hawkeye | 34d3f55ffdc1abad9f4a882abb9905d512a7132707bc4ceeb9741e393bd7a302

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exe
Size

6.3MB
MD5

656dca17a0dd4cbac571d0f17eab50e6
SHA1

f78ef8e57c18b3723eb01ccc3fffee26b12f79ec
SHA256

34d3f55ffdc1abad9f4a882abb9905d512a7132707bc4ceeb9741e393bd7a302
SHA512

cdc72a30eca297a0b5d581bd7252764b6ccb9c31de2cde157433dd77ba3e698ea0f55a99b906eaa56f15d0fff0127f6662f5b956d6e0e13083f13ac7f1d18bfb
SSDEEP

98304:A3hhztB6UWnIqRlBZi1UcD96OcsGWRbT4hd+7ogxhTnjDs0vE8Cr:ARPB5WIqRZi1HDWshbUhO3TnjDpvEH

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Deletes itself 1 IoCs

Processes:

explorer.exe

pid	Process
2696	explorer.exe

Executes dropped EXE 3 IoCs

Processes:

explorer.exetoskhost.exeMapCmdRun.exe

pid	Process
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe

Loads dropped DLL 2 IoCs

Processes:

toskhost.exe

pid	Process
2828	toskhost.exe
2828	toskhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

toskhost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\toskhost.exe"	toskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exetoskhost.exeMapCmdRun.exe

pid	Process
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe
2828	toskhost.exe
2620	MapCmdRun.exe
2696	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exeexplorer.exetoskhost.exeMapCmdRun.exe

description	pid	Process
Token: SeDebugPrivilege	1956	656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exe
Token: SeDebugPrivilege	2696	explorer.exe
Token: SeDebugPrivilege	2828	toskhost.exe
Token: SeDebugPrivilege	2620	MapCmdRun.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exeexplorer.exetoskhost.exeMapCmdRun.exe

description	pid	Process	procid_target
PID 1956 wrote to memory of 2696	1956	656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2696	1956	656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2696	1956	656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2340	2696	explorer.exe	31
PID 2696 wrote to memory of 2340	2696	explorer.exe	31
PID 2696 wrote to memory of 2340	2696	explorer.exe	31
PID 2696 wrote to memory of 2828	2696	explorer.exe	32
PID 2696 wrote to memory of 2828	2696	explorer.exe	32
PID 2696 wrote to memory of 2828	2696	explorer.exe	32
PID 2696 wrote to memory of 2828	2696	explorer.exe	32
PID 2828 wrote to memory of 2620	2828	toskhost.exe	33
PID 2828 wrote to memory of 2620	2828	toskhost.exe	33
PID 2828 wrote to memory of 2620	2828	toskhost.exe	33
PID 2828 wrote to memory of 2620	2828	toskhost.exe	33
PID 2620 wrote to memory of 2220	2620	MapCmdRun.exe	34
PID 2620 wrote to memory of 2220	2620	MapCmdRun.exe	34
PID 2620 wrote to memory of 2220	2620	MapCmdRun.exe	34

C:\Users\Admin\AppData\Local\Temp\656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    3⤵
    PID:2340
- - C:\Users\Admin\AppData\Local\Temp\System\toskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\System\toskhost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe
      "C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe
        
        C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe
        5⤵
        
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
f3ae620c4d52b5a6043ed741c4d5d9a8

SHA1
7cb1ffe4163c87ac5c224be6d6991417b920ea7b

SHA256
b3b4a40dd692f30453e0ff0a877b520e30546fd8b0b35113124a521bf82a4276

SHA512
b4974141607ccd8c4bb7cf50036e9dfee7f30b8a9eb3324c0ef687d8687f02c60020f33a001482be83d7da6c8f84af100fd440442a7e19ac087045d317cb4a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\toskhost.exe

Filesize
20KB

MD5
88daff5cd1b0bc926ed2ffb429eeed19

SHA1
35d382bd9ceccdc9bbce628e83d699193bb6971c

SHA256
d2fb0a3ce7f4415cbb0b6d2b1ebad11c927d41035ed0e7a851f79fd653759c69

SHA512
e9c2e4aadd1450dd6eecf6c9bf31221bee6be7840881323b837c5a3479891e6831608771fec76e880f43bffb1936724ed299ffd02eb5f73644424233ae74c6b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
6.3MB

MD5
656dca17a0dd4cbac571d0f17eab50e6

SHA1
f78ef8e57c18b3723eb01ccc3fffee26b12f79ec

SHA256
34d3f55ffdc1abad9f4a882abb9905d512a7132707bc4ceeb9741e393bd7a302

SHA512
cdc72a30eca297a0b5d581bd7252764b6ccb9c31de2cde157433dd77ba3e698ea0f55a99b906eaa56f15d0fff0127f6662f5b956d6e0e13083f13ac7f1d18bfb

Download Submit
memory/1956-1-0x00000000009C0000-0x00000000009D2000-memory.dmp

Filesize
72KB

Download
memory/1956-2-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

Filesize
9.6MB

Download
memory/1956-3-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

Filesize
9.6MB

Download
memory/1956-12-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

Filesize
9.6MB

Download
memory/1956-0-0x000007FEF5CDE000-0x000007FEF5CDF000-memory.dmp

Filesize
4KB

Download
memory/2696-15-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

Filesize
9.6MB

Download
memory/2696-16-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

Filesize
9.6MB

Download
memory/2696-13-0x00000000007C0000-0x00000000007D2000-memory.dmp

Filesize
72KB

Download
memory/2696-14-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

Filesize
9.6MB

Download
memory/2696-32-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

Filesize
9.6MB

Download