hawkeye | b4936100106c42df1c621d5316cb93151c873dd6930c1552d1ed884b7dc45fdb

General

Target

555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe
Size

168KB
MD5

555d3202e43afce04239e9c03eef07c9
SHA1

36934ac3982e7ff1d42fdf3287892af12cf58304
SHA256

b4936100106c42df1c621d5316cb93151c873dd6930c1552d1ed884b7dc45fdb
SHA512

5bf89fd827c330d2b52cee071afa97652837a06cf27feab4a7e66619d5fd32bcc20d3e6354c6aec8c882b01f4c401ce81c55be2d95626a366aa82865cb58390d
SSDEEP

3072:DpcJKeEeYE/NaX3K+QT5S+SEyt0jdJkwCJC2XZZ+38zw0x:SJVEe3DnT5lTygkwCJCqZZ+YwC

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

2648 explorer.exe
Executes dropped EXE 3 IoCs

Processes:

explorer.exeadiadg.exewmiapsvrd.exe

pid process

2648 explorer.exe
2772 adiadg.exe
2836 wmiapsvrd.exe

Loads dropped DLL 5 IoCs

Processes:

555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exeexplorer.exeadiadg.exe

pid	process
1292	555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe
1292	555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe
2648	explorer.exe
2772	adiadg.exe
2772	adiadg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

adiadg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\adiadg.exe"	adiadg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeadiadg.exewmiapsvrd.exe

pid	process
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe
2772	adiadg.exe
2836	wmiapsvrd.exe
2648	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exeexplorer.exeadiadg.exewmiapsvrd.exe

description	pid	process
Token: SeDebugPrivilege	1292	555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe
Token: SeDebugPrivilege	2648	explorer.exe
Token: SeDebugPrivilege	2772	adiadg.exe
Token: SeDebugPrivilege	2836	wmiapsvrd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exeexplorer.exeadiadg.exe

description	pid	process	target process
PID 1292 wrote to memory of 2648	1292	555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe	explorer.exe
PID 1292 wrote to memory of 2648	1292	555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe	explorer.exe
PID 1292 wrote to memory of 2648	1292	555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe	explorer.exe
PID 1292 wrote to memory of 2648	1292	555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe	explorer.exe
PID 2648 wrote to memory of 2772	2648	explorer.exe	adiadg.exe
PID 2648 wrote to memory of 2772	2648	explorer.exe	adiadg.exe
PID 2648 wrote to memory of 2772	2648	explorer.exe	adiadg.exe
PID 2648 wrote to memory of 2772	2648	explorer.exe	adiadg.exe
PID 2772 wrote to memory of 2836	2772	adiadg.exe	wmiapsvrd.exe
PID 2772 wrote to memory of 2836	2772	adiadg.exe	wmiapsvrd.exe
PID 2772 wrote to memory of 2836	2772	adiadg.exe	wmiapsvrd.exe
PID 2772 wrote to memory of 2836	2772	adiadg.exe	wmiapsvrd.exe

C:\Users\Admin\AppData\Local\Temp\555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\AppData\Local\Temp\System\adiadg.exe
"C:\Users\Admin\AppData\Local\Temp\System\adiadg.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\System\wmiapsvrd.exe
"C:\Users\Admin\AppData\Local\Temp\System\wmiapsvrd.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
60127e21ef3560d27e40b893627cd982

SHA1
37cbe26c435d9860711d2cbb55f87766aa6c1041

SHA256
80f27c853dcc612f36b7ea94259c0f3c733addfe17b268df544396b5dc7160bb

SHA512
189d2ff98f6cd73074ac673f0ce64ddb730475a0f3bab63f46a84c336b7d861b21e35b2ee9ba53ccbbfb6e7f7fa0e61611c771e67fd101edbc76750c061948b2

Download Submit
\Users\Admin\AppData\Local\Temp\System\adiadg.exe

Filesize
19KB

MD5
7557176df708545d6e3bcfe8163b9fac

SHA1
b0611f219736022ded02c0281a40874568c64ebe

SHA256
179b309599d34b6fe68022867e145682eabe751cd0df6930b1ca79e3e48d549e

SHA512
0c405f76c0b2795956e87aff4e4ed5d6addea872cf87098ca8ed892da9cf03e27932f1b3765e191c5b87b6970159dd6dc1498ee02533a454fd3b6faf889b5857

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
168KB

MD5
555d3202e43afce04239e9c03eef07c9

SHA1
36934ac3982e7ff1d42fdf3287892af12cf58304

SHA256
b4936100106c42df1c621d5316cb93151c873dd6930c1552d1ed884b7dc45fdb

SHA512
5bf89fd827c330d2b52cee071afa97652837a06cf27feab4a7e66619d5fd32bcc20d3e6354c6aec8c882b01f4c401ce81c55be2d95626a366aa82865cb58390d

Download Submit
memory/1292-0-0x0000000074021000-0x0000000074022000-memory.dmp

Filesize
4KB

Download
memory/1292-1-0x0000000074020000-0x00000000745CB000-memory.dmp

Filesize
5.7MB

Download
memory/1292-2-0x0000000074020000-0x00000000745CB000-memory.dmp

Filesize
5.7MB

Download
memory/1292-15-0x0000000074020000-0x00000000745CB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-14-0x0000000074020000-0x00000000745CB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-32-0x0000000074020000-0x00000000745CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads