Overview

overview

10

Static

static

9

client.exe

windows7-x64

10

client.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_96a04a25f64190576a7fde27403cc3e58f6a4bdbcd7f90b644b3bc6de36ecd6b

  • Size

    284KB

  • Sample

    241225-w9whfsspgp

  • MD5

    257e54173644c4bdccba1b3cacee6f25

  • SHA1

    33896fc53577f0e5d8cac1781df250998d5e3d89

  • SHA256

    96a04a25f64190576a7fde27403cc3e58f6a4bdbcd7f90b644b3bc6de36ecd6b

  • SHA512

    7a9462eb99d207475928f195d222caadb82791e8bac557e4e98f10620b681d155620302eb3418814eae36315088ec02f3a298cc16d11c8b86eedefd3a039906c

  • SSDEEP

    6144:WFx/PyIiauzo1VGbbsGRpcRfbeDBzrOwINyYWp/hKJdJln:WFx6do1Vmp0RfaDtgyYWp/hKJ1

Score
10/10
hawkeyecollectiondiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      client.bin

    • Size

      521KB

    • MD5

      2578480b80b3aa3ddbec90695c375eae

    • SHA1

      022e141419de6a895b75e3cd4bc549a049f661ee

    • SHA256

      e8107c2899dbe1bda257098d3ec2a561babb52d7d201a43fd3f3a8580cab728f

    • SHA512

      7040fba6260b3ef7b132d596c954be19f8c15a60c90f7ab8fddf0d7b4a07a29874b81d92f7fcc23c6364c37bf27d71d650b331db5b2a06daf7e5c9acff4cda85

    • SSDEEP

      6144:7utqVhunhbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnxH:7unhQtqB5urTIoYWBQk1E+VF9mOx9ki

    Score
    10/10
    hawkeyecollectiondiscoverykeyloggerpersistencespywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • Hawkeye family

      hawkeye

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks