hawkeye | 12713502769c1cce9066f51d07785fb6913fde025de0c0e3d1ff811533e94607

General

Target

07e9516a2597243e200c0553201b2eae_JaffaCakes118.exe
Size

219KB
MD5

07e9516a2597243e200c0553201b2eae
SHA1

8fe3f50a429f86609901ced70b010a0922c75135
SHA256

12713502769c1cce9066f51d07785fb6913fde025de0c0e3d1ff811533e94607
SHA512

88f284296c7002d2ffe534189ae0a291d5131052ce43bccabdd0b8f0e8f1db379efd2c5a20e4159aa7e1b64e02e9a9780dcafb480a316776ea68b442763502f6
SSDEEP

6144:AcWMJJhqryYP/XaabDSViEtnCGmmoohGrCQe+ACC:AczJJhqrVP/TUiEkGmbrPe+ACC

Score

10^/10

hawkeye discovery keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

07e9516a2597243e200c0553201b2eae_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	07e9516a2597243e200c0553201b2eae_JaffaCakes118.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winupdate.bat	cmd.exe
File opened for modification	C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winupdate.bat	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

windowsupdate.exewinupdate.exe

pid process

4732 windowsupdate.exe
3832 winupdate.exe
Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4732	windowsupdate.exe
3832	winupdate.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

07e9516a2597243e200c0553201b2eae_JaffaCakes118.execmd.exemspaint.exewindowsupdate.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07e9516a2597243e200c0553201b2eae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mspaint.exe

pid process

4540 mspaint.exe
4540 mspaint.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

winupdate.exe

description pid process

Token: SeDebugPrivilege 3832 winupdate.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

mspaint.exe

pid process

4540 mspaint.exe
4540 mspaint.exe
4540 mspaint.exe
4540 mspaint.exe

pid	process
4540	mspaint.exe
4540	mspaint.exe

description	pid	process
Token: SeDebugPrivilege	3832	winupdate.exe

pid	process
4540	mspaint.exe
4540	mspaint.exe
4540	mspaint.exe
4540	mspaint.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

07e9516a2597243e200c0553201b2eae_JaffaCakes118.execmd.exewindowsupdate.exe

description	pid	process	target process
PID 4808 wrote to memory of 920	4808	07e9516a2597243e200c0553201b2eae_JaffaCakes118.exe	cmd.exe
PID 4808 wrote to memory of 920	4808	07e9516a2597243e200c0553201b2eae_JaffaCakes118.exe	cmd.exe
PID 4808 wrote to memory of 920	4808	07e9516a2597243e200c0553201b2eae_JaffaCakes118.exe	cmd.exe
PID 920 wrote to memory of 4540	920	cmd.exe	mspaint.exe
PID 920 wrote to memory of 4540	920	cmd.exe	mspaint.exe
PID 920 wrote to memory of 4540	920	cmd.exe	mspaint.exe
PID 920 wrote to memory of 4732	920	cmd.exe	windowsupdate.exe
PID 920 wrote to memory of 4732	920	cmd.exe	windowsupdate.exe
PID 920 wrote to memory of 4732	920	cmd.exe	windowsupdate.exe
PID 4732 wrote to memory of 3832	4732	windowsupdate.exe	winupdate.exe
PID 4732 wrote to memory of 3832	4732	windowsupdate.exe	winupdate.exe

C:\Users\Admin\AppData\Local\Temp\07e9516a2597243e200c0553201b2eae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07e9516a2597243e200c0553201b2eae_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\copy.bat" "
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\mspaint.exe
    mspaint "C:\Users\Admin\AppData\Roaming\sania.jpg"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4540
- - C:\Users\Admin\AppData\Roaming\windowsupdate.exe
    "C:\Users\Admin\AppData\Roaming\windowsupdate.exe" /NOCONSOLE /SILENT /D="C:\Users\Admin\AppData\Roaming" "C:\Users\Admin\AppData\Roaming\winupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Users\Admin\AppData\Roaming\winupdate.exe
      C:\Users\Admin\AppData\Roaming\winupdate.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\copy.bat

Filesize
402B

MD5
1c4846dfa06a9f282fda895db02f66a9

SHA1
6848f266f091d242fb44e91034f8f65e27f68776

SHA256
197229091168028700dd500c19a03914cf11fb56cec18e2eac8ee5a307cc46f4

SHA512
f383596189240c6d96f256798e15f78d0bc25abdeef5326d4655933edafb88c3c7fad4cccd1ec8952ec155eb9e98160a4cf1245d0ca4a9528b2385904873b5bc

Download Submit
C:\Users\Admin\AppData\Roaming\sania.jpg

Filesize
34KB

MD5
7eb2e492c5cd0a0472996e607cc697bc

SHA1
3a9b0002fdcd962c2fdb8aebb684f040655d7566

SHA256
70065deb283322525c0f165bae05a3c8b7e55caf636057afbc0ea01a1d283495

SHA512
fe7e66a4d880ed8998a775aeec5fe31e1733d2459d19bff2214046159a13170eddcf1ae58115a589bb41e7cbaaf80b5a4c5d7a50424eb05ecde6a52b03925a7e

Download Submit
C:\Users\Admin\AppData\Roaming\windowsupdate.exe

Filesize
104KB

MD5
2614f5513a98857b82a9a5fab3d35834

SHA1
dce751fd7946a5ca2da4773df9e8c4ca1ea120a0

SHA256
7a07f4eb5cffd63504629414ece45527198948e2acdf3466b2c4ff3b113dec42

SHA512
c148f96355c6e2f4f86f5ea6b7b2eedc226c84ae6856d8f8661f5eb4f81a407eb402505a5ea050fa125520fce3d63157dfe5a436d8f4fde2b65b37e5217550f7

Download Submit
C:\Users\Admin\AppData\Roaming\winupdate.bat

Filesize
102B

MD5
ed38a8802b66da594534c7f208d3588b

SHA1
175115334eb8567a948f41220ca6c0dbbfc9bbc5

SHA256
5f2b2e6b4415989ab5325e4b1ccb3c50929acfe795dbc07196c14e2bed0f3151

SHA512
025a0232099b27373829ee08021ef0f14d0af7b5d60e8b3c1eb20fc06db13376a7b9db066c41c44541d7716d2a7ee88b0ce0d12be4cd5263c4697062676d601c

Download Submit
C:\Users\Admin\AppData\Roaming\winupdate.exe

Filesize
11KB

MD5
beacb8ce99ec4221bb9d87e1d08f40b0

SHA1
db69e2f7038ff160cc507e4abd23ac07e083f83f

SHA256
5254d8b8bbc0e6a4c594ae2644c1e220b3dd314401b64e7c7ccb32379d73c7b2

SHA512
1766d1780c556540f2574fc5552705fad126627bd7dd3b4d7c0d11486d8ce88d22727a52d93e87e2bdd2d67298a06d89166118f56dcde6b61283892581a73e35

Download Submit
memory/3832-33-0x000000001AF70000-0x000000001AFD2000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads