hawkeye_reborn | 5e1c47b5cc6816b687126c26231578083c1b3ee2541836b58bb01452592adb5f

General

Target

f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe
Size

2.1MB
MD5

f7835d63004df191a84914a8bbf7caaa
SHA1

68eb4d98ac8b80ffae1874ebc72b2315f172b6e9
SHA256

5e1c47b5cc6816b687126c26231578083c1b3ee2541836b58bb01452592adb5f
SHA512

abe31479e2d64faa0f328a11abdd388f0172e0e2b22eae6e74f15f90332c7ac4ca19012330d301fa8bf6f7cc6ee554d6a7026ffcc2c591129ef93c47d3187f84
SSDEEP

24576:/AHnh+eWsN3skA4RV1Hom2KXMmHa3O+KHeAsUPVjvJ3ad6P9uQETtB7DX0iK5:ih+ZkldoPK8Ya3NZtY

Score

10^/10

hawkeye_reborn m00nd3v_logger collection discovery infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
mail.coniketransport.com
Port:
26
Username:
[email protected]
Password:
goodyear@2019

Mutex

90882945-8989-48e8-bd21-21066212c105

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:goodyear@2019 _EmailPort:26 _EmailSSL:false _EmailServer:mail.coniketransport.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:280 _MeltFile:false _Mutex:90882945-8989-48e8-bd21-21066212c105 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral2/memory/1108-15-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1108-17-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1108-18-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1108-24-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4012-26-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4012-27-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4012-29-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/5056-2-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4012-26-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4012-27-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4012-29-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/1108-15-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/1108-17-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/1108-18-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/1108-24-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IEChooser.url	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 bot.whatismyipaddress.com

flow	ioc
39	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exeRegAsm.exe

description	pid	process	target process
PID 764 set thread context of 5056	764	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe	RegAsm.exe
PID 5056 set thread context of 1108	5056	RegAsm.exe	vbc.exe
PID 5056 set thread context of 4012	5056	RegAsm.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exeRegAsm.execmd.exePING.EXEvbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

2172 cmd.exe
1432 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1432 PING.EXE

pid	process
2172	cmd.exe
1432	PING.EXE

pid	process
1432	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

vbc.exeRegAsm.exe

pid	process
1108	vbc.exe
1108	vbc.exe
1108	vbc.exe
1108	vbc.exe
1108	vbc.exe
1108	vbc.exe
1108	vbc.exe
1108	vbc.exe
1108	vbc.exe
1108	vbc.exe
1108	vbc.exe
1108	vbc.exe
5056	RegAsm.exe
5056	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 5056 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	5056	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe

pid	process
764	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe
764	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe
764	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe

pid	process
764	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe
764	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe
764	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

5056 RegAsm.exe

pid	process
5056	RegAsm.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.execmd.exeRegAsm.exe

description	pid	process	target process
PID 764 wrote to memory of 5056	764	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe	RegAsm.exe
PID 764 wrote to memory of 5056	764	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe	RegAsm.exe
PID 764 wrote to memory of 5056	764	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe	RegAsm.exe
PID 764 wrote to memory of 5056	764	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe	RegAsm.exe
PID 764 wrote to memory of 5056	764	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe	RegAsm.exe
PID 764 wrote to memory of 2172	764	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe	cmd.exe
PID 764 wrote to memory of 2172	764	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe	cmd.exe
PID 764 wrote to memory of 2172	764	f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe	cmd.exe
PID 2172 wrote to memory of 1432	2172	cmd.exe	PING.EXE
PID 2172 wrote to memory of 1432	2172	cmd.exe	PING.EXE
PID 2172 wrote to memory of 1432	2172	cmd.exe	PING.EXE
PID 5056 wrote to memory of 1108	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 1108	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 1108	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 1108	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 1108	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 1108	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 1108	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 1108	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 1108	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 4012	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 4012	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 4012	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 4012	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 4012	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 4012	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 4012	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 4012	5056	RegAsm.exe	vbc.exe
PID 5056 wrote to memory of 4012	5056	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC6AB.tmp"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1108

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCAB3.tmp"
3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:4012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k ping 127.0.0.1 -t 0 & del C:\Users\Admin\AppData\Local\Temp\f7835d63004df191a84914a8bbf7caaa_JaffaCakes118.exe & exit
2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -t 0
3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC6AB.tmp
Filesize
4KB

MD5
faaa2b16df1bfc1a3792faaa35786349

SHA1
359534a59d7c5139ae205c24533ba60afdfb9f3f

SHA256
3586befc3b8b4da223e2ee0dcb00965ba5c0a205c14f2acefdeec7e46efddd5a

SHA512
2fbc79cace52a58e69ab983d034bb41ebb2496f767e18e5e4b31eefc4447c935d8614f744c71302e459350a05562fadc4c2355d76638b595e7cff1bb3d1618db

Download Submit
memory/764-0-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/1108-18-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1108-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1108-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1108-17-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4012-29-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4012-27-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4012-26-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5056-7-0x0000000073AB0000-0x0000000074061000-memory.dmp

Filesize
5.7MB

Download
memory/5056-13-0x0000000073AB0000-0x0000000074061000-memory.dmp

Filesize
5.7MB

Download
memory/5056-12-0x0000000073AB2000-0x0000000073AB3000-memory.dmp

Filesize
4KB

Download
memory/5056-8-0x0000000073AB0000-0x0000000074061000-memory.dmp

Filesize
5.7MB

Download
memory/5056-6-0x0000000073AB2000-0x0000000073AB3000-memory.dmp

Filesize
4KB

Download
memory/5056-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads