hawkeye | c0def001b11e3cb4334ab13f6d2ada8a259cbc8fb4932324e2aea9a839aa9c29 | Triage

Sharing

General

Target

de2f31f3883c0e84e6c4e1c2aebde801_JaffaCakes118
Size

553KB
Sample

240913-l7djraxdpj
MD5

de2f31f3883c0e84e6c4e1c2aebde801
SHA1

676d34caa52a4dec4829d724c4a1ccd889f91ff3
SHA256

c0def001b11e3cb4334ab13f6d2ada8a259cbc8fb4932324e2aea9a839aa9c29
SHA512

932d7baf385698ae48cdca85291392f4e7a8bc4bbfb6f53eed504fa6292b5ae79d90e61f08cc1b37c2dd75233bb4ba03fa373a90b08c7d29ef42dc598f831d48
SSDEEP

12288:QPxe0gF2s4XmJOHwUqKSCEL/+NV1oYsjogyAWRdTTBnSB6:AY0gUiAQCdEToOY3gtWRdH0B

Score

10^/10

hawkeye latentbot discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

latentbot

C2

dcomete70353.zapto.org

1dcomete70353.zapto.org

2dcomete70353.zapto.org

3dcomete70353.zapto.org

4dcomete70353.zapto.org

5dcomete70353.zapto.org

6dcomete70353.zapto.org

7dcomete70353.zapto.org

8dcomete70353.zapto.org

Targets

- Target
  
  de2f31f3883c0e84e6c4e1c2aebde801_JaffaCakes118
- Size
  
  553KB
- MD5
  
  de2f31f3883c0e84e6c4e1c2aebde801
- SHA1
  
  676d34caa52a4dec4829d724c4a1ccd889f91ff3
- SHA256
  
  c0def001b11e3cb4334ab13f6d2ada8a259cbc8fb4932324e2aea9a839aa9c29
- SHA512
  
  932d7baf385698ae48cdca85291392f4e7a8bc4bbfb6f53eed504fa6292b5ae79d90e61f08cc1b37c2dd75233bb4ba03fa373a90b08c7d29ef42dc598f831d48
- SSDEEP
  
  12288:QPxe0gF2s4XmJOHwUqKSCEL/+NV1oYsjogyAWRdTTBnSB6:AY0gUiAQCdEToOY3gtWRdH0B
Score

10^/10

hawkeye latentbot discovery evasion keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Modifies firewall policy service
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyelatentbotdiscoveryevasionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyelatentbotdiscoveryevasionkeyloggerpersistencespywarestealertrojan