hawkeye | b4936100106c42df1c621d5316cb93151c873dd6930c1552d1ed884b7dc45fdb

General

Target

555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe
Size

168KB
MD5

555d3202e43afce04239e9c03eef07c9
SHA1

36934ac3982e7ff1d42fdf3287892af12cf58304
SHA256

b4936100106c42df1c621d5316cb93151c873dd6930c1552d1ed884b7dc45fdb
SHA512

5bf89fd827c330d2b52cee071afa97652837a06cf27feab4a7e66619d5fd32bcc20d3e6354c6aec8c882b01f4c401ce81c55be2d95626a366aa82865cb58390d
SSDEEP

3072:DpcJKeEeYE/NaX3K+QT5S+SEyt0jdJkwCJC2XZZ+38zw0x:SJVEe3DnT5lTygkwCJCqZZ+YwC

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exeexplorer.exeadiadg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	adiadg.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

2564 explorer.exe
Executes dropped EXE 3 IoCs

Processes:

explorer.exeadiadg.exewmiapsvrd.exe

pid process

2564 explorer.exe
3528 adiadg.exe
4520 wmiapsvrd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

adiadg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\adiadg.exe"	adiadg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeadiadg.exewmiapsvrd.exe

pid	process
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe
3528	adiadg.exe
4520	wmiapsvrd.exe
2564	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exeexplorer.exeadiadg.exewmiapsvrd.exe

description	pid	process
Token: SeDebugPrivilege	5096	555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe
Token: SeDebugPrivilege	2564	explorer.exe
Token: SeDebugPrivilege	3528	adiadg.exe
Token: SeDebugPrivilege	4520	wmiapsvrd.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exeexplorer.exeadiadg.exe

description	pid	process	target process
PID 5096 wrote to memory of 2564	5096	555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe	explorer.exe
PID 5096 wrote to memory of 2564	5096	555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe	explorer.exe
PID 5096 wrote to memory of 2564	5096	555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe	explorer.exe
PID 2564 wrote to memory of 3528	2564	explorer.exe	adiadg.exe
PID 2564 wrote to memory of 3528	2564	explorer.exe	adiadg.exe
PID 2564 wrote to memory of 3528	2564	explorer.exe	adiadg.exe
PID 3528 wrote to memory of 4520	3528	adiadg.exe	wmiapsvrd.exe
PID 3528 wrote to memory of 4520	3528	adiadg.exe	wmiapsvrd.exe
PID 3528 wrote to memory of 4520	3528	adiadg.exe	wmiapsvrd.exe

C:\Users\Admin\AppData\Local\Temp\555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Local\Temp\System\adiadg.exe
"C:\Users\Admin\AppData\Local\Temp\System\adiadg.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3528

C:\Users\Admin\AppData\Local\Temp\System\wmiapsvrd.exe
"C:\Users\Admin\AppData\Local\Temp\System\wmiapsvrd.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
60127e21ef3560d27e40b893627cd982

SHA1
37cbe26c435d9860711d2cbb55f87766aa6c1041

SHA256
80f27c853dcc612f36b7ea94259c0f3c733addfe17b268df544396b5dc7160bb

SHA512
189d2ff98f6cd73074ac673f0ce64ddb730475a0f3bab63f46a84c336b7d861b21e35b2ee9ba53ccbbfb6e7f7fa0e61611c771e67fd101edbc76750c061948b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\adiadg.exe

Filesize
19KB

MD5
7557176df708545d6e3bcfe8163b9fac

SHA1
b0611f219736022ded02c0281a40874568c64ebe

SHA256
179b309599d34b6fe68022867e145682eabe751cd0df6930b1ca79e3e48d549e

SHA512
0c405f76c0b2795956e87aff4e4ed5d6addea872cf87098ca8ed892da9cf03e27932f1b3765e191c5b87b6970159dd6dc1498ee02533a454fd3b6faf889b5857

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
168KB

MD5
555d3202e43afce04239e9c03eef07c9

SHA1
36934ac3982e7ff1d42fdf3287892af12cf58304

SHA256
b4936100106c42df1c621d5316cb93151c873dd6930c1552d1ed884b7dc45fdb

SHA512
5bf89fd827c330d2b52cee071afa97652837a06cf27feab4a7e66619d5fd32bcc20d3e6354c6aec8c882b01f4c401ce81c55be2d95626a366aa82865cb58390d

Download Submit
memory/2564-36-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2564-12-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2564-14-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3528-32-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3528-30-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3528-31-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3528-37-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/5096-13-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/5096-0-0x0000000074EA2000-0x0000000074EA3000-memory.dmp

Filesize
4KB

Download
memory/5096-1-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads