hawkeye_reborn | 6d4075cae42df68f5e06799b799c60ecfccff4794277c67b00bc9009b3faf1e4

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/09/2024, 04:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe
Size

949KB
MD5

f7978d432d1f4d99ad24568643704f88
SHA1

fd86eb0f4a592d6be7200191aaa705592a4f631f
SHA256

6d4075cae42df68f5e06799b799c60ecfccff4794277c67b00bc9009b3faf1e4
SHA512

3ff3ba2b4c8e6cc282ff79255ec228386e48dc5f7d45208ba30a338992e46a1e72afc7d3f96d1b61ac4cbdbb8687f646cfdb95394873135386ca4f7dab38305b
SSDEEP

12288:knWwI/AJjDTKTCGlZBBx1Vtl9Hx2hsAuyLdyrUNzYweqNoCoOL2VjA05e/hMXRY6:kWwZxKGon31Vtl3OsnWbu4plkPcYxG

Score

10^/10

hawkeye_reborn m00nd3v_logger agilenet discovery infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/2468-13-0x0000000007600000-0x0000000007676000-memory.dmp	Nirsoft

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/2468-10-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2468-13-0x0000000007600000-0x0000000007676000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2468-13-0x0000000007600000-0x0000000007676000-memory.dmp	WebBrowserPassView

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/4196-6-0x0000000004C50000-0x0000000004C6A000-memory.dmp	agile_net

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4196 set thread context of 2468	4196	f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe	89

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4196	f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 2468	4196	f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe	89
PID 4196 wrote to memory of 2468	4196	f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe	89
PID 4196 wrote to memory of 2468	4196	f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe	89
PID 4196 wrote to memory of 2468	4196	f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe	89
PID 4196 wrote to memory of 2468	4196	f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe	89
PID 4196 wrote to memory of 2468	4196	f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe	89
PID 4196 wrote to memory of 2468	4196	f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe	89
PID 4196 wrote to memory of 2468	4196	f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\AppData\Local\Temp\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2468

Network

DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

75.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.159.190.20.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

bot.whatismyipaddress.com

f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

bot.whatismyipaddress.com

IN A

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response

52.111.229.43:443

322 B
7

8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

75.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

75.159.190.20.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

bot.whatismyipaddress.com

dns

f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe

71 B
130 B
1
1

DNS Request

bot.whatismyipaddress.com
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f7978d432d1f4d99ad24568643704f88_JaffaCakes118.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/2468-10-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2468-20-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2468-17-0x00000000052F0000-0x0000000005356000-memory.dmp

Filesize
408KB

Download
memory/2468-16-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2468-14-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2468-13-0x0000000007600000-0x0000000007676000-memory.dmp

Filesize
472KB

Download
memory/2468-11-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4196-4-0x00000000049E0000-0x00000000049EA000-memory.dmp

Filesize
40KB

Download
memory/4196-9-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4196-8-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/4196-7-0x0000000004F70000-0x000000000500C000-memory.dmp

Filesize
624KB

Download
memory/4196-6-0x0000000004C50000-0x0000000004C6A000-memory.dmp

Filesize
104KB

Download
memory/4196-5-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4196-15-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4196-0-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/4196-3-0x0000000004A60000-0x0000000004AF2000-memory.dmp

Filesize
584KB

Download
memory/4196-2-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download
memory/4196-1-0x0000000000080000-0x0000000000174000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.