hawkeye | 159d09cdbd90e5ce221f9ca7fd30646268cb2521d4279d707b346602b0eda59d | Triage

Submit
Reports

Overview

overview

Static

static

3

4defc86e25...18.exe

windows7-x64

4defc86e25...18.exe

windows10-2004-x64

Sharing

General

Target

4defc86e258d002b2c01eda4822d6331_JaffaCakes118
Size

683KB
Sample

240716-mmy6dsyarr
MD5

4defc86e258d002b2c01eda4822d6331
SHA1

b6aa5ccd6722d8c7c55536854438e4de9d713bf5
SHA256

159d09cdbd90e5ce221f9ca7fd30646268cb2521d4279d707b346602b0eda59d
SHA512

699b6f4435c77aeab071dd151bb5b38f5e34384022f31d75904b009900113f4cc26f66bfda28f7540293fac7715bd21d985bb72294875fa3ee3886123008ecce
SSDEEP

12288:4Szm0W4DTPa1RzO3Wmb++3k8O/l9EUJceUKdi3HIn7Ai+/TbMRTYIc:4Km0WEPa3O3WER3zi9cMEXTb5I

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

4defc86e258d002b2c01eda4822d6331_JaffaCakes118.exe

Resource

win7-20240704-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

4defc86e258d002b2c01eda4822d6331_JaffaCakes118.exe

Resource

win10v2004-20240709-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
yellow147

Targets

- Target
  
  4defc86e258d002b2c01eda4822d6331_JaffaCakes118
- Size
  
  683KB
- MD5
  
  4defc86e258d002b2c01eda4822d6331
- SHA1
  
  b6aa5ccd6722d8c7c55536854438e4de9d713bf5
- SHA256
  
  159d09cdbd90e5ce221f9ca7fd30646268cb2521d4279d707b346602b0eda59d
- SHA512
  
  699b6f4435c77aeab071dd151bb5b38f5e34384022f31d75904b009900113f4cc26f66bfda28f7540293fac7715bd21d985bb72294875fa3ee3886123008ecce
- SSDEEP
  
  12288:4Szm0W4DTPa1RzO3Wmb++3k8O/l9EUJceUKdi3HIn7Ai+/TbMRTYIc:4Km0WEPa3O3WER3zi9cMEXTb5I
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy