID 2724 wrote to memory of 1684	2724	AppLaunch.exe	36
PID 2544 wrote to memory of 1348	2544	AppLaunch.exe	38
PID 2544 wrote to memory of 1348	2544	AppLaunch.exe	38
PID 2544 wrote to memory of 1348	2544	AppLaunch.exe	38
PID 2544 wrote to memory of 1348	2544	AppLaunch.exe	38
PID 2544 wrote to memory of 1348	2544	AppLaunch.exe	38
PID 2544 wrote to memory of 1348	2544	AppLaunch.exe	38
PID 2544 wrote to memory of 1348	2544	AppLaunch.exe	38

C:\Users\Admin\AppData\Local\Temp\39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    3⤵
    - UAC bypass
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\reg.exe
      reg add hklm\software\microsoft\windows\currentversion\run /v wins /t reg_sz /d C:\WINDOWS\ctfmon.exe /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:1684
- - C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
    "C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
      "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        5⤵
        UAC bypass
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\SysWOW64\reg.exe
        
        reg add hklm\software\microsoft\windows\currentversion\run /v wins /t reg_sz /d C:\WINDOWS\ctfmon.exe /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
f12133d461ae93607418ef1c0d1ff5eb

SHA1
ff555c4a7875ac2375a5ed2fa8b29982b1b2dc61

SHA256
ed2685597be7038bd55083c086f9da96b9aec167241405baad6929474a1de5d1

SHA512
498f51923dddfe79c96e2b0fbdd8f6deafa47a4f169d669952a22634c4693e6e760ca5beb234a25c870948f9a5de3b60bb13f79f40715ddf971ad5ac26021fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe

Filesize
7KB

MD5
1e065c8186d7d23b9fad718e030ad963

SHA1
ed1f41e4d34ed3321eb9dfbc6ac82b322de0c904

SHA256
45c1f790d9b856ccc02aa6be9f1102734fd9df534f6cea3b905de0698caedfdb

SHA512
feef86acf449371102d4bf7a3b6aa50ebafff01d4f23c9bf24f69e35faf92956f205d8c8ea082d615e62b680ed1038dfda6e4e099707be45c2b7bdf32bffbc23

Download Submit
C:\WINDOWS\ctfmon.exe

Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
92KB

MD5
39701f5c18d18cd690f7ded4f1ea958e

SHA1
982abd7a3c93c48536917a958fc97252f5e225e1

SHA256
afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c

SHA512
cb804688ca6496a0f4a06f56a561134aaf1f9631b2e4e8de4ffa5a7ca183c7d8a221a8d3a3ea33efe7a6505bfab5dea115f9ac24b33333f4523bad68433314ff

Download Submit
memory/2092-1-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2092-2-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2092-14-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2092-0-0x0000000074581000-0x0000000074582000-memory.dmp

Filesize
4KB

Download
memory/2500-15-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2500-16-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2500-67-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2544-60-0x0000000000240000-0x0000000000291000-memory.dmp

Filesize
324KB

Download
memory/2724-24-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2724-35-0x0000000000800000-0x0000000000851000-memory.dmp

Filesize
324KB

Download
memory/2724-26-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2724-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-32-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2724-66-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2724-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download