hawkeye_reborn | 33f05806ab5437e453da7fbf2f5b09ccaf62b98ff22a487167134c728e20102f

General

Target

efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe
Size

814KB
MD5

efa8a674ec587daa8b27235d35aa88b4
SHA1

4201655698c49e0d2a3a657c47db0053faf8ea76
SHA256

33f05806ab5437e453da7fbf2f5b09ccaf62b98ff22a487167134c728e20102f
SHA512

f3372a438ad1d9b81f421b17299f7a28e765bf2a82084e7661b10b7496138bf2a9982a58f1c2bd48580b3d37d6107514f9fc4be5a0afe366c95ef672fd1a9c26
SSDEEP

12288:2QhA458jD9Idir4KOHpcLbVprODAU2/3gItbucXDFXrGCjHMqgA3+UOKOQo:vh5gu+7TrODAVgIlugA16EKn

Score

10^/10

hawkeye_reborn m00nd3v_logger discovery infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/2208-25-0x0000000004EF0000-0x0000000004F80000-memory.dmp	m00nd3v_logger
behavioral2/memory/3452-27-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.url	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 3452	2208	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1184	taskkill.exe
852	taskkill.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2208	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe
2208	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe
3452	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe
Token: SeDebugPrivilege	3452	RegAsm.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	852	taskkill.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 3400	2208	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	82
PID 2208 wrote to memory of 3400	2208	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	82
PID 2208 wrote to memory of 3400	2208	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	82
PID 3400 wrote to memory of 4544	3400	csc.exe	84
PID 3400 wrote to memory of 4544	3400	csc.exe	84
PID 3400 wrote to memory of 4544	3400	csc.exe	84
PID 2208 wrote to memory of 3452	2208	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	85
PID 2208 wrote to memory of 3452	2208	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	85
PID 2208 wrote to memory of 3452	2208	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	85
PID 2208 wrote to memory of 3452	2208	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	85
PID 2208 wrote to memory of 3452	2208	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	85
PID 2208 wrote to memory of 3452	2208	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	85
PID 2208 wrote to memory of 3452	2208	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	85
PID 2208 wrote to memory of 3452	2208	efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe	85
PID 3452 wrote to memory of 3144	3452	RegAsm.exe	93
PID 3452 wrote to memory of 3144	3452	RegAsm.exe	93
PID 3452 wrote to memory of 3144	3452	RegAsm.exe	93
PID 3452 wrote to memory of 3940	3452	RegAsm.exe	95
PID 3452 wrote to memory of 3940	3452	RegAsm.exe	95
PID 3452 wrote to memory of 3940	3452	RegAsm.exe	95
PID 3144 wrote to memory of 1184	3144	cmd.exe	97
PID 3144 wrote to memory of 1184	3144	cmd.exe	97
PID 3144 wrote to memory of 1184	3144	cmd.exe	97
PID 3940 wrote to memory of 852	3940	cmd.exe	98
PID 3940 wrote to memory of 852	3940	cmd.exe	98
PID 3940 wrote to memory of 852	3940	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efa8a674ec587daa8b27235d35aa88b4_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fibg10qx\fibg10qx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83A7.tmp" "c:\Users\Admin\AppData\Local\Temp\fibg10qx\CSC9D0541D984E94A9F97734578FFBF772D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4544
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM wscript.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /F /IM wscript.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /F /IM cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES83A7.tmp

Filesize
1KB

MD5
e07e50a61cdfd8d5276ebffe410d60cd

SHA1
f83d41eb07c191da06fbb651a6b33bb5b8635ec6

SHA256
2d71614208914be94064d60b80253060e3c764501a7e24577fb491d346ca1f6f

SHA512
5899c9b0f3b88b14c394b50e0a3feb6648fa9b45840b918edc83e08ce905eb1136d155a3b701e273a6f05737c7017e56fead810be87a53a54098fbd25e4e1576

Download Submit
C:\Users\Admin\AppData\Local\Temp\fibg10qx\fibg10qx.dll

Filesize
6KB

MD5
c12e6cca6f01ab241877331e11f5af44

SHA1
d1c01af7ab0482309ed6b9ad4a9b047b2b2e7252

SHA256
d9ff77f1f17e1f7ceff25ffc6c1c45aa075aba016971160aa90d73119c2c6ea2

SHA512
d82a9c6f13b2367889719032150b2c0250b8746bc3095fb5ac13d8444cb4d958622329127c0203ddeeb034cf44670455505de6555643c9ec0b30dd065795064b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fibg10qx\fibg10qx.pdb

Filesize
15KB

MD5
6f308de9bbad53dc6e4e00930006883c

SHA1
48140e0ebff10b856a63b6260a596ca2cbfa1e32

SHA256
8940a7253e9d7e777eabc10a79b1d2fb43c248bf5bba8e331374fbf1bf29be5b

SHA512
0440e0a67e94c5e67b87e8ef847592b58967871411ae8fa994a92e0f05e19aee059b8d701df18cc8d9bf083298a86becdbf6fbcd8b40fb825a3490b74690645e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fibg10qx\CSC9D0541D984E94A9F97734578FFBF772D.TMP

Filesize
1KB

MD5
7fa99299091987e5042f8cf8c0eefc4e

SHA1
bd7591da01b5ac188c5b19669af900b560b94b35

SHA256
38d594a2ccdd8048900fecf0d493149d9bf28e7230de46d62c546af2d50a580d

SHA512
c087241644404a3e9b14e3ee032eda4cdf852dcb10110dd9847d93f86f0844fca92411dd339cc81fe573afa6dd960bd37574b617351dbc11e0e623fa88705d18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fibg10qx\fibg10qx.0.cs

Filesize
2KB

MD5
e2873aff0e2899bc8d7490f204d40634

SHA1
213f7b0a51fd21e6187a3829ef3a57e63b4185d0

SHA256
c03e2315d26527eaaee7c4f8c1789044d5925925238c6edb4ca678df49e03133

SHA512
8e02c27be3a13a289ad6f67e450e0f333167fdf4c9b58dace06d56fa6c1531dade593eb09d27e47c6d856febbfac73324ba04dea7f416d0cec77c212c2932e1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fibg10qx\fibg10qx.cmdline

Filesize
312B

MD5
119e1d72b846af4bd55d2e5bb09f1f6c

SHA1
e791a4da5af1c6e6b587820451c44f168b421f90

SHA256
1f4c07ef39b24c4090ff15db8818c80b3f191a3493ce87aff64f55b3d6b2f674

SHA512
2e5f3ab6da6e6d00edb900aee03e9fd284078c50111ed0e21a520d18eb4c0f963331efd54eb1f5a1d26c78cdfe8f068b0ebd1371bfaa4a566e1d6f9dc43d8bab

Download Submit
memory/2208-21-0x0000000004CF0000-0x0000000004D8A000-memory.dmp

Filesize
616KB

Download
memory/2208-26-0x0000000005340000-0x00000000053DC000-memory.dmp

Filesize
624KB

Download
memory/2208-3-0x00000000025F0000-0x00000000025F8000-memory.dmp

Filesize
32KB

Download
memory/2208-2-0x0000000004BA0000-0x0000000004C32000-memory.dmp

Filesize
584KB

Download
memory/2208-1-0x00000000000C0000-0x0000000000192000-memory.dmp

Filesize
840KB

Download
memory/2208-19-0x0000000002600000-0x0000000002608000-memory.dmp

Filesize
32KB

Download
memory/2208-0-0x000000007489E000-0x000000007489F000-memory.dmp

Filesize
4KB

Download
memory/2208-22-0x0000000004B70000-0x0000000004B7C000-memory.dmp

Filesize
48KB

Download
memory/2208-25-0x0000000004EF0000-0x0000000004F80000-memory.dmp

Filesize
576KB

Download
memory/2208-4-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/2208-29-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/3452-27-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3452-30-0x0000000070D42000-0x0000000070D43000-memory.dmp

Filesize
4KB

Download
memory/3452-31-0x0000000070D40000-0x00000000712F1000-memory.dmp

Filesize
5.7MB

Download
memory/3452-32-0x0000000070D40000-0x00000000712F1000-memory.dmp

Filesize
5.7MB

Download
memory/3452-33-0x0000000070D42000-0x0000000070D43000-memory.dmp

Filesize
4KB

Download
memory/3452-34-0x0000000070D40000-0x00000000712F1000-memory.dmp

Filesize
5.7MB

Download
memory/3452-37-0x0000000070D40000-0x00000000712F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing