
HawkEye

📅 Published: 2026-04-18 12:35 | 🔄 Last Updated: 2026-05-08 13:15

https://cyberdefenders.org/blueteam-ctf-challenges/hawkeye/

HawkEye is a credential-stealing Trojan (spyware) that functions primarily as a keylogger, designed to steal sensitive data from victims. It has been active since 2013 and is sold on dark web forums as Malware-as-a-Service (MaaS).

Basic triage

IP addresses seen in the capture (Statistics > Endpoints):

10.4.10.132
217.182.138.150
10.4.10.4
23.229.162.69
239.255.255.250
224.0.0.252
216.58.193.131

Q1 How many packets does the capture have?

4003

Q2 At what time was the first packet captured (UTC)?

2019-04-10 20:37:07 UTC

Q3 What is the duration of the capture?

01:03:41

Q4 What is the most active computer at the link level?

00:08:02:1c:47:ae

Q5 Manufacturer of the NIC of the most active system at the link level?

Hewlett-Packard

Q6 Where are the headquarters of the company that manufactured the NIC of the most active computer at the link level?

Palo Alto

Q7 The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?

3

Q8 What is the name of the most active computer at the network level?

10.4.10.132 [BEIJING-5CD1-PC] [beijing-5cd1-pc] [Beijing-5cd1-PC] (Windows)

Q9 What is the IP of the organization's DNS server?

Apply the dns filter and look at the destination IP of the queries; the resolver is easy to spot:

10.4.10.4

Q10 What domain is the victim asking about in packet 204?

proforma-invoices.com: type A, class IN

Q11 What is the IP of the domain in the previous question?

proforma-invoices.com: type A, class IN, addr 217.182.138.150

Q12 Indicate the country to which the IP in the previous section belongs.

Using a WHOIS lookup site such as ipinfo:

France

Q13 What operating system does the victim's computer run?

Q14 What is the name of the malicious file downloaded by the accountant?

Request URI: /proforma/tkraw_Protected99.exe

Q15 What is the md5 hash of the downloaded file?

Use NetworkMiner to extract the file and compute its MD5:

71826ba081e303866ce2a2534491a2f7

Q16 What software runs the webserver that hosts the malware?

Use the filter http contains "This program" to find the packet carrying the executable, then follow the TCP stream; the HTTP Server header shows:

LiteSpeed
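The three steps above (find the HTTP response that carries the executable, read the server banner, hash the file) can be scripted once the TCP stream has been exported as raw bytes. The Python below is an added example, not code from this write-up or from the challenge; it runs on a constructed HTTP response whose body is a fake executable (only the MZ magic and the DOS-stub string are realistic), so the hash it prints belongs to the sample, not to tkraw_Protected99.exe.

```python
import hashlib

# Constructed sample: a minimal HTTP response carrying a fake executable.
# The body is NOT a real PE; it only starts with the "MZ" magic and carries the
# DOS-stub string that the Wireshark filter http contains "This program" keys on.
SAMPLE_BODY = (
    b"MZ" + b"\x00" * 62
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 16
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: LiteSpeed\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n"
    b"\r\n"
    + SAMPLE_BODY
)

DOS_STUB = b"This program cannot be run in DOS mode"


def split_http_response(raw: bytes):
    """Split a raw HTTP response into (status line, header dict, body).

    Header names are lower-cased; the body is truncated to Content-Length
    when that header is present.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    length = headers.get("content-length")
    if length is not None and length.isdigit():
        body = body[: int(length)]
    return status, headers, body


def looks_like_pe(data: bytes) -> bool:
    """Cheap check for a Windows executable: MZ magic plus the DOS stub text near the start."""
    return data[:2] == b"MZ" and DOS_STUB in data[:512]


def md5_hex(data: bytes) -> str:
    """MD5 of the carved body, the value to compare with the challenge's file hash."""
    return hashlib.md5(data).hexdigest()


def carve_download(raw: bytes) -> dict:
    """Summarise one HTTP response: server banner, whether the body is a PE, its size and MD5."""
    status, headers, body = split_http_response(raw)
    return {
        "status": status,
        "server": headers.get("server", ""),
        "is_pe": looks_like_pe(body),
        "size": len(body),
        "md5": md5_hex(body),
    }


if __name__ == "__main__":
    for key, value in carve_download(SAMPLE_RESPONSE).items():
        print(f"{key:7}: {value}")
```

On a real stream, feed the function the server-to-client bytes of the TCP conversation (Wireshark: Follow TCP Stream, show one direction, save as raw); the Server header and the MD5 it returns are the answers to Q16 and Q15 respectively.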

Q17 What is the public IP of the victim's computer?

To learn the public IP, the attacker's malware has to reach out to a lookup service on the internet, so filter for that request:

http contains "ip"

Then follow the TCP stream:

173.66.146.112

Q18 In which country is the email server to which the stolen information is sent?

United States

Q19 Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?

Q20 To which email account is the stolen information sent?

Q21 What is the password used by the malware to send the email?

The password is sent base64-encoded during SMTP authentication; decoding it gives:

Sales@23

I also extracted the email and decoded its content:

HawkEye Keylogger - Reborn v9
Passwords Logs
roman.mcguire \ BEIJING-5CD1-PC

==================================================
URL : https://login.aol.com/account/challenge/password
Web Browser : Internet Explorer 7.0 - 9.0
User Name : roman.mcguire914@aol.com
Password : P@ssw0rd$
Password Strength : Very Strong
User Name Field :
Password Field :
Created Time :
Modified Time :
Filename :
==================================================

==================================================
URL : https://www.bankofamerica.com/
Web Browser : Chrome
User Name : roman.mcguire
Password : P@ssw0rd$
Password Strength : Very Strong
User Name Field : onlineId1
Password Field : passcode1
Created Time : 4/10/2019 2:35:17 AM
Modified Time :
Filename : C:\Users\roman.mcguire\AppData\Local\Google\Chrome\User Data\Default\Login Data
==================================================

==================================================
Name : Roman McGuire
Application : MS Outlook 2002/2003/2007/2010
Email : roman.mcguire@pizzajukebox.com
Server : pop.pizzajukebox.com
Server Port : 995
Secured : No
Type : POP3
User : roman.mcguire
Password : P@ssw0rd$
Profile : Outlook
Password Strength : Very Strong
SMTP Server : smtp.pizzajukebox.com
SMTP Server Port : 587
==================================================


Q22 Which malware variant exfiltrated the data?

HawkEye Keylogger - Reborn v9

Q23 What are the bankofamerica access credentials? (username:password)

User Name : roman.mcguire
Password : P@ssw0rd$

Q24 Every how many minutes does the collected data get exfiltrated?

In SMTP, when a client wants to send an email, it first connects to the mail server and sends HELO (older clients) or EHLO (extended HELO). So we use the filter smtp.req.command == "EHLO" to find where the malware opens a new session. Each session is 10 minutes apart.

10
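For Q21 and Q24 the same client-side SMTP lines answer both questions: the base64 tokens following AUTH LOGIN carry the credentials, and the timestamps of the EHLO commands give the exfiltration period. The Python below is an added example (not from this write-up or from the challenge) that does both over a constructed list of (epoch seconds, client command) pairs such as one could assemble from tshark output; the timestamps, the hostname reuse and the sender mailbox sender@example.invalid are made up, and U2FsZXNAMjM= is simply the base64 form of Sales@23.

```python
import base64
from datetime import datetime, timezone

# Constructed sample: the client side of three SMTP sessions as (epoch, line).
# Timestamps and the mailbox sender@example.invalid are invented for the
# example; the base64 tokens encode that mailbox and the password "Sales@23".
SAMPLE_CLIENT_LINES = [
    (1554928627.0, "EHLO BEIJING-5CD1-PC"),
    (1554928627.2, "AUTH LOGIN"),
    (1554928627.4, "c2VuZGVyQGV4YW1wbGUuaW52YWxpZA=="),
    (1554928627.6, "U2FsZXNAMjM="),
    (1554928628.0, "MAIL FROM:<sender@example.invalid>"),
    (1554928628.2, "QUIT"),
    (1554929227.0, "EHLO BEIJING-5CD1-PC"),
    (1554929227.2, "AUTH LOGIN"),
    (1554929227.4, "c2VuZGVyQGV4YW1wbGUuaW52YWxpZA=="),
    (1554929227.6, "U2FsZXNAMjM="),
    (1554929227.8, "QUIT"),
    (1554929827.0, "EHLO BEIJING-5CD1-PC"),
    (1554929827.2, "QUIT"),
]


def decode_b64_text(token: str) -> str:
    """Decode one base64 token of an AUTH LOGIN exchange; '' if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return ""


def extract_auth_login(lines):
    """Return (username, password) pairs recovered from every AUTH LOGIN exchange.

    Handles both forms a client may use: "AUTH LOGIN" followed by the username
    on its own line, or "AUTH LOGIN <base64 user>" with the password next.
    """
    creds = []
    i = 0
    while i < len(lines):
        parts = lines[i][1].split()
        if len(parts) >= 2 and parts[0].upper() == "AUTH" and parts[1].upper() == "LOGIN":
            if len(parts) == 3:                      # username supplied inline
                user = decode_b64_text(parts[2])
                pw_idx = i + 1
            elif i + 1 < len(lines):                 # username on the next line
                user = decode_b64_text(lines[i + 1][1])
                pw_idx = i + 2
            else:
                break
            if pw_idx < len(lines):
                creds.append((user, decode_b64_text(lines[pw_idx][1])))
            i = pw_idx + 1
        else:
            i += 1
    return creds


def session_starts(lines):
    """Timestamps of every EHLO/HELO, i.e. the start of each SMTP session."""
    return [ts for ts, cmd in lines if cmd.split(" ", 1)[0].upper() in ("EHLO", "HELO")]


def exfil_interval_minutes(lines):
    """Gaps between consecutive session starts, in minutes (one decimal)."""
    starts = session_starts(lines)
    return [round((later - earlier) / 60, 1) for earlier, later in zip(starts, starts[1:])]


def fmt_utc(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    for user, password in extract_auth_login(SAMPLE_CLIENT_LINES):
        print(f"AUTH LOGIN  user={user!r}  password={password!r}")
    for ts in session_starts(SAMPLE_CLIENT_LINES):
        print("session start:", fmt_utc(ts))
    print("minutes between sessions:", exfil_interval_minutes(SAMPLE_CLIENT_LINES))
```

A regular gap like the one this computes is the beaconing signature a detection rule would key on: outbound SMTP from a workstation at a fixed period, authenticating with the same credentials each time, is worth an alert regardless of what the message bodies contain.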