HawkEye
Published: 2026-04-18 12:35 | Last Updated: 2026-05-08 13:15
https://cyberdefenders.org/blueteam-ctf-challenges/hawkeye/
HawkEye is a credential-stealing Trojan (spyware) that functions primarily as a keylogger and is designed to steal sensitive data from victims. It has been active since 2013 and is sold on dark web forums as Malware-as-a-Service (MaaS).
Basic triage
| IP address | Note |
|---|---|
| 10.4.10.132 | private (RFC 1918) |
| 10.4.10.4 | private (RFC 1918) |
| 217.182.138.150 | public |
| 23.229.162.69 | public |
| 216.58.193.131 | public |
| 239.255.255.250 | multicast |
| 224.0.0.252 | multicast |
Q1 How many packets does the capture have?
4003
Q2 At what time was the first packet captured (UTC)?
2019-04-10 20:37:07 UTC
Q3 What is the duration of the capture?
01:03:41
Q4 What is the most active computer at the link level?
00:08:02:1c:47:ae
Q5 Manufacturer of the NIC of the most active system at the link level?
Hewlett-Packard
Q6 Where is the headquarter of the company that manufactured the NIC of the most active computer at the link level?
Palo Alto

Q7 The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?
3
Q8 What is the name of the most active computer at the network level?
10.4.10.132 [BEIJING-5CD1-PC] [beijing-5cd1-pc] [Beijing-5cd1-PC] (Windows)
Q9 What is the IP of the organization's DNS server?
Applying the `dns` display filter and checking the destination IP of the queries makes this easy to find:
10.4.10.4
Q10 What domain is the victim asking about in packet 204?
proforma-invoices.com: type A, class IN
Q11 What is the IP of the domain in the previous question?
proforma-invoices.com: type A, class IN, addr 217.182.138.150
Q12 Indicate the country to which the IP in the previous section belongs.
Using a whois lookup site such as ipinfo:
France

Q13 What operating system does the victim's computer run?
Q14 What is the name of the malicious file downloaded by the accountant?
Request URI: /proforma/tkraw_Protected99.exe
Q15 What is the md5 hash of the downloaded file?
Using NetworkMiner to extract the file:
71826ba081e303866ce2a2534491a2f7
Q16 What software runs the webserver that hosts the malware?
Use the filter `http contains "This program"` (the string from the DOS stub of a PE file) to find the packet that carries the executable, then follow the TCP stream:
LiteSpeed
Q17 What is the public IP of the victim's computer?
To learn the victim's public IP, the attacker's malware has to reach out to the internet. Filter with `http contains "ip"`, then follow the TCP stream:
173.66.146.112
Q18 In which country is the email server to which the stolen information is sent?
United States
Q19 Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?

Q20 To which email account is the stolen information sent?

Q21 What is the password used by the malware to send the email?
The password is sent base64-encoded in the SMTP session; decoding it gives:
Sales@23
I also extracted the email and decoded its content:
```text
HawkEye Keylogger - Reborn v9
Passwords Logs
roman.mcguire \ BEIJING-5CD1-PC
==================================================
URL : https://login.aol.com/account/challenge/password
Web Browser : Internet Explorer 7.0 - 9.0
User Name : roman.mcguire914@aol.com
Password : P@ssw0rd$
Password Strength : Very Strong
User Name Field :
Password Field :
Created Time :
Modified Time :
Filename :
==================================================
==================================================
URL : https://www.bankofamerica.com/
Web Browser : Chrome
User Name : roman.mcguire
Password : P@ssw0rd$
Password Strength : Very Strong
User Name Field : onlineId1
Password Field : passcode1
Created Time : 4/10/2019 2:35:17 AM
Modified Time :
Filename : C:\Users\roman.mcguire\AppData\Local\Google\Chrome\User Data\Default\Login Data
==================================================
==================================================
Name : Roman McGuire
Application : MS Outlook 2002/2003/2007/2010
Email : roman.mcguire@pizzajukebox.com
Server : pop.pizzajukebox.com
Server Port : 995
Secured : No
Type : POP3
User : roman.mcguire
Password : P@ssw0rd$
Profile : Outlook
Password Strength : Very Strong
SMTP Server : smtp.pizzajukebox.com
SMTP Server Port : 587
==================================================
```
Q22 Which malware variant exfiltrated the data?
HawkEye Keylogger - Reborn v9
Q23 What are the bankofamerica access credentials? (username:password)
User Name : roman.mcguire
Password : P@ssw0rd$
Q24 Every how many minutes does the collected data get exfiltrated?
In SMTP, a client that wants to send an email first connects to the mail server and sends HELO (older clients) or EHLO (extended HELLO). Filtering with `smtp.req.command == "EHLO"` therefore shows each time the malware starts a new session; the sessions are 10 minutes apart.
10
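As an added example (not part of the original writeup), the following Python reproduces the two checks from Q21 and Q24 on a constructed client-side SMTP transcript: it decodes the base64 AUTH LOGIN credentials and measures the gap between EHLO commands. The host name and the password come from the writeup; the timestamps and the mailbox name "mailbox" are assumptions.

```python
import base64

# Constructed sample: the client side of one exfiltration SMTP session plus the
# EHLO of the next two sessions, each line tagged with its frame timestamp
# (epoch seconds), as collected from Wireshark's "Follow TCP Stream" view.
# Timestamps and the mailbox name are made up; "Sales@23" is from the writeup.
CLIENT_LINES = [
    (1554929827.0, "EHLO BEIJING-5CD1-PC"),
    (1554929827.3, "AUTH LOGIN"),
    (1554929827.6, "bWFpbGJveA=="),    # base64("mailbox")
    (1554929827.9, "U2FsZXNAMjM="),    # base64("Sales@23")
    (1554929828.2, "MAIL FROM:<mailbox@example.invalid>"),
    (1554930427.0, "EHLO BEIJING-5CD1-PC"),
    (1554931027.0, "EHLO BEIJING-5CD1-PC"),
]


def parse_auth_login(lines):
    """Return (username, password) from a plaintext AUTH LOGIN exchange, else None.

    AUTH LOGIN is base64, not encryption, so without TLS both values are readable
    in the capture. RFC 4954 also allows the username as an initial response on
    the AUTH line itself; that form is handled too.
    """
    for i, (_, line) in enumerate(lines):
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "AUTH" or parts[1].upper() != "LOGIN":
            continue
        try:
            if len(parts) == 3:
                user_b64, pwd_b64 = parts[2], lines[i + 1][1]
            else:
                user_b64, pwd_b64 = lines[i + 1][1], lines[i + 2][1]
            return (base64.b64decode(user_b64).decode(), base64.b64decode(pwd_b64).decode())
        except (IndexError, ValueError):
            return None  # truncated session or a line that is not valid base64
    return None


def ehlo_intervals_minutes(lines):
    """Minutes between consecutive EHLO commands, i.e. the exfiltration cadence."""
    times = [ts for ts, line in lines if line.upper().startswith("EHLO")]
    return [round((later - earlier) / 60, 1) for earlier, later in zip(times, times[1:])]


if __name__ == "__main__":
    print("credentials:", parse_auth_login(CLIENT_LINES))            # ('mailbox', 'Sales@23')
    print("minutes between sessions:", ehlo_intervals_minutes(CLIENT_LINES))  # [10.0, 10.0]
```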