hawkeye | b5e5a10f1938311fb83b7c8a9ad59977e12734f4f61361afa83dd49d6ca377d3

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe
Size

151KB
MD5

de823ba5d67de8682e6d7b8b472dbbcb
SHA1

5a6c8a94f16906bfce04a892b40aaa5470fdaeb6
SHA256

b5e5a10f1938311fb83b7c8a9ad59977e12734f4f61361afa83dd49d6ca377d3
SHA512

5659e3c4d7e3af18cf06f3c0a05272deef6b169be2b3c2979f7ab69fc90120877d3e52b508a8e24949e6622e428fc82396a42fb30ec7d5ff0bc8733d034649de
SSDEEP

3072:6OfDkDkZ8w0HS4FjEoVrS3VOqiRrXbvJOykW1Ly4d:f7voBFIZIbvJOmLy

Score

10^/10

hawkeye discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Deletes itself 1 IoCs

pid	Process
2816	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
2816	explorer.exe
2688	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2920	sqlserver.exe

Loads dropped DLL 7 IoCs

pid	Process
2660	de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe
2660	de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe
2816	explorer.exe
2816	explorer.exe
2832	igfpers.exe
2832	igfpers.exe
2908	sqlserver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA User Experience Driver Component = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\igfpers.exe"	igfpers.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2816 set thread context of 2688	2816	explorer.exe	31
PID 2908 set thread context of 2920	2908	sqlserver.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sqlserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfpers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sqlserver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe
2832	igfpers.exe
2908	sqlserver.exe
2816	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe
Token: SeDebugPrivilege	2816	explorer.exe
Token: SeDebugPrivilege	2832	igfpers.exe
Token: SeDebugPrivilege	2908	sqlserver.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2816	2660	de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2816	2660	de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2816	2660	de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2816	2660	de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe	30
PID 2816 wrote to memory of 2688	2816	explorer.exe	31
PID 2816 wrote to memory of 2688	2816	explorer.exe	31
PID 2816 wrote to memory of 2688	2816	explorer.exe	31
PID 2816 wrote to memory of 2688	2816	explorer.exe	31
PID 2816 wrote to memory of 2688	2816	explorer.exe	31
PID 2816 wrote to memory of 2688	2816	explorer.exe	31
PID 2816 wrote to memory of 2688	2816	explorer.exe	31
PID 2816 wrote to memory of 2688	2816	explorer.exe	31
PID 2816 wrote to memory of 2688	2816	explorer.exe	31
PID 2816 wrote to memory of 2688	2816	explorer.exe	31
PID 2816 wrote to memory of 2832	2816	explorer.exe	32
PID 2816 wrote to memory of 2832	2816	explorer.exe	32
PID 2816 wrote to memory of 2832	2816	explorer.exe	32
PID 2816 wrote to memory of 2832	2816	explorer.exe	32
PID 2832 wrote to memory of 2908	2832	igfpers.exe	33
PID 2832 wrote to memory of 2908	2832	igfpers.exe	33
PID 2832 wrote to memory of 2908	2832	igfpers.exe	33
PID 2832 wrote to memory of 2908	2832	igfpers.exe	33
PID 2908 wrote to memory of 2920	2908	sqlserver.exe	34
PID 2908 wrote to memory of 2920	2908	sqlserver.exe	34
PID 2908 wrote to memory of 2920	2908	sqlserver.exe	34
PID 2908 wrote to memory of 2920	2908	sqlserver.exe	34
PID 2908 wrote to memory of 2920	2908	sqlserver.exe	34
PID 2908 wrote to memory of 2920	2908	sqlserver.exe	34
PID 2908 wrote to memory of 2920	2908	sqlserver.exe	34
PID 2908 wrote to memory of 2920	2908	sqlserver.exe	34
PID 2908 wrote to memory of 2920	2908	sqlserver.exe	34
PID 2908 wrote to memory of 2920	2908	sqlserver.exe	34

C:\Users\Admin\AppData\Local\Temp\de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2688
- - C:\Users\Admin\AppData\Local\Temp\System\igfpers.exe
    "C:\Users\Admin\AppData\Local\Temp\System\igfpers.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\System\sqlserver.exe
      "C:\Users\Admin\AppData\Local\Temp\System\sqlserver.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Users\Admin\AppData\Local\Temp\System\sqlserver.exe
        
        C:\Users\Admin\AppData\Local\Temp\System\sqlserver.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
ea846671907529a26e8abc1c0d21a0db

SHA1
d1806ffc2a76ae376be4bf50a4f47f7be50236b4

SHA256
abd0678a8c14916abffb49ced1ad71f05b4c1b81e74d36a8c59f7732ccf66a86

SHA512
a63eb92717db5153755b6c4682d03ca10b27c29e1ba98b7b70b0bea099a7d5d153c0c940ea9465aa2c9c497a43ea550947723a36d86ae07d87dc0f86cb793af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\igfpers.exe

Filesize
36KB

MD5
3947d1ec4b3921ee45dc615cdb41289a

SHA1
050df6cda2476da1f7f1594985b6add5ccf51d02

SHA256
c1facc2d77e87d8210e74029e639b05dd7482aa2b1eb2e7cc7699ec45aa96b71

SHA512
03313943fe821fbf5b099a9fa329f9f2fce8489bb48084c40ac852fa20e9d685aeaad26888e88791f66f477ac04dc0db318344eed7c81b7062cddb2f497bc333

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
151KB

MD5
de823ba5d67de8682e6d7b8b472dbbcb

SHA1
5a6c8a94f16906bfce04a892b40aaa5470fdaeb6

SHA256
b5e5a10f1938311fb83b7c8a9ad59977e12734f4f61361afa83dd49d6ca377d3

SHA512
5659e3c4d7e3af18cf06f3c0a05272deef6b169be2b3c2979f7ab69fc90120877d3e52b508a8e24949e6622e428fc82396a42fb30ec7d5ff0bc8733d034649de

Download Submit
memory/2660-1-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2660-2-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2660-14-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2660-0-0x0000000074A41000-0x0000000074A42000-memory.dmp

Filesize
4KB

Download
memory/2688-26-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-24-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-34-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-37-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-69-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-30-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-28-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-22-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-39-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-40-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2816-15-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2816-16-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2816-68-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2920-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download