hawkeye | 25a7825a3bb8e1777dcaec1627d0030492091f053d77d660aa026a7e80b0ce0f

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe
Size

386KB
MD5

9f255a5fd8e9cbb1e8c2b1c88d436665
SHA1

b1583d74bd8eba91a43de585e4c13fa142441efc
SHA256

25a7825a3bb8e1777dcaec1627d0030492091f053d77d660aa026a7e80b0ce0f
SHA512

fa77764dcffabf9ebd295ddb741de5de8c1d899f20943579eff8c0aab8d3f204a5835e993271b847335ee6188db5bc6e3504c1e9b3b5f5f0c8d6c7aead25e27a
SSDEEP

6144:uptmZ62NlgsWxhFkZpXIGWvDwYNSZZa2TjaFJ7eIbH661cdfFI6u:StmLb2hFko5NS3LTk7pvchu

Score

10^/10

hawkeye keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

2472 explorer.exe
Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

2472 explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 2604 9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe
Token: SeDebugPrivilege 2472 explorer.exe

pid	process
2472	explorer.exe

pid	process
2472	explorer.exe

description	pid	process
Token: SeDebugPrivilege	2604	9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe
Token: SeDebugPrivilege	2472	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 2604 wrote to memory of 2472	2604	9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe	explorer.exe
PID 2604 wrote to memory of 2472	2604	9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe	explorer.exe
PID 2604 wrote to memory of 2472	2604	9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe	explorer.exe
PID 2472 wrote to memory of 3024	2472	explorer.exe	explorer.exe
PID 2472 wrote to memory of 3024	2472	explorer.exe	explorer.exe
PID 2472 wrote to memory of 3024	2472	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    3⤵
    PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
3a0c056fba2bbf42f9666d4fc3c900b3

SHA1
e56d46d5969470e54228bcc9a6eb4c562aeec6a0

SHA256
360c40d068ab4cda089db1fce7f4225bb915810b21bb9bf9e51b1beb49edfda5

SHA512
8da0bac2aaea0f1a6ac4aebe9c252de96289d3f063a649df2ee774cbaeb961fa4163f0992f26fb620a1758d6d4bd88da20c90ee261f004c71e4a3b8e45f3e689

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
386KB

MD5
9f255a5fd8e9cbb1e8c2b1c88d436665

SHA1
b1583d74bd8eba91a43de585e4c13fa142441efc

SHA256
25a7825a3bb8e1777dcaec1627d0030492091f053d77d660aa026a7e80b0ce0f

SHA512
fa77764dcffabf9ebd295ddb741de5de8c1d899f20943579eff8c0aab8d3f204a5835e993271b847335ee6188db5bc6e3504c1e9b3b5f5f0c8d6c7aead25e27a

Download Submit
memory/2472-12-0x000007FEF62F0000-0x000007FEF6C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2472-13-0x000007FEF62F0000-0x000007FEF6C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-15-0x000007FEF62F0000-0x000007FEF6C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-17-0x000007FEF62F0000-0x000007FEF6C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-0-0x000007FEF65AE000-0x000007FEF65AF000-memory.dmp

Filesize
4KB

Download
memory/2604-1-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2604-4-0x000007FEF62F0000-0x000007FEF6C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-11-0x000007FEF62F0000-0x000007FEF6C8D000-memory.dmp

Filesize
9.6MB

Download