Analysis
max time kernel: 138s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-04-2024 23:07
Static task: static1
Behavioral task: behavioral1
Sample: 01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe
Size: 272KB
MD5: 01df36c8891a9ce3570cad7f06bc2914
SHA1: 8fb82853c826f20245bba22edcb0d963ef04f624
SHA256: 2b6997c32bc12b4f9b55a22435d4492125df7bb085d4ec9a2301aec017cd2958
SHA512: 66636dc4f45898d8aa2fd1aabf6f027fd4a47dcbba2c62fa9246207a6e8a86c0ca5c40e8f5ecf76e5625ab97755b76e3f169167d3a3b0a582f6dcda7f8d7e8e3
SSDEEP: 6144:AIFpoLPsjOe5Rq2btO4oKAOSK+z32E2UomN25:hOe5A2gOJG7N25
Malware Config
Extracted family: emotet
Botnet: Epoch3
C2 addresses (ip:port):
49.243.9.118:80
162.241.41.111:7080
190.85.46.52:7080
162.144.42.60:8080
157.245.138.101:7080
103.133.66.57:443
167.71.227.113:8080
80.200.62.81:20
78.186.65.230:80
185.142.236.163:443
78.114.175.216:80
202.166.170.43:80
37.205.9.252:7080
118.243.83.70:80
116.202.10.123:8080
223.135.30.189:80
120.51.34.254:80
139.59.61.215:443
8.4.9.137:8080
202.153.220.157:80
179.5.118.12:80
75.127.14.170:8080
45.177.120.37:8080
41.185.29.128:8080
79.133.6.236:8080
192.241.220.183:8080
203.153.216.178:7080
115.176.16.221:80
113.161.148.81:80
178.33.167.120:8080
183.77.227.38:80
46.105.131.68:8080
181.95.133.104:80
93.20.157.143:80
172.105.78.244:8080
139.59.12.63:8080
190.192.39.136:80
41.212.89.128:80
27.73.70.219:8080
109.206.139.119:80
192.163.221.191:8080
113.160.248.110:80
182.227.240.189:443
185.208.226.142:8080
126.126.139.26:443
185.80.172.199:80
103.229.73.17:8080
5.79.70.250:8080
95.216.205.155:8080
190.194.12.132:80
37.46.129.215:8080
51.38.201.19:7080
195.201.56.70:8080
175.103.38.146:80
73.55.128.120:80
74.208.173.91:8080
189.150.209.206:80
91.83.93.103:443
86.57.216.23:80
36.91.44.183:80
181.80.129.181:80
50.116.78.109:8080
14.241.182.160:80
60.125.114.64:443
113.156.82.32:80
190.191.171.72:80
67.121.104.51:20
111.89.241.139:80
220.106.127.191:443
46.32.229.152:8080
115.79.59.157:80
58.27.215.3:8080
192.210.217.94:8080
118.33.121.37:80
169.1.211.133:80
54.38.143.245:8080
198.57.203.63:8080
138.201.45.2:8080
172.96.190.154:8080
143.95.101.72:8080
45.239.204.100:80
103.93.220.182:80
185.86.148.68:443
119.92.77.17:80
186.20.52.237:80
115.79.195.246:80
223.17.215.76:80
77.74.78.80:443
113.203.238.130:80
220.147.247.145:80
153.229.219.1:443
187.189.66.200:8080
103.80.51.61:8080
27.7.14.122:80
200.116.93.61:80
182.253.83.234:7080
91.75.75.46:80
128.106.187.110:80
113.193.239.51:443
180.148.4.130:8080
157.7.164.178:8081
88.247.58.26:80
37.187.100.220:7080
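The extracted Epoch3 C2 list above is most useful as a detection feed, but only if it is parsed strictly and matched on the full ip:port pair, since several of these addresses are ordinary compromised hosts that also serve legitimate traffic on other ports. The following Python is an added example, not part of the sandbox report or of the Emotet sample: it validates an ip:port list of the form shown above (a subset of the page's entries is embedded) and matches it against a few constructed connection-log lines. The log format, the log lines and the function names are assumptions for illustration.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# A subset of the Epoch3 C2 list extracted from the sample on this page.
C2_CONFIG = """
49.243.9.118:80
162.241.41.111:7080
190.85.46.52:7080
103.133.66.57:443
80.200.62.81:20
157.7.164.178:8081
"""

# Constructed connection-log lines for illustration only (not traffic from
# the sandbox run). Assumed format: ts src_ip src_port dst_ip dst_port proto
SAMPLE_CONN_LOG = """
2024-04-26T23:08:01Z 10.0.0.15 49811 49.243.9.118 80 tcp
2024-04-26T23:08:02Z 10.0.0.15 49812 8.8.8.8 53 udp
2024-04-26T23:08:05Z 10.0.0.15 49813 162.241.41.111 7080 tcp
2024-04-26T23:08:07Z 10.0.0.15 49814 162.241.41.111 443 tcp
2024-04-26T23:08:09Z 10.0.0.15 49815 80.200.62.81 20 tcp
"""

C2_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")


def parse_c2_list(text: str) -> Set[Tuple[str, int]]:
    """Parse 'ip:port' lines into a set of (ip, port) tuples.

    Entries that are not a valid IPv4 address with a port in 1..65535 are
    dropped, so a malformed line cannot silently poison the indicator set.
    """
    c2s: Set[Tuple[str, int]] = set()
    for line in text.splitlines():
        m = C2_LINE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue
        port = int(m.group(2))
        if not 1 <= port <= 65535:
            continue
        c2s.add((str(ip), port))
    return c2s


def match_connections(c2s: Set[Tuple[str, int]], log_text: str) -> List[Dict[str, str]]:
    """Return one hit per log line whose destination ip:port is in the C2 set.

    Matching on the (ip, port) pair rather than the bare IP avoids alerting
    on unrelated services hosted on the same (often compromised) address.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[4].isdigit():
            continue
        ts, src_ip, _src_port, dst_ip, dst_port, proto = fields
        if (dst_ip, int(dst_port)) in c2s:
            hits.append({"ts": ts, "src": src_ip, "dst": f"{dst_ip}:{dst_port}", "proto": proto})
    return hits


if __name__ == "__main__":
    indicators = parse_c2_list(C2_CONFIG)
    for hit in match_connections(indicators, SAMPLE_CONN_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']} ({hit['proto']}) matches Epoch3 C2")
```

In the constructed log, the connection to 162.241.41.111 on port 443 is deliberately left unmatched: only the port in the extracted config (7080) is treated as C2, which is the behaviour you want when the list contains shared or compromised hosting.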
Signatures
Emotet family detected (YARA rule "emotet"), 5 memory regions matched:
- behavioral2/memory/1596-0-0x00000000007B0000-0x00000000007C2000-memory.dmp
- behavioral2/memory/1596-4-0x0000000002270000-0x0000000002280000-memory.dmp
- behavioral2/memory/1596-7-0x00000000007A0000-0x00000000007AF000-memory.dmp
- behavioral2/memory/4156-14-0x0000000002190000-0x00000000021A0000-memory.dmp
- behavioral2/memory/4156-10-0x0000000002170000-0x0000000002182000-memory.dmp
Executes dropped EXE (1 IoC):
- PID 4156 netlogon.exe
Drops file in System32 directory (1 IoC):
- File opened for modification: C:\Windows\SysWOW64\itircl\netlogon.exe, by 01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP):
- Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (14 IoCs):
- PID 4156 netlogon.exe (14 events)
Suspicious behavior: RenamesItself (1 IoC):
- PID 1596 01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (2 IoCs):
- PID 1596 01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe
- PID 4156 netlogon.exe
Suspicious use of WriteProcessMemory (3 IoCs):
- PID 1596 (01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe) wrote to memory of PID 4156, procid_target 85 (3 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe"
   PID: 1596
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\itircl\netlogon.exe (child of PID 1596)
      Command line: "C:\Windows\SysWOW64\itircl\netlogon.exe"
      PID: 4156
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
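The process tree above records a three-stage chain: the sample running from the user's Temp folder writes netlogon.exe into a freshly created SysWOW64 subfolder, launches it as a child process, and writes into that child's memory. The following Python is an added example, not part of the sandbox report, showing how that chain can be correlated from Sysmon-style file-write, process-create and remote-memory-write events. The event records are constructed to mirror the PIDs and paths on this page (with two benign events mixed in), and the field names and event type labels are assumptions for the example.

```python
import re
from typing import Dict, List

# Image paths under a user's local Temp folder, where the sample ran from.
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# An .exe exactly one folder below SysWOW64 or System32, like
# C:\Windows\SysWOW64\itircl\netlogon.exe in the tree above. Binaries sitting
# directly in SysWOW64 itself are deliberately not matched.
SYSTEM_SUBDIR_EXE = re.compile(
    r"^c:\\windows\\(syswow64|system32)\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE
)

# Constructed Sysmon-style events mirroring the PIDs and paths on this page,
# plus two benign events. Field names are assumptions for the example.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\itircl\netlogon.exe"
EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 5678, "ppid": 1234,
     "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_write", "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\update.tmp"},
    {"type": "file_write", "pid": 1596, "image": DROPPER, "target": DROPPED},
    {"type": "process_create", "pid": 4156, "ppid": 1596, "image": DROPPED, "parent_image": DROPPER},
    {"type": "remote_write", "pid": 1596, "target_pid": 4156},
]


def is_user_temp(path: str) -> bool:
    return USER_TEMP.match(path) is not None


def is_system_subdir_exe(path: str) -> bool:
    return SYSTEM_SUBDIR_EXE.match(path) is not None


def detect_drop_and_execute(events: List[Dict]) -> List[Dict]:
    """Correlate the three stages of the chain shown on this page.

    1. A process running from a user Temp folder writes an .exe into a
       subfolder of SysWOW64/System32 ("Drops file in System32 directory").
    2. That same process later spawns the dropped file ("Executes dropped EXE").
    3. Optionally, the dropper writes into the child's memory
       ("Suspicious use of WriteProcessMemory").
    Events are assumed to be in chronological order.
    """
    dropped: Dict[str, int] = {}  # lower-cased dropped path -> dropper pid
    alerts: List[Dict] = []
    for ev in events:
        if ev["type"] == "file_write":
            if is_user_temp(ev["image"]) and is_system_subdir_exe(ev["target"]):
                dropped[ev["target"].lower()] = ev["pid"]
        elif ev["type"] == "process_create":
            key = ev["image"].lower()
            # Only alert when the parent is the very process that dropped the file.
            if key in dropped and dropped[key] == ev["ppid"]:
                alerts.append({
                    "dropper_pid": ev["ppid"],
                    "dropped_path": ev["image"],
                    "child_pid": ev["pid"],
                    "parent_wrote_memory": False,
                })
    # Stage 3: did the dropper also write into the child it just started?
    for ev in events:
        if ev["type"] != "remote_write":
            continue
        for alert in alerts:
            if alert["dropper_pid"] == ev["pid"] and alert["child_pid"] == ev["target_pid"]:
                alert["parent_wrote_memory"] = True
    return alerts


if __name__ == "__main__":
    for a in detect_drop_and_execute(EVENTS):
        print(f"PID {a['dropper_pid']} dropped and ran {a['dropped_path']} as PID {a['child_pid']}; "
              f"remote memory write: {a['parent_wrote_memory']}")
```

Requiring that the spawning parent be the same PID that wrote the file is what keeps this rule quiet on installers and updaters that legitimately place binaries under System32: those are normally started later by a service or by the user, not by the writer itself, and they do not follow up with a remote memory write into the new process.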
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 272KB
MD5: 01df36c8891a9ce3570cad7f06bc2914
SHA1: 8fb82853c826f20245bba22edcb0d963ef04f624
SHA256: 2b6997c32bc12b4f9b55a22435d4492125df7bb085d4ec9a2301aec017cd2958
SHA512: 66636dc4f45898d8aa2fd1aabf6f027fd4a47dcbba2c62fa9246207a6e8a86c0ca5c40e8f5ecf76e5625ab97755b76e3f169167d3a3b0a582f6dcda7f8d7e8e3