hawkeye | 50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_06914834645d9ab3058300de4c756954.exe
Size

410KB
MD5

06914834645d9ab3058300de4c756954
SHA1

437546390ab6be7ab887e82148ba8b923bedd844
SHA256

50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67
SHA512

08869a715d99a8034ee9e473c0c56f8fa4d35afbb67467a4d27ffd9d34f7d32f87a2b1f1141657ce7de27888fdca477af3d4756d6e5799d5dd27b5acbe2ff953
SSDEEP

12288:3w06cUYTczdkibnD3WUgFooE3cVkO3rHGa6vSoW1:7TUHkibDGencVnHq6f

Score

10^/10

hawkeye discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye

Deletes itself 1 IoCs

pid	Process
768	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe

Loads dropped DLL 5 IoCs

pid	Process
1924	JaffaCakes118_06914834645d9ab3058300de4c756954.exe
1924	JaffaCakes118_06914834645d9ab3058300de4c756954.exe
768	explorer.exe
2480	lsn.exe
2480	lsn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\lsn.exe"	lsn.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 768 set thread context of 2756	768	explorer.exe	31
PID 1624 set thread context of 2672	1624	spolsv.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_06914834645d9ab3058300de4c756954.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe
2480	lsn.exe
1624	spolsv.exe
768	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	JaffaCakes118_06914834645d9ab3058300de4c756954.exe
Token: SeDebugPrivilege	768	explorer.exe
Token: SeDebugPrivilege	2480	lsn.exe
Token: SeDebugPrivilege	1624	spolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 768	1924	JaffaCakes118_06914834645d9ab3058300de4c756954.exe	30
PID 1924 wrote to memory of 768	1924	JaffaCakes118_06914834645d9ab3058300de4c756954.exe	30
PID 1924 wrote to memory of 768	1924	JaffaCakes118_06914834645d9ab3058300de4c756954.exe	30
PID 1924 wrote to memory of 768	1924	JaffaCakes118_06914834645d9ab3058300de4c756954.exe	30
PID 768 wrote to memory of 2756	768	explorer.exe	31
PID 768 wrote to memory of 2756	768	explorer.exe	31
PID 768 wrote to memory of 2756	768	explorer.exe	31
PID 768 wrote to memory of 2756	768	explorer.exe	31
PID 768 wrote to memory of 2756	768	explorer.exe	31
PID 768 wrote to memory of 2756	768	explorer.exe	31
PID 768 wrote to memory of 2756	768	explorer.exe	31
PID 768 wrote to memory of 2756	768	explorer.exe	31
PID 768 wrote to memory of 2756	768	explorer.exe	31
PID 768 wrote to memory of 2756	768	explorer.exe	31
PID 768 wrote to memory of 2756	768	explorer.exe	31
PID 768 wrote to memory of 2756	768	explorer.exe	31
PID 768 wrote to memory of 2756	768	explorer.exe	31
PID 768 wrote to memory of 2756	768	explorer.exe	31
PID 768 wrote to memory of 2480	768	explorer.exe	32
PID 768 wrote to memory of 2480	768	explorer.exe	32
PID 768 wrote to memory of 2480	768	explorer.exe	32
PID 768 wrote to memory of 2480	768	explorer.exe	32
PID 2480 wrote to memory of 1624	2480	lsn.exe	33
PID 2480 wrote to memory of 1624	2480	lsn.exe	33
PID 2480 wrote to memory of 1624	2480	lsn.exe	33
PID 2480 wrote to memory of 1624	2480	lsn.exe	33
PID 1624 wrote to memory of 2672	1624	spolsv.exe	34
PID 1624 wrote to memory of 2672	1624	spolsv.exe	34
PID 1624 wrote to memory of 2672	1624	spolsv.exe	34
PID 1624 wrote to memory of 2672	1624	spolsv.exe	34
PID 1624 wrote to memory of 2672	1624	spolsv.exe	34
PID 1624 wrote to memory of 2672	1624	spolsv.exe	34
PID 1624 wrote to memory of 2672	1624	spolsv.exe	34
PID 1624 wrote to memory of 2672	1624	spolsv.exe	34
PID 1624 wrote to memory of 2672	1624	spolsv.exe	34
PID 1624 wrote to memory of 2672	1624	spolsv.exe	34
PID 1624 wrote to memory of 2672	1624	spolsv.exe	34
PID 1624 wrote to memory of 2672	1624	spolsv.exe	34
PID 1624 wrote to memory of 2672	1624	spolsv.exe	34
PID 1624 wrote to memory of 2672	1624	spolsv.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06914834645d9ab3058300de4c756954.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06914834645d9ab3058300de4c756954.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- - C:\Users\Admin\AppData\Local\Temp\System\lsn.exe
    "C:\Users\Admin\AppData\Local\Temp\System\lsn.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe
      "C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
6e8c2c8c4e49f8d104356cff088a5491

SHA1
962fa8a51addc7f581ffe9ab66cf1ebe174a4a90

SHA256
9dac9fa055888685ffb7c7b3415b6aa66ccc59b2a366e422f2ddbdb021dd86b5

SHA512
3ea36ae8d9a39565180ccadb27e1dfacda0138565335cd6eecbc393a88ac42dbf98ebff45170c771d2fe5a5db56c07926906da62f61e17be545fa52bec5cf8fb

Download Submit
\Users\Admin\AppData\Local\Temp\System\lsn.exe

Filesize
24KB

MD5
0aa7e4dd12b1fc4d899bb86b0fd56233

SHA1
3bbd901ecc48959847deb145da3f3af6dc194afd

SHA256
d1267fc8e53b1cb8cda98eec93daf21ded66ba6ac9c05b0b7315444d459384e9

SHA512
2f2cd1892ab79a9dba46d1c1d848cd85ec876968b07316ccbda275b88960dc1718da7e4d433c88d0a52d2637bb5c99eda1135529f956e4a54c14f09bbc3f8e11

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
410KB

MD5
06914834645d9ab3058300de4c756954

SHA1
437546390ab6be7ab887e82148ba8b923bedd844

SHA256
50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67

SHA512
08869a715d99a8034ee9e473c0c56f8fa4d35afbb67467a4d27ffd9d34f7d32f87a2b1f1141657ce7de27888fdca477af3d4756d6e5799d5dd27b5acbe2ff953

Download Submit
memory/768-15-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/768-16-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/768-17-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/768-70-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-0-0x0000000074841000-0x0000000074842000-memory.dmp

Filesize
4KB

Download
memory/1924-1-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-2-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-14-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-40-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2756-31-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2756-38-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2756-37-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2756-36-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2756-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2756-33-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2756-42-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2756-29-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2756-27-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2756-44-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2756-43-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2756-24-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2756-25-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2756-71-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download