hawkeye | b5e5a10f1938311fb83b7c8a9ad59977e12734f4f61361afa83dd49d6ca377d3

Analysis

max time kernel
150s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe
Size

151KB
MD5

de823ba5d67de8682e6d7b8b472dbbcb
SHA1

5a6c8a94f16906bfce04a892b40aaa5470fdaeb6
SHA256

b5e5a10f1938311fb83b7c8a9ad59977e12734f4f61361afa83dd49d6ca377d3
SHA512

5659e3c4d7e3af18cf06f3c0a05272deef6b169be2b3c2979f7ab69fc90120877d3e52b508a8e24949e6622e428fc82396a42fb30ec7d5ff0bc8733d034649de
SSDEEP

3072:6OfDkDkZ8w0HS4FjEoVrS3VOqiRrXbvJOykW1Ly4d:f7voBFIZIbvJOmLy

Score

10^/10

hawkeye discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exeexplorer.exeigfpers.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	igfpers.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid	Process
2752	explorer.exe

Executes dropped EXE 5 IoCs

Processes:

explorer.exeexplorer.exeigfpers.exesqlserver.exesqlserver.exe

pid	Process
2752	explorer.exe
2780	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
1176	sqlserver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

igfpers.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA User Experience Driver Component = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\igfpers.exe"	igfpers.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

explorer.exesqlserver.exe

description	pid	Process	procid_target
PID 2752 set thread context of 2780	2752	explorer.exe	87
PID 3100 set thread context of 1176	3100	sqlserver.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exeigfpers.exesqlserver.exesqlserver.exede823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exeexplorer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfpers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sqlserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sqlserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeigfpers.exesqlserver.exe

pid	Process
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe
3216	igfpers.exe
3100	sqlserver.exe
2752	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exeexplorer.exeigfpers.exesqlserver.exe

description	pid	Process
Token: SeDebugPrivilege	4604	de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe
Token: SeDebugPrivilege	2752	explorer.exe
Token: SeDebugPrivilege	3216	igfpers.exe
Token: SeDebugPrivilege	3100	sqlserver.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exeexplorer.exeigfpers.exesqlserver.exe

description	pid	Process	procid_target
PID 4604 wrote to memory of 2752	4604	de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe	86
PID 4604 wrote to memory of 2752	4604	de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe	86
PID 4604 wrote to memory of 2752	4604	de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe	86
PID 2752 wrote to memory of 2780	2752	explorer.exe	87
PID 2752 wrote to memory of 2780	2752	explorer.exe	87
PID 2752 wrote to memory of 2780	2752	explorer.exe	87
PID 2752 wrote to memory of 2780	2752	explorer.exe	87
PID 2752 wrote to memory of 2780	2752	explorer.exe	87
PID 2752 wrote to memory of 2780	2752	explorer.exe	87
PID 2752 wrote to memory of 2780	2752	explorer.exe	87
PID 2752 wrote to memory of 2780	2752	explorer.exe	87
PID 2752 wrote to memory of 2780	2752	explorer.exe	87
PID 2752 wrote to memory of 3216	2752	explorer.exe	88
PID 2752 wrote to memory of 3216	2752	explorer.exe	88
PID 2752 wrote to memory of 3216	2752	explorer.exe	88
PID 3216 wrote to memory of 3100	3216	igfpers.exe	91
PID 3216 wrote to memory of 3100	3216	igfpers.exe	91
PID 3216 wrote to memory of 3100	3216	igfpers.exe	91
PID 3100 wrote to memory of 1176	3100	sqlserver.exe	92
PID 3100 wrote to memory of 1176	3100	sqlserver.exe	92
PID 3100 wrote to memory of 1176	3100	sqlserver.exe	92
PID 3100 wrote to memory of 1176	3100	sqlserver.exe	92
PID 3100 wrote to memory of 1176	3100	sqlserver.exe	92
PID 3100 wrote to memory of 1176	3100	sqlserver.exe	92
PID 3100 wrote to memory of 1176	3100	sqlserver.exe	92
PID 3100 wrote to memory of 1176	3100	sqlserver.exe	92
PID 3100 wrote to memory of 1176	3100	sqlserver.exe	92

C:\Users\Admin\AppData\Local\Temp\de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de823ba5d67de8682e6d7b8b472dbbcb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\System\igfpers.exe
    "C:\Users\Admin\AppData\Local\Temp\System\igfpers.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Users\Admin\AppData\Local\Temp\System\sqlserver.exe
      "C:\Users\Admin\AppData\Local\Temp\System\sqlserver.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3100
    - - C:\Users\Admin\AppData\Local\Temp\System\sqlserver.exe
        
        C:\Users\Admin\AppData\Local\Temp\System\sqlserver.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
ea846671907529a26e8abc1c0d21a0db

SHA1
d1806ffc2a76ae376be4bf50a4f47f7be50236b4

SHA256
abd0678a8c14916abffb49ced1ad71f05b4c1b81e74d36a8c59f7732ccf66a86

SHA512
a63eb92717db5153755b6c4682d03ca10b27c29e1ba98b7b70b0bea099a7d5d153c0c940ea9465aa2c9c497a43ea550947723a36d86ae07d87dc0f86cb793af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\igfpers.exe

Filesize
36KB

MD5
3947d1ec4b3921ee45dc615cdb41289a

SHA1
050df6cda2476da1f7f1594985b6add5ccf51d02

SHA256
c1facc2d77e87d8210e74029e639b05dd7482aa2b1eb2e7cc7699ec45aa96b71

SHA512
03313943fe821fbf5b099a9fa329f9f2fce8489bb48084c40ac852fa20e9d685aeaad26888e88791f66f477ac04dc0db318344eed7c81b7062cddb2f497bc333

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
151KB

MD5
de823ba5d67de8682e6d7b8b472dbbcb

SHA1
5a6c8a94f16906bfce04a892b40aaa5470fdaeb6

SHA256
b5e5a10f1938311fb83b7c8a9ad59977e12734f4f61361afa83dd49d6ca377d3

SHA512
5659e3c4d7e3af18cf06f3c0a05272deef6b169be2b3c2979f7ab69fc90120877d3e52b508a8e24949e6622e428fc82396a42fb30ec7d5ff0bc8733d034649de

Download Submit
memory/2752-16-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/2752-15-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/2752-14-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/2752-41-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/2780-22-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2780-24-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/2780-25-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/2780-42-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/4604-0-0x00000000751E2000-0x00000000751E3000-memory.dmp

Filesize
4KB

Download
memory/4604-13-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/4604-2-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/4604-1-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download