2017-06-12 - HAWKEYE INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-06-12-Hawkeye-infection-traffic.pcap.zip 600.1 kB (600,094 bytes)
- 2017-06-12-Hawkeye-infection-traffic.pcap (712,789 bytes)
- 2017-06-12-email-and-malware-from-Hawkeye-infection.zip 904.3 kB (904,323 bytes)
- 2017-06-12-Hawkeye-malspam.eml (253,322 bytes)
- Payment2017.doc (180,224 bytes)
- 2017-06-12-Hawkeye-malware.exe (661,480 bytes)
EMAILS
Shown above: Screen shot from the email.
EMAIL HEADERS:
- Date: Monday 2017-06-12 at 07:43 UTC
- From: Customer Service Pixel <cspixel@lyto[.]mobi>
- Subject: Confirmation Required
- Attachment: Payment2017.doc
Shown above: Malicious Word document from the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 192.185.41[.]237 port 80 - weekendnerd[.]com - GET /supredo.exe [HTTP request for Hawkeye malware after enabling macros on the Word document]
- whatismyipaddress[.]com - Post-infection location check
- port 587 - smtp.mail[.]com - Hawkeye data exfiltration email sent from the infected host via encrypted SMTP
FILE HASHES
WORD DOCUMENT FROM THE EMAIL:
- SHA256 hash: 1ad96e21f18c6c337e75d05d632ea020e409921784249a919f945056d30b1e0c
File size: 180,224 bytes
File name: Payment2017.doc
FOLLOW-UP MALWARE (HAWKEYE):
- SHA256 hash: f5f915bab2da6d58e9c07823cd89594f631425a041cd2e642b5f1a64ca23203e
File size: 661,480 bytes
HTTP request: weekendnerd[.]com/supredo.exe
Location on the infected Windows host: C:\Users\[username]\AppData\Roaming\Cpudlls.exe
Click here to return to the main page.