hawkeye | 34d3f55ffdc1abad9f4a882abb9905d512a7132707bc4ceeb9741e393bd7a302

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exe
Size

6.3MB
MD5

656dca17a0dd4cbac571d0f17eab50e6
SHA1

f78ef8e57c18b3723eb01ccc3fffee26b12f79ec
SHA256

34d3f55ffdc1abad9f4a882abb9905d512a7132707bc4ceeb9741e393bd7a302
SHA512

cdc72a30eca297a0b5d581bd7252764b6ccb9c31de2cde157433dd77ba3e698ea0f55a99b906eaa56f15d0fff0127f6662f5b956d6e0e13083f13ac7f1d18bfb
SSDEEP

98304:A3hhztB6UWnIqRlBZi1UcD96OcsGWRbT4hd+7ogxhTnjDs0vE8Cr:ARPB5WIqRZi1HDWshbUhO3TnjDpvEH

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exeexplorer.exetoskhost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	toskhost.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid	Process
2472	explorer.exe

Executes dropped EXE 3 IoCs

Processes:

explorer.exetoskhost.exeMapCmdRun.exe

pid	Process
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

toskhost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\toskhost.exe"	toskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exetoskhost.exeMapCmdRun.exe

pid	Process
2472	explorer.exe
3332	toskhost.exe
2472	explorer.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe
2472	explorer.exe
3332	toskhost.exe
4420	MapCmdRun.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exeexplorer.exetoskhost.exeMapCmdRun.exe

description	pid	Process
Token: SeDebugPrivilege	1648	656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exe
Token: SeDebugPrivilege	2472	explorer.exe
Token: SeDebugPrivilege	3332	toskhost.exe
Token: SeDebugPrivilege	4420	MapCmdRun.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exeexplorer.exetoskhost.exeMapCmdRun.exe

description	pid	Process	procid_target
PID 1648 wrote to memory of 2472	1648	656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exe	86
PID 1648 wrote to memory of 2472	1648	656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exe	86
PID 2472 wrote to memory of 4528	2472	explorer.exe	88
PID 2472 wrote to memory of 4528	2472	explorer.exe	88
PID 2472 wrote to memory of 3332	2472	explorer.exe	89
PID 2472 wrote to memory of 3332	2472	explorer.exe	89
PID 2472 wrote to memory of 3332	2472	explorer.exe	89
PID 3332 wrote to memory of 4420	3332	toskhost.exe	90
PID 3332 wrote to memory of 4420	3332	toskhost.exe	90
PID 4420 wrote to memory of 2232	4420	MapCmdRun.exe	91
PID 4420 wrote to memory of 2232	4420	MapCmdRun.exe	91

C:\Users\Admin\AppData\Local\Temp\656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\656dca17a0dd4cbac571d0f17eab50e6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    3⤵
    PID:4528
- - C:\Users\Admin\AppData\Local\Temp\System\toskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\System\toskhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe
      "C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe
        
        C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe
        5⤵
        
        PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
f3ae620c4d52b5a6043ed741c4d5d9a8

SHA1
7cb1ffe4163c87ac5c224be6d6991417b920ea7b

SHA256
b3b4a40dd692f30453e0ff0a877b520e30546fd8b0b35113124a521bf82a4276

SHA512
b4974141607ccd8c4bb7cf50036e9dfee7f30b8a9eb3324c0ef687d8687f02c60020f33a001482be83d7da6c8f84af100fd440442a7e19ac087045d317cb4a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\toskhost.exe

Filesize
20KB

MD5
88daff5cd1b0bc926ed2ffb429eeed19

SHA1
35d382bd9ceccdc9bbce628e83d699193bb6971c

SHA256
d2fb0a3ce7f4415cbb0b6d2b1ebad11c927d41035ed0e7a851f79fd653759c69

SHA512
e9c2e4aadd1450dd6eecf6c9bf31221bee6be7840881323b837c5a3479891e6831608771fec76e880f43bffb1936724ed299ffd02eb5f73644424233ae74c6b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
6.3MB

MD5
656dca17a0dd4cbac571d0f17eab50e6

SHA1
f78ef8e57c18b3723eb01ccc3fffee26b12f79ec

SHA256
34d3f55ffdc1abad9f4a882abb9905d512a7132707bc4ceeb9741e393bd7a302

SHA512
cdc72a30eca297a0b5d581bd7252764b6ccb9c31de2cde157433dd77ba3e698ea0f55a99b906eaa56f15d0fff0127f6662f5b956d6e0e13083f13ac7f1d18bfb

Download Submit
memory/1648-1-0x000000001B740000-0x000000001B7E6000-memory.dmp

Filesize
664KB

Download
memory/1648-2-0x00007FFF03D10000-0x00007FFF046B1000-memory.dmp

Filesize
9.6MB

Download
memory/1648-3-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download
memory/1648-4-0x00007FFF03D10000-0x00007FFF046B1000-memory.dmp

Filesize
9.6MB

Download
memory/1648-0-0x00007FFF03FC5000-0x00007FFF03FC6000-memory.dmp

Filesize
4KB

Download
memory/1648-16-0x00007FFF03D10000-0x00007FFF046B1000-memory.dmp

Filesize
9.6MB

Download
memory/2472-15-0x00007FFF03D10000-0x00007FFF046B1000-memory.dmp

Filesize
9.6MB

Download
memory/2472-18-0x00007FFF03D10000-0x00007FFF046B1000-memory.dmp

Filesize
9.6MB

Download
memory/2472-17-0x00007FFF03D10000-0x00007FFF046B1000-memory.dmp

Filesize
9.6MB

Download
memory/2472-38-0x00007FFF03D10000-0x00007FFF046B1000-memory.dmp

Filesize
9.6MB

Download
memory/3332-34-0x00000000011A0000-0x00000000011B0000-memory.dmp

Filesize
64KB

Download
memory/3332-39-0x00000000011A0000-0x00000000011B0000-memory.dmp

Filesize
64KB

Download