hawkeye_reborn | e3feac95bcecabe4ecf24bd863e9342ab2ae51378ab6fb97830bf2d9e9ea0267

Analysis

max time kernel
137s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cddc1af47e645f25c0e9e99d57a035e3_JaffaCakes118.exe
Size

1.9MB
MD5

cddc1af47e645f25c0e9e99d57a035e3
SHA1

493a0bc9269ad8df16869a70a37e4ad1009f11d7
SHA256

e3feac95bcecabe4ecf24bd863e9342ab2ae51378ab6fb97830bf2d9e9ea0267
SHA512

4a3729b62202c1397cb22fc92d136df74931f250089ccd9195ecbff886000ccda4707aef6861591738df956ce31539b34de6566b7c9d518f116ca0f246ade8af
SSDEEP

24576:xOmF4yfY/vwq+mI5URjYubjGYRHqS+km45biPPQuqZ+k4v6P7g8uEG1t8oFfsJ5b:

Score

10^/10

hawkeye_reborn m00nd3v_logger collection credential_access discovery infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
nj-s5.dedicatedpanel.net
Port:
587
Username:
[email protected]
Password:
Zaher@56070

Protocol: ftp
Host:
ftp.cnvester.com
Port:
21
Username:
[email protected]
Password:
dionis@56070

Mutex

e4e84dc6-9121-4ccd-a4e3-ae62eb6992f5

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:Zaher@56070 _EmailPort:587 _EmailSSL:true _EmailServer:nj-s5.dedicatedpanel.net _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPassword:dionis@56070 _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.cnvester.com _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:180 _MeltFile:false _Mutex:e4e84dc6-9121-4ccd-a4e3-ae62eb6992f5 _PanelSecret:67b6ee75-2800-354b-75e7-981c629e3001 _PanelURL:vanneil.ru/ _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 8 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3488-74-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3488-73-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3488-71-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3488-79-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3312-83-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3312-87-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3312-84-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3312-81-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

M00nD3v Logger payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/3912-62-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral2/memory/5108-59-0x0000000005450000-0x00000000054E0000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3312-83-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3312-87-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3312-84-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3312-81-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3488-74-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3488-73-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3488-71-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3488-79-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.url	cddc1af47e645f25c0e9e99d57a035e3_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5108 set thread context of 3912	5108	cddc1af47e645f25c0e9e99d57a035e3_JaffaCakes118.exe	87
PID 3912 set thread context of 3488	3912	RegAsm.exe	95
PID 3912 set thread context of 3312	3912	RegAsm.exe	96

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cddc1af47e645f25c0e9e99d57a035e3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3488	vbc.exe
3488	vbc.exe
3488	vbc.exe
3488	vbc.exe
3488	vbc.exe
3488	vbc.exe
3488	vbc.exe
3488	vbc.exe
3488	vbc.exe
3488	vbc.exe
3488	vbc.exe
3488	vbc.exe
3912	RegAsm.exe
3912	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5108	cddc1af47e645f25c0e9e99d57a035e3_JaffaCakes118.exe
Token: SeDebugPrivilege	3912	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3912	RegAsm.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 3912	5108	cddc1af47e645f25c0e9e99d57a035e3_JaffaCakes118.exe	87
PID 5108 wrote to memory of 3912	5108	cddc1af47e645f25c0e9e99d57a035e3_JaffaCakes118.exe	87
PID 5108 wrote to memory of 3912	5108	cddc1af47e645f25c0e9e99d57a035e3_JaffaCakes118.exe	87
PID 5108 wrote to memory of 3912	5108	cddc1af47e645f25c0e9e99d57a035e3_JaffaCakes118.exe	87
PID 5108 wrote to memory of 3912	5108	cddc1af47e645f25c0e9e99d57a035e3_JaffaCakes118.exe	87
PID 5108 wrote to memory of 3912	5108	cddc1af47e645f25c0e9e99d57a035e3_JaffaCakes118.exe	87
PID 5108 wrote to memory of 3912	5108	cddc1af47e645f25c0e9e99d57a035e3_JaffaCakes118.exe	87
PID 5108 wrote to memory of 3912	5108	cddc1af47e645f25c0e9e99d57a035e3_JaffaCakes118.exe	87
PID 3912 wrote to memory of 3488	3912	RegAsm.exe	95
PID 3912 wrote to memory of 3488	3912	RegAsm.exe	95
PID 3912 wrote to memory of 3488	3912	RegAsm.exe	95
PID 3912 wrote to memory of 3488	3912	RegAsm.exe	95
PID 3912 wrote to memory of 3488	3912	RegAsm.exe	95
PID 3912 wrote to memory of 3488	3912	RegAsm.exe	95
PID 3912 wrote to memory of 3488	3912	RegAsm.exe	95
PID 3912 wrote to memory of 3488	3912	RegAsm.exe	95
PID 3912 wrote to memory of 3488	3912	RegAsm.exe	95
PID 3912 wrote to memory of 3312	3912	RegAsm.exe	96
PID 3912 wrote to memory of 3312	3912	RegAsm.exe	96
PID 3912 wrote to memory of 3312	3912	RegAsm.exe	96
PID 3912 wrote to memory of 3312	3912	RegAsm.exe	96
PID 3912 wrote to memory of 3312	3912	RegAsm.exe	96
PID 3912 wrote to memory of 3312	3912	RegAsm.exe	96
PID 3912 wrote to memory of 3312	3912	RegAsm.exe	96
PID 3912 wrote to memory of 3312	3912	RegAsm.exe	96
PID 3912 wrote to memory of 3312	3912	RegAsm.exe	96

C:\Users\Admin\AppData\Local\Temp\cddc1af47e645f25c0e9e99d57a035e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cddc1af47e645f25c0e9e99d57a035e3_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD6C8.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3488
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpDAD0.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD6C8.tmp

Filesize
4KB

MD5
16f4f7c4051f4bbdaa93a1ca80690065

SHA1
750cacbdd2d089a88119374560d6ac004954e90e

SHA256
6c4559e4413cccaeab73cad48ffd804506c95566e4d6a3f5ae64017a33ea6ec2

SHA512
cb0f68d393ad03a5c802a2978ff7b12e20911bac5e27200c2df16d5d3f63dfc2387c0cd1a9075d8e4ba9ae804a6b61225575e2f42b3ef024e863d5b172417964

Download Submit
memory/3312-83-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3312-84-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3312-85-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/3312-87-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3312-81-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3488-79-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3488-74-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3488-73-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3488-71-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3912-65-0x0000000071760000-0x0000000071D11000-memory.dmp

Filesize
5.7MB

Download
memory/3912-67-0x0000000071760000-0x0000000071D11000-memory.dmp

Filesize
5.7MB

Download
memory/3912-64-0x0000000071762000-0x0000000071763000-memory.dmp

Filesize
4KB

Download
memory/3912-68-0x0000000071760000-0x0000000071D11000-memory.dmp

Filesize
5.7MB

Download
memory/3912-62-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3912-69-0x0000000071762000-0x0000000071763000-memory.dmp

Filesize
4KB

Download
memory/5108-28-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-54-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-46-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-42-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-40-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-38-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-36-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-34-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-32-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-30-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/5108-24-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-22-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-20-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-16-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-14-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-12-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-48-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-10-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-44-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-8-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-7-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-26-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-18-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-50-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-52-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-56-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-58-0x00000000053F0000-0x000000000540F000-memory.dmp

Filesize
124KB

Download
memory/5108-59-0x0000000005450000-0x00000000054E0000-memory.dmp

Filesize
576KB

Download
memory/5108-66-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/5108-61-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/5108-60-0x00000000055F0000-0x000000000568C000-memory.dmp

Filesize
624KB

Download
memory/5108-3-0x00000000053F0000-0x0000000005416000-memory.dmp

Filesize
152KB

Download
memory/5108-4-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/5108-2-0x0000000005340000-0x00000000053F4000-memory.dmp

Filesize
720KB

Download
memory/5108-1-0x00000000008A0000-0x0000000000A88000-memory.dmp

Filesize
1.9MB

Download