1/11 itaymigdal HawkEye github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md Malware Name File Type SHA256 HawkEye x32 exe (.NET) b9561f35b2fa188ed20de24bb67956e15858aeb67441fb31cbcfe84e1d4edc9a Analysis process The file is a Dotnet PE: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md 2/11 On execution the file spawns a child process of the legitimate Dotnet AppLaunch.exe: There is only one reason to do that - Process Hollowing (A.K.A RunPE). As i learned from the great OALabs channel, whenever you want to break with a dubugger on an injection to a remote process, CreateProcessInternalW and WriteProcessMemory are the first calls that you want to put a break on. doing as i learned gave me a quick treat: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/1.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/2.PNG https://www.youtube.com/c/OALabs https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/3.PNG 3/11 The malware is calling to CreateProcessInternalW , pass AppLaunch.exe as a parameter, and "4" as seventh argument which will make the process in suspended mode (Process Hollowing creates a process in suspended mode so it can hollows out the process, inject, and then execute). We could manually find the unpacked PE in memory and dump it, and we also can be lazy and let great Hollows_Hunter.exe do it for us: 😊 Dropping the unpacked (Dotnet as well) to Dnspy hollows out our eyes 😨: Not sure if the file dumped successfully or this one is perfectly obfuscated. Trying to deobfuscate with De4dot: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/4.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/5.PNG 4/11 is throwing an error.. a closer look at the file in Dnspy reveals the obfuscator which apparently is not supported / known by De4dot: Some googling on deobfuscating ConfuserEx gives us this project which adds to De4dot exactly this capability: Now the file is dumped and cleand (pretty much) 😎. Analyzing the code (which is still a bit obfuscated) reveals that this is a kelogger / stealer (with some RAT capabilities) named HawkEye Reborn version 8: Description from Malpedia: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/6.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/7.PNG https://github.com/ViRb3/de4dot-cex https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/8.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/9.PNG https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger 5/11 HawKeye is a keylogger that is distributed since 2013. Discovered by IBM X-Force, it is currently spread over phishing campaigns targeting businesses on a worldwide scale. It is designed to steal credentials from numerous applications but, in the last observed versions, new "loader capabilities" have been spotted. It is sold by its development team on dark web markets and hacking forums. From here on i used only static analysis on the unpacked sample Anti-Analysis capabilities Checks if it runs under process monitor software: Checks if it runs under Sandboxie (SbieDll.dll) or Wireshark: Disables Task Manager, Cmd, and Regedit: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/10.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/11.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/12.PNG 6/11 Sets hidden + system attributes for itself: The malware has the functionality to block websites by overriding the Hosts file and redirect them to the localhost address: Stealing capabilities The malware has Keylogging capabilities (Also called HawkEye Keylogger): https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/13.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/14.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/15.PNG 7/11 Takes screenshots of the infected computer: Steals Chrome browser data: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/16.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/17.PNG 8/11 Steals Firefox browser data: Steals CoreFTP software data: Steals Minecraft data: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/18.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/19.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/20.PNG 9/11 Collects a plenty of more information: internal & external address, geolocation, installed software, clipboard content, screenshots, passwords and more: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/21.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/22.PNG 10/11 And post all the data to the C2: C2: pomf.cat Persistence: The malware persist itself via a run key: More capabilities: The malware uses P/Invoke calls to native libraries to extend the capabilities and harden the analysis: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/23.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/24.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/25.PNG 11/11 Seems like the next commands are used to be written into a .bat file that responsible for the persistence via the run key, it's executes the malware, and then possibly deletes itself (and written back next execution, depending if is written to "run" or "runonce"): Also, the malware seems to inject itself into a remote process due to these API calls: That's it for today, hope you enjoyed ☺ https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/26.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/27.PNG https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/img/28.PNG