hawkeye | afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
Size

92KB
MD5

39701f5c18d18cd690f7ded4f1ea958e
SHA1

982abd7a3c93c48536917a958fc97252f5e225e1
SHA256

afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c
SHA512

cb804688ca6496a0f4a06f56a561134aaf1f9631b2e4e8de4ffa5a7ca183c7d8a221a8d3a3ea33efe7a6505bfab5dea115f9ac24b33333f4523bad68433314ff
SSDEEP

1536:sEUQjlDAMOcnNFCEcK3gGrvOAoY7ld0ckN3wTr3iAkHyy+dOrrrrrr:sVulMMlXE+g41jkNyTr

Score

10^/10

hawkeye evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	AppLaunch.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	mvscavAP.exe

Deletes itself 1 IoCs

pid	Process
760	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wins = "C:\\WINDOWS\\ctfmon.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wins = "C:\\WINDOWS\\ctfmon.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mvscavAP.exe"	mvscavAP.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 760 set thread context of 4464	760	explorer.exe	87
PID 664 set thread context of 2436	664	SiaPort.exe	90

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\ctfmon.exe	AppLaunch.exe
File opened for modification	C:\WINDOWS\ctfmon.exe	AppLaunch.exe
File opened for modification	C:\WINDOWS\ctfmon.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1232	reg.exe
2700	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe
3520	mvscavAP.exe
664	SiaPort.exe
760	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
Token: SeDebugPrivilege	760	explorer.exe
Token: SeDebugPrivilege	3520	mvscavAP.exe
Token: SeDebugPrivilege	664	SiaPort.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4464	AppLaunch.exe
2436	AppLaunch.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 760	116	39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe	86
PID 116 wrote to memory of 760	116	39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe	86
PID 116 wrote to memory of 760	116	39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe	86
PID 760 wrote to memory of 4464	760	explorer.exe	87
PID 760 wrote to memory of 4464	760	explorer.exe	87
PID 760 wrote to memory of 4464	760	explorer.exe	87
PID 760 wrote to memory of 4464	760	explorer.exe	87
PID 760 wrote to memory of 4464	760	explorer.exe	87
PID 760 wrote to memory of 4464	760	explorer.exe	87
PID 760 wrote to memory of 4464	760	explorer.exe	87
PID 760 wrote to memory of 4464	760	explorer.exe	87
PID 760 wrote to memory of 3520	760	explorer.exe	88
PID 760 wrote to memory of 3520	760	explorer.exe	88
PID 760 wrote to memory of 3520	760	explorer.exe	88
PID 3520 wrote to memory of 664	3520	mvscavAP.exe	89
PID 3520 wrote to memory of 664	3520	mvscavAP.exe	89
PID 3520 wrote to memory of 664	3520	mvscavAP.exe	89
PID 664 wrote to memory of 2436	664	SiaPort.exe	90
PID 664 wrote to memory of 2436	664	SiaPort.exe	90
PID 664 wrote to memory of 2436	664	SiaPort.exe	90
PID 664 wrote to memory of 2436	664	SiaPort.exe	90
PID 664 wrote to memory of 2436	664	SiaPort.exe	90
PID 664 wrote to memory of 2436	664	SiaPort.exe	90
PID 664 wrote to memory of 2436	664	SiaPort.exe	90
PID 664 wrote to memory of 2436	664	SiaPort.exe	90
PID 4464 wrote to memory of 1232	4464	AppLaunch.exe	91
PID 4464 wrote to memory of 1232	4464	AppLaunch.exe	91
PID 4464 wrote to memory of 1232	4464	AppLaunch.exe	91
PID 2436 wrote to memory of 2700	2436	AppLaunch.exe	93
PID 2436 wrote to memory of 2700	2436	AppLaunch.exe	93
PID 2436 wrote to memory of 2700	2436	AppLaunch.exe	93

C:\Users\Admin\AppData\Local\Temp\39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    3⤵
    - UAC bypass
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\SysWOW64\reg.exe
      reg add hklm\software\microsoft\windows\currentversion\run /v wins /t reg_sz /d C:\WINDOWS\ctfmon.exe /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:1232
- - C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
    "C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
      "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:664
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        5⤵
        UAC bypass
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\SysWOW64\reg.exe
        
        reg add hklm\software\microsoft\windows\currentversion\run /v wins /t reg_sz /d C:\WINDOWS\ctfmon.exe /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
f12133d461ae93607418ef1c0d1ff5eb

SHA1
ff555c4a7875ac2375a5ed2fa8b29982b1b2dc61

SHA256
ed2685597be7038bd55083c086f9da96b9aec167241405baad6929474a1de5d1

SHA512
498f51923dddfe79c96e2b0fbdd8f6deafa47a4f169d669952a22634c4693e6e760ca5beb234a25c870948f9a5de3b60bb13f79f40715ddf971ad5ac26021fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe

Filesize
7KB

MD5
1e065c8186d7d23b9fad718e030ad963

SHA1
ed1f41e4d34ed3321eb9dfbc6ac82b322de0c904

SHA256
45c1f790d9b856ccc02aa6be9f1102734fd9df534f6cea3b905de0698caedfdb

SHA512
feef86acf449371102d4bf7a3b6aa50ebafff01d4f23c9bf24f69e35faf92956f205d8c8ea082d615e62b680ed1038dfda6e4e099707be45c2b7bdf32bffbc23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
92KB

MD5
39701f5c18d18cd690f7ded4f1ea958e

SHA1
982abd7a3c93c48536917a958fc97252f5e225e1

SHA256
afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c

SHA512
cb804688ca6496a0f4a06f56a561134aaf1f9631b2e4e8de4ffa5a7ca183c7d8a221a8d3a3ea33efe7a6505bfab5dea115f9ac24b33333f4523bad68433314ff

Download Submit
memory/116-1-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/116-2-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/116-13-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/116-0-0x00000000747E2000-0x00000000747E3000-memory.dmp

Filesize
4KB

Download
memory/760-15-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/760-14-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/760-48-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/3520-36-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/3520-49-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/4464-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4464-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download