hawkeye | 9f1f28be4c21032cba96c553adf0b3b0874020bbc3caf7da31be41df464aa5cf

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe
Size

169KB
MD5

74e5ed5269a7436d2c634d718dd0a36a
SHA1

9f96d79d44fd3d5e62345bb112c35b5653775379
SHA256

9f1f28be4c21032cba96c553adf0b3b0874020bbc3caf7da31be41df464aa5cf
SHA512

cd2f3ff28b49a0faded600390f03ec61845f943cfb2b1b231e3dbab441107a34bd8a824de2a080e9249c609a653268c4c057f084ba63273cd439e89e9d3e69b0
SSDEEP

3072:FXKqLsn1Qbx8JQiKpZHekPD0qBxc9XOLWEqtaYGnPxENBbealADWCUgC61:F2SbxmQiuH7PD0qBxuXOCiYOPxENBK5D

Score

10^/10

hawkeye discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

audioadg.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	audioadg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audioadg.exe"	audioadg.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exeexplorer.exeexplorer.exeWmiprwsd.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	Wmiprwsd.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid	Process
4908	explorer.exe

Executes dropped EXE 8 IoCs

Processes:

explorer.exeexplorer.exeaudioadg.exeWmiprwsd.exeWmiprwsd.exeTemp.exeTemp.exeTemp.exe

pid	Process
4908	explorer.exe
184	explorer.exe
3924	audioadg.exe
4376	Wmiprwsd.exe
220	Wmiprwsd.exe
3132	Temp.exe
4964	Temp.exe
3156	Temp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

audioadg.exeTemp.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audioadg.exe"	audioadg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Temp.exe"	Temp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

explorer.exeWmiprwsd.exeTemp.exe

description	pid	Process	procid_target
PID 4908 set thread context of 184	4908	explorer.exe	88
PID 4376 set thread context of 220	4376	Wmiprwsd.exe	91
PID 3132 set thread context of 4964	3132	Temp.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Temp.exeTemp.exe74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exeexplorer.exeaudioadg.exeWmiprwsd.exeWmiprwsd.exeexplorer.exeTemp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audioadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wmiprwsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wmiprwsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp.exe

Modifies registry class 2 IoCs

Processes:

explorer.exeWmiprwsd.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Wmiprwsd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeaudioadg.exeWmiprwsd.exeTemp.exeTemp.exe

pid	Process
4908	explorer.exe
3924	audioadg.exe
4376	Wmiprwsd.exe
3132	Temp.exe
3156	Temp.exe
4908	explorer.exe
4376	Wmiprwsd.exe
3132	Temp.exe
3156	Temp.exe
4908	explorer.exe
4376	Wmiprwsd.exe
3132	Temp.exe
3156	Temp.exe
4908	explorer.exe
4376	Wmiprwsd.exe
3132	Temp.exe
3156	Temp.exe
4908	explorer.exe
4376	Wmiprwsd.exe
3132	Temp.exe
3156	Temp.exe
4908	explorer.exe
4376	Wmiprwsd.exe
3132	Temp.exe
3156	Temp.exe
4908	explorer.exe
4376	Wmiprwsd.exe
3132	Temp.exe
3156	Temp.exe
4908	explorer.exe
4376	Wmiprwsd.exe
3132	Temp.exe
3156	Temp.exe
4908	explorer.exe
4376	Wmiprwsd.exe
3132	Temp.exe
3156	Temp.exe
4908	explorer.exe
4376	Wmiprwsd.exe
3132	Temp.exe
3156	Temp.exe
4908	explorer.exe
4376	Wmiprwsd.exe
3132	Temp.exe
3156	Temp.exe
4908	explorer.exe
4376	Wmiprwsd.exe
3924	audioadg.exe
3132	Temp.exe
3156	Temp.exe
4908	explorer.exe
4376	Wmiprwsd.exe
3924	audioadg.exe
3132	Temp.exe
3156	Temp.exe
4908	explorer.exe
4376	Wmiprwsd.exe
3924	audioadg.exe
3132	Temp.exe
3156	Temp.exe
4908	explorer.exe
4376	Wmiprwsd.exe
3924	audioadg.exe
3132	Temp.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exeexplorer.exeaudioadg.exeWmiprwsd.exeTemp.exeTemp.exe

description	pid	Process
Token: SeDebugPrivilege	948	74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe
Token: SeDebugPrivilege	4908	explorer.exe
Token: SeDebugPrivilege	3924	audioadg.exe
Token: SeDebugPrivilege	4376	Wmiprwsd.exe
Token: SeDebugPrivilege	3132	Temp.exe
Token: SeDebugPrivilege	3156	Temp.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exeexplorer.exeaudioadg.exeWmiprwsd.exeexplorer.exeTemp.exeWmiprwsd.exeTemp.exe

description	pid	Process	procid_target
PID 948 wrote to memory of 4908	948	74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe	87
PID 948 wrote to memory of 4908	948	74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe	87
PID 948 wrote to memory of 4908	948	74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe	87
PID 4908 wrote to memory of 184	4908	explorer.exe	88
PID 4908 wrote to memory of 184	4908	explorer.exe	88
PID 4908 wrote to memory of 184	4908	explorer.exe	88
PID 4908 wrote to memory of 184	4908	explorer.exe	88
PID 4908 wrote to memory of 184	4908	explorer.exe	88
PID 4908 wrote to memory of 184	4908	explorer.exe	88
PID 4908 wrote to memory of 184	4908	explorer.exe	88
PID 4908 wrote to memory of 184	4908	explorer.exe	88
PID 4908 wrote to memory of 184	4908	explorer.exe	88
PID 4908 wrote to memory of 184	4908	explorer.exe	88
PID 4908 wrote to memory of 184	4908	explorer.exe	88
PID 4908 wrote to memory of 184	4908	explorer.exe	88
PID 4908 wrote to memory of 184	4908	explorer.exe	88
PID 4908 wrote to memory of 3924	4908	explorer.exe	89
PID 4908 wrote to memory of 3924	4908	explorer.exe	89
PID 4908 wrote to memory of 3924	4908	explorer.exe	89
PID 3924 wrote to memory of 4376	3924	audioadg.exe	90
PID 3924 wrote to memory of 4376	3924	audioadg.exe	90
PID 3924 wrote to memory of 4376	3924	audioadg.exe	90
PID 4376 wrote to memory of 220	4376	Wmiprwsd.exe	91
PID 4376 wrote to memory of 220	4376	Wmiprwsd.exe	91
PID 4376 wrote to memory of 220	4376	Wmiprwsd.exe	91
PID 4376 wrote to memory of 220	4376	Wmiprwsd.exe	91
PID 4376 wrote to memory of 220	4376	Wmiprwsd.exe	91
PID 4376 wrote to memory of 220	4376	Wmiprwsd.exe	91
PID 4376 wrote to memory of 220	4376	Wmiprwsd.exe	91
PID 4376 wrote to memory of 220	4376	Wmiprwsd.exe	91
PID 4376 wrote to memory of 220	4376	Wmiprwsd.exe	91
PID 4376 wrote to memory of 220	4376	Wmiprwsd.exe	91
PID 4376 wrote to memory of 220	4376	Wmiprwsd.exe	91
PID 4376 wrote to memory of 220	4376	Wmiprwsd.exe	91
PID 4376 wrote to memory of 220	4376	Wmiprwsd.exe	91
PID 184 wrote to memory of 3132	184	explorer.exe	92
PID 184 wrote to memory of 3132	184	explorer.exe	92
PID 184 wrote to memory of 3132	184	explorer.exe	92
PID 3132 wrote to memory of 4964	3132	Temp.exe	93
PID 3132 wrote to memory of 4964	3132	Temp.exe	93
PID 3132 wrote to memory of 4964	3132	Temp.exe	93
PID 3132 wrote to memory of 4964	3132	Temp.exe	93
PID 3132 wrote to memory of 4964	3132	Temp.exe	93
PID 3132 wrote to memory of 4964	3132	Temp.exe	93
PID 3132 wrote to memory of 4964	3132	Temp.exe	93
PID 3132 wrote to memory of 4964	3132	Temp.exe	93
PID 3132 wrote to memory of 4964	3132	Temp.exe	93
PID 3132 wrote to memory of 4964	3132	Temp.exe	93
PID 3132 wrote to memory of 4964	3132	Temp.exe	93
PID 3132 wrote to memory of 4964	3132	Temp.exe	93
PID 3132 wrote to memory of 4964	3132	Temp.exe	93
PID 220 wrote to memory of 3156	220	Wmiprwsd.exe	94
PID 220 wrote to memory of 3156	220	Wmiprwsd.exe	94
PID 220 wrote to memory of 3156	220	Wmiprwsd.exe	94
PID 3156 wrote to memory of 4576	3156	Temp.exe	95
PID 3156 wrote to memory of 4576	3156	Temp.exe	95
PID 3156 wrote to memory of 4576	3156	Temp.exe	95

C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\Documents\explorer.exe
  "C:\Users\Admin\Documents\explorer.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\Documents\explorer.exe
    C:\Users\Admin\Documents\explorer.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:184
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4964
- - C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
      C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
        
        C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
      - C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
        7⤵
        
        PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
55B

MD5
0cb5c42fd26af3137f9b847cdaf6678d

SHA1
abdad38dffdd2aea628f93f2c55c8a958828866a

SHA256
de836f24bdfc49d9ff1edb1b52d2f5e5e19352e43c95e4fb1d8e1691d290d4e1

SHA512
9e17b6a6694855900e5fb20975bdd98e536c9095d36c02ba671cb9cf0850ebe1546f5a35bd175021f687ddd1412985ef105940d88d469b9328a200be1cb35517

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
86B

MD5
f4c1b2ab4c900cbc78cb94aa076b0273

SHA1
3594b28990ed6c519013096d09e2514efebe4710

SHA256
d8ab752eb5e186c5ca9745cd078577ef759a82c93686446eade4edc613dceafa

SHA512
630d89abb641d602eb0dfcab2740d9443f8edd5c72411b517186e699414c44d916e78ebc4f3cccad64f528107ab502b4b469c75f38e868343897f444298edead

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
51B

MD5
2d421d5d27c83a8d80478ccded23873a

SHA1
9849b69bcaed8b6fca38e9fc17e2abbd7df5ca7d

SHA256
6d513e948a16ca79064e0d510b8b92fb6a84434a1b60744567aafec3820cbb26

SHA512
df6e37db8131242d12d07fe36f4190f884babe5ef80d2160bc45918c621e3ce05ddfb2ddf494ff62494f8faf61b9f219c3a89688993c317a7ba5440d84ab3631

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe

Filesize
8KB

MD5
6ac73d462625d27d9f0f599ca1190dea

SHA1
746cbcaf898421e361baa72ac5400d6e5d6ef732

SHA256
fa35e4d655c8d1eefd9d4bacab0f6d932bd061e23c49503af747161248307f0c

SHA512
5789644e331955e2363fd45e45a49bb4266b01ab772d503a8324e4d126ddb2e244297462030a4c63c0088551ef6cac94fa460e4f7ce9f844757afdca4a5d4601

Download Submit
C:\Users\Admin\Documents\explorer.exe

Filesize
169KB

MD5
74e5ed5269a7436d2c634d718dd0a36a

SHA1
9f96d79d44fd3d5e62345bb112c35b5653775379

SHA256
9f1f28be4c21032cba96c553adf0b3b0874020bbc3caf7da31be41df464aa5cf

SHA512
cd2f3ff28b49a0faded600390f03ec61845f943cfb2b1b231e3dbab441107a34bd8a824de2a080e9249c609a653268c4c057f084ba63273cd439e89e9d3e69b0

Download Submit
memory/184-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/184-25-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/184-26-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/948-18-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/948-0-0x0000000075222000-0x0000000075223000-memory.dmp

Filesize
4KB

Download
memory/948-2-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/948-1-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/4908-17-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/4908-21-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/4908-74-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download