Poor Mans Malware – HawkEye Keylogger Reborn

May 27, 2016

I was notified of a recent sample which has been dubbed as a “reborn” version of Hawkeye Keylogger. The developer in question repeatedly shows poor understanding of web application security and lacks any real innovation in keylogger malware. Despite this many decide to purchase this malware for many reasons. Many different users have taken on the project of ‘Hawkeye’, the latest is a malware developer who created the quite laughable ‘iSpy’ software.

Hash – SHA256 :


The startup is in the CurrentVersion/Run folder in registry. The startup name is statically set as ‘WindowsUpdate.exe’, surprisingly this is one of the choices it looks like a user cannot set in a builder. This makes it fairly identifiable, I don’t think an executable named ‘WindowsUpdate.exe’ would be hard to detect.

aThe configuration is done in the constructor, although the credentials are encrypted, it is trivial in decrypting them. Most likely this is used to make it harder for systems to detect it as a keylogger mailing back information. It isn’t too much of a hassle to decrypt. All of the main operations within Hawkeye are done within ‘form1’, within form1 is a simple method name called Decrypt. There also other decryption methods like AES_Decrypt and DES_Decrypt. The starting point for encrypted strings here is always Decrypt.

bIt resides in Application data and leaves a fairly messy trail, while calling itself WindowsUpdate.exe it also requires pid.txt and pidloc.txt in application data aswell. Other files that cannot be changed by the user and can be detected by behaviour. This is done on the loading of ‘form1’.

c‘HawkEyeKeylogger’ will often be in memory too due it being used in decrypting the strings which is also done once the form is loaded. This isn’t a great start for malware that wants to stay stealthy is it?

dWith keyloggers they usually store the credentials to login in the executable, as this does, FTP and Email are two of the three methods used to transfer keylog information and files deemed valuable (Minecraft, Steam, Bitcoin). One other option which seems like a good option but isn’t in this case is a web panel. Transferring information to a server via PHP seems like an intelligent advancement in keylogging ability, but don’t hold your breath. The hacker could hack the hacker. There is only one PHP file needed for HawkEye to ‘work’, see if you can find the issue.

eThanks Hawkeye! The protection for Hawkeye is no better, it decides to search for task manager by going through all the processes and seeing the string content. It will then attempt to kill the process. This is also done for regedit, cmd and msconfig.

fIt also attempts to force users to login to there Steam by removing files involving the login process and then does the same process for killing a process.

gLike most loggers it uses other programs to find files of importance which is why this stub without a crypter is 576kb. It includes mailpv, WebBrowserPassView and cExecute all in its resources for use within the main program. If there’s one thing to note from this, is that keyloggers are and always will be terrible peices of malware. Easy to detect and great for defense. This was highlighted when I was able to see every purchaser of iSpy at one point, viewing their email and transaction information.