hawkeye | c2abd4c787d043e8268b5dff5d3fb1147b3be0a061b15953bf8c7d9a7a9d7054

Analysis

max time kernel
150s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-02-2025 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ccd63ea9dc74839a5488ff48fbb8ccf5.exe
Size

416KB
MD5

ccd63ea9dc74839a5488ff48fbb8ccf5
SHA1

d0aa39de25116388abd875d8e0fb497cebc98e31
SHA256

c2abd4c787d043e8268b5dff5d3fb1147b3be0a061b15953bf8c7d9a7a9d7054
SHA512

2444fa1629a6a40ef6ed256a9f37ac57e3b74260ec8c754b86999fc3c57183df87d6a47e99a29e3aba7b012f1488af7bc09073215db72101b1f9b56f86f7933f
SSDEEP

6144:ZsdwnDc8Yh83U9v57vHfR0i56nqy3d9CaQ4ppFMwJNDreoIJap2:ZsunOf373RHNaQ4ppdJN9IJap2

Score

10^/10

hawkeye discovery keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye

Deletes itself 1 IoCs

pid	Process
2868	Windows Update.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe	Windows Update.exe
File opened for modification	C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe	Windows Update.exe

Executes dropped EXE 2 IoCs

pid	Process
2868	Windows Update.exe
2780	microsoft.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsoft.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe
2868	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	Windows Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2868	Windows Update.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2868	3004	JaffaCakes118_ccd63ea9dc74839a5488ff48fbb8ccf5.exe	29
PID 3004 wrote to memory of 2868	3004	JaffaCakes118_ccd63ea9dc74839a5488ff48fbb8ccf5.exe	29
PID 3004 wrote to memory of 2868	3004	JaffaCakes118_ccd63ea9dc74839a5488ff48fbb8ccf5.exe	29
PID 2868 wrote to memory of 2780	2868	Windows Update.exe	31
PID 2868 wrote to memory of 2780	2868	Windows Update.exe	31
PID 2868 wrote to memory of 2780	2868	Windows Update.exe	31
PID 2868 wrote to memory of 2780	2868	Windows Update.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccd63ea9dc74839a5488ff48fbb8ccf5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccd63ea9dc74839a5488ff48fbb8ccf5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
  2⤵
  - Deletes itself
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\microsoft.exe
    "C:\Users\Admin\AppData\Local\Temp\microsoft.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
47d2246b226ba22103aec28f9b3f3300

SHA1
d29e128c13cf5106133482b13e353da91e798abe

SHA256
b11588072704355802bb22a0896eb1b928a9bc931304f98277abd7c05b4ee954

SHA512
ba61341b9817e827a6feb6f1de710a931f77dda58447d9b1b026b74dbb780bf6f19d3f144ed24368641800f34a9993f956332a89ace6118d6eb5ec7cc43b64f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\microsoft.exe

Filesize
133KB

MD5
3f731c93e016ad8912adb8b3b8c388db

SHA1
9ddbc9cbbd3ef6740e688054963599760b5244bc

SHA256
50625edc99657b49984efa665c692f2f7a88f436715b4d8d7cc654cade857a28

SHA512
11bf56042476032b9ba3584a198c75a8916aa95662c5c67a845407aea599e61658dcad5b0e9515d6c624f7b3bac73a6f82153600265a08bb42059378e4c2c12a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
416KB

MD5
ccd63ea9dc74839a5488ff48fbb8ccf5

SHA1
d0aa39de25116388abd875d8e0fb497cebc98e31

SHA256
c2abd4c787d043e8268b5dff5d3fb1147b3be0a061b15953bf8c7d9a7a9d7054

SHA512
2444fa1629a6a40ef6ed256a9f37ac57e3b74260ec8c754b86999fc3c57183df87d6a47e99a29e3aba7b012f1488af7bc09073215db72101b1f9b56f86f7933f

Download Submit
memory/2868-11-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

Filesize
9.6MB

Download
memory/2868-13-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

Filesize
9.6MB

Download
memory/2868-23-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

Filesize
9.6MB

Download
memory/2868-24-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

Filesize
9.6MB

Download
memory/2868-25-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

Filesize
9.6MB

Download
memory/3004-0-0x000007FEF69EE000-0x000007FEF69EF000-memory.dmp

Filesize
4KB

Download
memory/3004-1-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

Filesize
9.6MB

Download
memory/3004-2-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

Filesize
9.6MB

Download
memory/3004-12-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

Filesize
9.6MB

Download