hawkeye_reborn | 33f05806ab5437e453da7fbf2f5b09ccaf62b98ff22a487167134c728e20102f

General

Target

efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe
Size

814KB
MD5

efa8a674ec587daa8b27235d35aa88b4
SHA1

4201655698c49e0d2a3a657c47db0053faf8ea76
SHA256

33f05806ab5437e453da7fbf2f5b09ccaf62b98ff22a487167134c728e20102f
SHA512

f3372a438ad1d9b81f421b17299f7a28e765bf2a82084e7661b10b7496138bf2a9982a58f1c2bd48580b3d37d6107514f9fc4be5a0afe366c95ef672fd1a9c26
SSDEEP

12288:2QhA458jD9Idir4KOHpcLbVprODAU2/3gItbucXDFXrGCjHMqgA3+UOKOQo:vh5gu+7TrODAVgIlugA16EKn

Score

10^/10

hawkeye_reborn m00nd3v_logger discovery infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 6 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/1820-24-0x0000000005250000-0x00000000052E0000-memory.dmp	m00nd3v_logger
behavioral1/memory/2940-37-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2940-35-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2940-33-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2940-29-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2940-27-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.url	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1820 set thread context of 2940	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2736	taskkill.exe
2336	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe
1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1688	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	28
PID 1820 wrote to memory of 1688	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	28
PID 1820 wrote to memory of 1688	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	28
PID 1820 wrote to memory of 1688	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	28
PID 1688 wrote to memory of 2216	1688	csc.exe	30
PID 1688 wrote to memory of 2216	1688	csc.exe	30
PID 1688 wrote to memory of 2216	1688	csc.exe	30
PID 1688 wrote to memory of 2216	1688	csc.exe	30
PID 1820 wrote to memory of 2940	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	31
PID 1820 wrote to memory of 2940	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	31
PID 1820 wrote to memory of 2940	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	31
PID 1820 wrote to memory of 2940	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	31
PID 1820 wrote to memory of 2940	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	31
PID 1820 wrote to memory of 2940	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	31
PID 1820 wrote to memory of 2940	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	31
PID 1820 wrote to memory of 2940	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	31
PID 1820 wrote to memory of 2940	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	31
PID 1820 wrote to memory of 2940	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	31
PID 1820 wrote to memory of 2940	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	31
PID 1820 wrote to memory of 2940	1820	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hfvxwcar\hfvxwcar.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE678.tmp" "c:\Users\Admin\AppData\Local\Temp\hfvxwcar\CSC67ABDD56EB7442CB812B7817AD8E1178.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM wscript.exe
    3⤵
    PID:2720
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /F /IM wscript.exe
      4⤵
      Kills process with taskkill
      PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM cmd.exe
    3⤵
    PID:2752
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /F /IM cmd.exe
      4⤵
      Kills process with taskkill
      PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE678.tmp

Filesize
1KB

MD5
093a7b7b462486e8358a899aec18b21f

SHA1
71d862e8aba984016936c5f34574351800f7545d

SHA256
41603cd6890e310b7d8bb6b3c0914b8c39a88c833e1efb2b352785de7c0cba2a

SHA512
f29e22f81dc72ca8d818356da6b5bfb1140c9f7e1a37b69f9efa887856c2c27ae9e9865a929d9648df04a52a77511d93179e5a728ecdc50d40d981d18fa22785

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfvxwcar\hfvxwcar.dll

Filesize
6KB

MD5
fe17cd9a7270c64d70d8b2e08905d7cd

SHA1
d6fa489c30838b35992d943ca84ae46d7f13b542

SHA256
379b35afebcc453abbcbe88f2bde7a4e445aa7e960ba5988b68db39f153ab3bd

SHA512
ee11ca827a94a3fc09dbbdcedb9e8b6b311a4926944e79b7ae11b8325879e562f322476c1647d850db2b8baf6cffd22bc43e1f0708d4290efc4c4afa85e398b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfvxwcar\hfvxwcar.pdb

Filesize
15KB

MD5
d7068dbf8ceec9c5c7cb9e185cc2c0d7

SHA1
f78a70d5ca5d0af363e08e2da132e4c0518e6a67

SHA256
070970834dafde0f2267f9568be8c0ec28554aace57e1dfe028a7a05b1c902ec

SHA512
7111cc9589de7083e828959ca8ae1ed6164ae86fa1bbda903d6766ad5b3b9e404e071ec5a6698c7fb5a416c80bfced21a6e63cb910f183bee76daff2ef962719

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfvxwcar\CSC67ABDD56EB7442CB812B7817AD8E1178.TMP

Filesize
1KB

MD5
df87b5a79ae174718dba5df6fd1254a1

SHA1
33a1b33cd287738c474bb2c2e78f04ea2d2936b7

SHA256
33830f3e0b213f33cf2c1cc394ba0224accf5813d2544653350200e5d36542bd

SHA512
b8476f1fc021ed747bf92ee481326144207ba903c22eb0821579a3d1e6774a326a0268a574daf108f36f32277137b772fd6385cecd222f38040fe7dd70282a41

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfvxwcar\hfvxwcar.0.cs

Filesize
2KB

MD5
e2873aff0e2899bc8d7490f204d40634

SHA1
213f7b0a51fd21e6187a3829ef3a57e63b4185d0

SHA256
c03e2315d26527eaaee7c4f8c1789044d5925925238c6edb4ca678df49e03133

SHA512
8e02c27be3a13a289ad6f67e450e0f333167fdf4c9b58dace06d56fa6c1531dade593eb09d27e47c6d856febbfac73324ba04dea7f416d0cec77c212c2932e1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfvxwcar\hfvxwcar.cmdline

Filesize
312B

MD5
558d061043bad6cf4c63823a514a2058

SHA1
f066f9690a661bcc0db630aeac30d4d247057863

SHA256
3b8ecca3d3b0065bc77786feca292dca0f28539ba819b16775b8194490975e81

SHA512
f0f9a69eb86aa21096a60471aaf6a788f626f3dbf3718f341eb52af85883e642f6dc2e863c510e50b55e4751cf78cf54adeade811872fea0444a6e716de9f1e3

Download Submit
memory/1820-24-0x0000000005250000-0x00000000052E0000-memory.dmp

Filesize
576KB

Download
memory/1820-1-0x0000000000200000-0x00000000002D2000-memory.dmp

Filesize
840KB

Download
memory/1820-38-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Filesize
6.9MB

Download
memory/1820-18-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/1820-0-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/1820-20-0x00000000051B0000-0x000000000524A000-memory.dmp

Filesize
616KB

Download
memory/1820-21-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/1820-3-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Filesize
6.9MB

Download
memory/1820-2-0x0000000000710000-0x0000000000718000-memory.dmp

Filesize
32KB

Download
memory/2940-33-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2940-35-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2940-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2940-29-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2940-27-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2940-26-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2940-25-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2940-37-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing