hawkeye | 86a825dc2b72314a5db4885e495db0ed61044e3ed8e00cbe7dc05c706b66be5b

General

Target

91884f1ac121d9e5ded8bdef85da6052_JaffaCakes118.exe
Size

192KB
MD5

91884f1ac121d9e5ded8bdef85da6052
SHA1

e92c5ef867200ce2afe6d2ef3d2515375c25a8f7
SHA256

86a825dc2b72314a5db4885e495db0ed61044e3ed8e00cbe7dc05c706b66be5b
SHA512

62c19263d2dcd265610957176bb0794e071837b6b1c2e6922afd29c097fcfe210657627739b3e3e1c8409b0a8afb6b647e6d246eb276c10e0d1531293551311d
SSDEEP

3072:gej6QTDgiEIDL5ntDnj/rlIudpB8gkgqXEoqGxT5AH:g8hvg8DL5ntb7hBkgXoZxT5K

Score

10^/10

hawkeye credential_access keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
78951asd

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

91884f1ac121d9e5ded8bdef85da6052_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	91884f1ac121d9e5ded8bdef85da6052_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

Windows Update.exe

pid process

3528 Windows Update.exe

Drops startup file 2 IoCs

Processes:

Windows Update.exe

description	ioc	process
File created	C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe	Windows Update.exe
File opened for modification	C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe	Windows Update.exe

Executes dropped EXE 1 IoCs

Processes:

Windows Update.exe

pid process

3528 Windows Update.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Windows Update.exe

pid	process
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe
3528	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Windows Update.exe

description pid process

Token: SeDebugPrivilege 3528 Windows Update.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

3528 Windows Update.exe

description	pid	process
Token: SeDebugPrivilege	3528	Windows Update.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

91884f1ac121d9e5ded8bdef85da6052_JaffaCakes118.exe

description	pid	process	target process
PID 3252 wrote to memory of 3528	3252	91884f1ac121d9e5ded8bdef85da6052_JaffaCakes118.exe	Windows Update.exe
PID 3252 wrote to memory of 3528	3252	91884f1ac121d9e5ded8bdef85da6052_JaffaCakes118.exe	Windows Update.exe

C:\Users\Admin\AppData\Local\Temp\91884f1ac121d9e5ded8bdef85da6052_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\91884f1ac121d9e5ded8bdef85da6052_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
  2⤵
  - Deletes itself
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

4

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
007f02e79bb52ccf5f6fdf35a0daeeb3

SHA1
ab4948bf44ebbe20a5b6b1aceaec10e770b4b75a

SHA256
90c00b8890e07b8c0018615d071054177566933769fcebb2c267870f710cc6c1

SHA512
e666780b772935b54a6707eede2d97f6008d2653c1c105e654ae268417679108c02b755354577bab9b40377fd5e61af25796ab0f81cafd2af5556bb256d28f6d

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
192KB

MD5
91884f1ac121d9e5ded8bdef85da6052

SHA1
e92c5ef867200ce2afe6d2ef3d2515375c25a8f7

SHA256
86a825dc2b72314a5db4885e495db0ed61044e3ed8e00cbe7dc05c706b66be5b

SHA512
62c19263d2dcd265610957176bb0794e071837b6b1c2e6922afd29c097fcfe210657627739b3e3e1c8409b0a8afb6b647e6d246eb276c10e0d1531293551311d

Download Submit
memory/3252-1-0x00007FFE7EC90000-0x00007FFE7F631000-memory.dmp

Filesize
9.6MB

Download
memory/3252-4-0x000000001BE00000-0x000000001BEA6000-memory.dmp

Filesize
664KB

Download
memory/3252-0-0x00007FFE7EF45000-0x00007FFE7EF46000-memory.dmp

Filesize
4KB

Download
memory/3252-3-0x00007FFE7EC90000-0x00007FFE7F631000-memory.dmp

Filesize
9.6MB

Download
memory/3252-18-0x00007FFE7EC90000-0x00007FFE7F631000-memory.dmp

Filesize
9.6MB

Download
memory/3252-2-0x000000001B790000-0x000000001BC5E000-memory.dmp

Filesize
4.8MB

Download
memory/3528-19-0x00007FFE7EC90000-0x00007FFE7F631000-memory.dmp

Filesize
9.6MB

Download
memory/3528-29-0x000000001DDC0000-0x000000001DE0C000-memory.dmp

Filesize
304KB

Download
memory/3528-20-0x00007FFE7EC90000-0x00007FFE7F631000-memory.dmp

Filesize
9.6MB

Download
memory/3528-26-0x000000001D9D0000-0x000000001DA6C000-memory.dmp

Filesize
624KB

Download
memory/3528-27-0x000000001D870000-0x000000001D892000-memory.dmp

Filesize
136KB

Download
memory/3528-23-0x000000001D1B0000-0x000000001D212000-memory.dmp

Filesize
392KB

Download
memory/3528-28-0x000000001DE40000-0x000000001DE48000-memory.dmp

Filesize
32KB

Download
memory/3528-21-0x00007FFE7EC90000-0x00007FFE7F631000-memory.dmp

Filesize
9.6MB

Download
memory/3528-30-0x00007FFE7EC90000-0x00007FFE7F631000-memory.dmp

Filesize
9.6MB

Download
memory/3528-31-0x0000000020B50000-0x0000000020E5E000-memory.dmp

Filesize
3.1MB

Download
memory/3528-33-0x00007FFE7EC90000-0x00007FFE7F631000-memory.dmp

Filesize
9.6MB

Download
memory/3528-34-0x00007FFE7EC90000-0x00007FFE7F631000-memory.dmp

Filesize
9.6MB

Download
memory/3528-35-0x00007FFE7EC90000-0x00007FFE7F631000-memory.dmp

Filesize
9.6MB

Download
memory/3528-36-0x00007FFE7EC90000-0x00007FFE7F631000-memory.dmp

Filesize
9.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads