hawkeye_reborn | 8f9d2e33c94bbc8fe8b0fcab9053188b913b2c933aa705da4cc531c849413b4b

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
Size

804KB
MD5

794572b7847795cca2d50681b80552a2
SHA1

98efe39680402d00bdf35f0e5d8e0a2aee89a940
SHA256

8f9d2e33c94bbc8fe8b0fcab9053188b913b2c933aa705da4cc531c849413b4b
SHA512

7282f2f91a4ea85efc52e57716de52c5c1891cbd2fe17ede01f3d38105947a642130fe2b8dc675b36850e632535c3ea923bc17925faba7a4ce37908fafed603d
SSDEEP

12288:mV0sGl6QsJCP6RaO+Y0/fRXJScFzg2hOkKIgQjXJjlP:maPoQI+6RaOsDrFg24ydZRP

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/1412-24-0x0000000005CD0000-0x0000000005D60000-memory.dmp	m00nd3v_logger
behavioral2/memory/2004-26-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4060-44-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4060-45-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4060-47-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/1644-33-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/1644-35-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/1644-36-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/1644-42-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1644-33-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1644-35-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1644-36-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1644-42-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4060-44-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4060-45-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4060-47-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

Processes:

794572b7847795cca2d50681b80552a2_JaffaCakes118.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rydjydtku.url 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

vbc.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rydjydtku.url	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

794572b7847795cca2d50681b80552a2_JaffaCakes118.exeRegAsm.exe

description	pid	process	target process
PID 1412 set thread context of 2004	1412	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 2004 set thread context of 1644	2004	RegAsm.exe	vbc.exe
PID 2004 set thread context of 4060	2004	RegAsm.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

794572b7847795cca2d50681b80552a2_JaffaCakes118.exevbc.exeRegAsm.exe

pid	process
1412	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
1412	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
1644	vbc.exe
1644	vbc.exe
1644	vbc.exe
1644	vbc.exe
1644	vbc.exe
1644	vbc.exe
1644	vbc.exe
1644	vbc.exe
1644	vbc.exe
1644	vbc.exe
1644	vbc.exe
1644	vbc.exe
2004	RegAsm.exe
2004	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

794572b7847795cca2d50681b80552a2_JaffaCakes118.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1412 794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
Token: SeDebugPrivilege 2004 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2004 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1412	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
Token: SeDebugPrivilege	2004	RegAsm.exe

pid	process
2004	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

794572b7847795cca2d50681b80552a2_JaffaCakes118.execsc.exeRegAsm.exe

description	pid	process	target process
PID 1412 wrote to memory of 1684	1412	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	csc.exe
PID 1412 wrote to memory of 1684	1412	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	csc.exe
PID 1412 wrote to memory of 1684	1412	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	csc.exe
PID 1684 wrote to memory of 2168	1684	csc.exe	cvtres.exe
PID 1684 wrote to memory of 2168	1684	csc.exe	cvtres.exe
PID 1684 wrote to memory of 2168	1684	csc.exe	cvtres.exe
PID 1412 wrote to memory of 2004	1412	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1412 wrote to memory of 2004	1412	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1412 wrote to memory of 2004	1412	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1412 wrote to memory of 2004	1412	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1412 wrote to memory of 2004	1412	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1412 wrote to memory of 2004	1412	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1412 wrote to memory of 2004	1412	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 1412 wrote to memory of 2004	1412	794572b7847795cca2d50681b80552a2_JaffaCakes118.exe	RegAsm.exe
PID 2004 wrote to memory of 1644	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 1644	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 1644	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 1644	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 1644	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 1644	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 1644	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 1644	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 1644	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 4060	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 4060	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 4060	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 4060	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 4060	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 4060	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 4060	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 4060	2004	RegAsm.exe	vbc.exe
PID 2004 wrote to memory of 4060	2004	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\794572b7847795cca2d50681b80552a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\794572b7847795cca2d50681b80552a2_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\50ksfqqd\50ksfqqd.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51D9.tmp" "c:\Users\Admin\AppData\Local\Temp\50ksfqqd\CSC54797C01F5AF4182ADE3D85F65B67680.TMP"
3⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7D4E.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8156.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50ksfqqd\50ksfqqd.dll
Filesize
6KB

MD5
f86bb5bbb625ba1df89b275a507acd8e

SHA1
fa16e7ab659b03776294f7c42bc23ae5f2674e5a

SHA256
daa68b4a0580ec114f16481f9b2d9a17ad2da114d55fbd7d6ba972e00a9b20f5

SHA512
a6c0abc7e0fc1be62e8ab9cb73357a0515c213d2d6f2a98565f923e5dbcb182ab1ae653dda776851236f4a29a41c7de2cab45dc8ccab955f456484c2b3584c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\50ksfqqd\50ksfqqd.pdb
Filesize
15KB

MD5
ea914778007a63c48c2295068e75932a

SHA1
4a7a9a5d3e0c342c5d3ba6f24c2e9363869481b9

SHA256
b13687531b24608adf5c09c86b0b2f009652f63772c41c8757430abee2bdca26

SHA512
48ba9bc4cb532abbfcf33891e5657386abe0ae52256f73b91b5c919886adf3aa00f6c2d1f34b374d32b83f1b97a2f92111cece1fe0190646d390865fa42138d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES51D9.tmp
Filesize
1KB

MD5
09e85172a94e32dd509016bc097fbac2

SHA1
e3ef2310d4ae47d7f36d55ecbbb6f653b13a28ab

SHA256
a9a6129735a36a876b3cc14442b081651dcd5b10665573518dcbb0feffc49f49

SHA512
516df775ff89cbf8b96861f170bca3420d443176a6e1eee3ec39b71016ceb4877b3391a341821f62d39b0c1675c2538888f76506e2e844acb4662cc1d1aa1074

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D4E.tmp
Filesize
4KB

MD5
73ddf6cd83c2ad8a2fbb2383e322ffbc

SHA1
05270f8bb7b5cc6ab9a61ae7453d047379089147

SHA256
0ef9194c6e90b23c416316fc5a15f549ee5b2472014fcd7648d72ca9a865b409

SHA512
714db1956faa795005b15324b9604105881d6b484fe899876fe0df85783c61a72f556a875833af8625625212503b95eea2eb353a1d98f6a7af47a3658ea5262d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\50ksfqqd\50ksfqqd.0.cs
Filesize
2KB

MD5
4d9fe73afe0fa2bcb6c17e81676ab87e

SHA1
098cb8aaef8c6fe2ca91e697dd510dc7af73f13a

SHA256
5a6e61d92bbc56a411666a1bfd88bfa18718f57f1c46034b73d47c68b8bbe0c7

SHA512
68113fb819029c47aba607782ab87c413ea109c25d9009c665f069ad3826c6f014f0ec58a10f5de57a9ac129be03402ea932ddb28e0d52589112d666e52fa93b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\50ksfqqd\50ksfqqd.cmdline
Filesize
312B

MD5
b5f45f2ccf1d3e1431ceb12f6b704b4c

SHA1
880c6d6bf178a6d1be1f01df04ab2d7730dfa82f

SHA256
5a406da12f08f4f494a29ccc9b7bf49274e0eadf624f6dcb553bd0f610402810

SHA512
2aa618350fdaf1b2acdcd6ac0f25244f7d927fa8b1acb2a8db15c272a57ad3d83af0881b9b7e2e8f1f7d6e81a66fdbcbf53ad1fb67965d501b74de2d03e14842

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\50ksfqqd\CSC54797C01F5AF4182ADE3D85F65B67680.TMP
Filesize
1KB

MD5
aa43b28ba5125c6feb1f9b752494ba35

SHA1
4c63ac2baa331041b3f35c3a1ff4070ab26cf313

SHA256
6b137ccda5054b6179e548b42bd053188a5baaa7e88e4795e60054f3188fc1d7

SHA512
44df38cd6b081d94e2c53c58eaf9da62cc3b8950e2a21c2ce4dc511d87c3538f92d4178efc6a4bd3d5bf9e119f6ab4bfc36de00a615684145d6f1225e6f0b97d

Download Submit
memory/1412-25-0x0000000005E00000-0x0000000005E9C000-memory.dmp

Filesize
624KB

Download
memory/1412-5-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1412-17-0x0000000003110000-0x0000000003118000-memory.dmp

Filesize
32KB

Download
memory/1412-19-0x00000000056A0000-0x0000000005732000-memory.dmp

Filesize
584KB

Download
memory/1412-20-0x0000000005C30000-0x0000000005CCA000-memory.dmp

Filesize
616KB

Download
memory/1412-21-0x00000000055E0000-0x00000000055EC000-memory.dmp

Filesize
48KB

Download
memory/1412-24-0x0000000005CD0000-0x0000000005D60000-memory.dmp

Filesize
576KB

Download
memory/1412-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/1412-1-0x0000000000C10000-0x0000000000CC8000-memory.dmp

Filesize
736KB

Download
memory/1412-28-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1644-42-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1644-35-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1644-36-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1644-33-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2004-26-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2004-31-0x0000000070CF0000-0x00000000712A1000-memory.dmp

Filesize
5.7MB

Download
memory/2004-29-0x0000000070CF2000-0x0000000070CF3000-memory.dmp

Filesize
4KB

Download
memory/2004-30-0x0000000070CF0000-0x00000000712A1000-memory.dmp

Filesize
5.7MB

Download
memory/2004-48-0x0000000070CF2000-0x0000000070CF3000-memory.dmp

Filesize
4KB

Download
memory/2004-49-0x0000000070CF0000-0x00000000712A1000-memory.dmp

Filesize
5.7MB

Download
memory/4060-44-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4060-45-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4060-47-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4060-46-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download