Analysis
max time kernel
135s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted
26-04-2024 09:46
Static task
static1
Behavioral task
behavioral1
Sample
008009719177a77c02587f6bb3feddc1_JaffaCakes118.exe
Resource
win7-20240221-en
General
Target
008009719177a77c02587f6bb3feddc1_JaffaCakes118.exe
Size
508KB
MD5
008009719177a77c02587f6bb3feddc1
SHA1
d40ffe04736177282202a97966e6aeaf4345b196
SHA256
90dcabefe04c6d3d10a41d11424df21cb204a1ba9096b49655dbe2a03c8ec374
SHA512
967f3c29f7dcb0c16d6e2c479c8e91a1f016ee47834fd551a56dcaa5a02530e822494e49d6ba5b55720fa137e80359f5bb1c15b7a37c000cd5c7b2593187945c
SSDEEP
6144:ZD4tnT+zJou0QgC82pGejtQ930xbYVzv2rsFBViXRn3eoEC9g76nTyKadUQF/yIu:Ye2CbYVz+wWeoEC9zyhdX+4W
Malware Config
Extracted
Family
emotet
Botnet
Epoch3
C2
108.184.9.44:80
88.247.26.78:80
181.46.176.38:80
164.68.115.146:8080
5.189.148.98:8080
46.105.128.215:8080
69.30.205.162:7080
46.105.131.68:8080
85.235.219.74:80
37.46.129.215:8080
153.190.41.185:80
115.179.91.58:80
100.38.11.243:80
119.57.36.54:8080
124.150.175.129:8080
139.59.12.63:8080
82.146.55.23:7080
123.142.37.165:80
95.216.212.157:8080
200.41.121.69:443
186.84.173.136:8080
175.127.140.68:80
190.5.162.204:80
45.129.121.222:443
91.117.31.181:80
87.9.181.247:80
190.101.87.170:80
67.254.196.78:443
103.122.75.218:80
211.218.105.101:80
187.233.220.93:443
86.70.224.211:80
77.245.12.212:80
181.47.235.26:993
190.171.135.235:80
212.129.14.27:8080
37.59.24.25:8080
78.46.87.133:8080
201.183.251.100:80
181.44.166.242:80
46.17.6.116:8080
158.69.167.246:8080
182.176.116.139:995
78.186.102.195:80
95.255.140.89:443
67.171.182.231:80
81.82.247.216:80
189.61.200.9:443
24.27.122.202:80
86.6.123.109:80
162.144.46.90:8080
89.215.225.15:80
216.75.37.196:8080
92.16.222.156:80
191.100.24.201:50000
200.71.112.158:53
165.100.148.200:443
189.225.211.171:443
72.69.99.47:80
59.158.164.66:443
72.27.212.209:8080
210.224.65.117:80
98.15.140.226:80
110.2.118.164:80
124.150.175.133:80
120.51.83.89:443
60.53.3.153:8080
212.112.113.235:80
24.28.178.71:80
128.92.54.20:80
37.70.131.107:80
201.196.15.79:990
175.103.239.50:80
195.250.143.182:80
190.161.67.63:80
72.51.153.27:80
192.241.220.183:8080
192.161.190.171:8080
187.250.92.82:80
190.189.79.73:80
113.52.135.33:7080
185.244.167.25:443
192.210.217.94:8080
82.79.244.92:80
50.116.78.109:8080
96.234.38.186:8080
188.230.134.205:80
172.90.70.168:443
190.146.14.143:443
58.93.151.148:80
217.181.139.237:443
110.142.161.90:80
163.172.97.112:8080
83.110.107.243:443
172.104.70.207:8080
51.38.134.203:8080
142.93.87.198:8080
91.117.131.122:80
193.33.38.208:443
203.153.216.178:7080
23.253.207.142:8080
95.216.207.86:7080
221.154.59.110:80
119.159.150.176:443
42.51.192.231:8080
178.134.1.238:80
1.32.54.12:8080
86.98.157.3:80
85.109.190.235:443
177.103.201.23:80
220.78.29.88:80
177.103.240.93:80
138.197.140.163:8080
176.58.93.123:80
51.77.113.97:8080
83.156.88.159:80
210.111.160.220:80
41.77.74.214:443
174.57.150.13:8080
78.187.204.70:80
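The config block above lists 120 C2 endpoints, and the ports are not only 80 and 443: 53, 990, 993, 995, 7080, 8080 and 50000 all appear, so an egress rule that keys on IP rather than IP:port is the safer artefact to derive from it. The following is an added example in Python, not part of the sandbox report: it parses a block in this "ip:port per line" layout into (ip, port) pairs, drops malformed lines instead of failing on them, tallies the ports, and matches constructed connection records against the list. The C2 excerpt is copied from the report; the connection log lines are made up for the example.

```python
import ipaddress
import re
from collections import Counter

# Excerpt of the C2 list from the report's Malware Config section (the report lists
# 120 entries); any block in the same "ip:port per line" layout parses the same way.
C2_CONFIG = """\
108.184.9.44:80
88.247.26.78:80
164.68.115.146:8080
69.30.205.162:7080
200.41.121.69:443
181.47.235.26:993
182.176.116.139:995
201.196.15.79:990
200.71.112.158:53
191.100.24.201:50000
"""

C2_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")


def parse_c2(text):
    """Parse 'ip:port' lines into a set of (ip, port) tuples.

    Lines that are not a valid IPv4 address plus a port in 1..65535 are skipped
    rather than raised on, so one mangled line does not lose the whole list.
    """
    endpoints = set()
    for line in text.splitlines():
        m = C2_LINE.match(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        try:
            ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            continue
        if 1 <= port <= 65535:
            endpoints.add((ip, port))
    return endpoints


def port_profile(endpoints):
    """Count the C2 ports, which shows how little an 'only 80/443' rule would cover."""
    return Counter(port for _, port in endpoints)


# Constructed connection records (not from the sandbox run) in a minimal
# "ts src_ip dst_ip dst_port" layout: two reach C2 IPs, one of them on another port.
SAMPLE_CONN_LOG = """\
1714124761 10.0.0.15 108.184.9.44 80
1714124762 10.0.0.15 93.184.216.34 443
1714124763 10.0.0.15 200.71.112.158 443
1714124764 10.0.0.22 8.8.8.8 53
"""


def match_connections(log_text, endpoints):
    """Flag outbound connections to any C2 IP.

    Matching on IP alone is deliberate: the same host can be reused on a different
    port, so such a hit is still reported, marked exact_port=False.
    """
    c2_ips = {ip for ip, _ in endpoints}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        if dst in c2_ips:
            hits.append({
                "ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
                "exact_port": (dst, int(dport)) in endpoints,
            })
    return hits


if __name__ == "__main__":
    c2 = parse_c2(C2_CONFIG)
    print(f"{len(c2)} C2 endpoints, ports in use: {dict(port_profile(c2))}")
    for hit in match_connections(SAMPLE_CONN_LOG, c2):
        print(hit)
```

Paste the full 120-line block from the report into C2_CONFIG to get the complete set; the parser does not care about the number of lines.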
Signatures

Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | anglespecial.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (21 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-d1-d0-61-ff-e9\WpadDecisionReason = "1" | anglespecial.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-d1-d0-61-ff-e9 | anglespecial.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | anglespecial.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | anglespecial.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | anglespecial.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | anglespecial.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ee000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | anglespecial.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | anglespecial.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (empty value) | anglespecial.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A334E054-6092-4D77-8C18-BEB364DDB348} | anglespecial.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A334E054-6092-4D77-8C18-BEB364DDB348}\WpadDecisionReason = "1" | anglespecial.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A334E054-6092-4D77-8C18-BEB364DDB348}\WpadNetworkName = "Network 3" | anglespecial.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-d1-d0-61-ff-e9\WpadDecisionTime = d0a259bfbe97da01 | anglespecial.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | anglespecial.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | anglespecial.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | anglespecial.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A334E054-6092-4D77-8C18-BEB364DDB348}\WpadDecisionTime = d0a259bfbe97da01 | anglespecial.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A334E054-6092-4D77-8C18-BEB364DDB348}\WpadDecision = "0" | anglespecial.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A334E054-6092-4D77-8C18-BEB364DDB348}\e2-d1-d0-61-ff-e9 | anglespecial.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-d1-d0-61-ff-e9\WpadDecision = "0" | anglespecial.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | anglespecial.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2636 | anglespecial.exe
2636 | anglespecial.exe
2636 | anglespecial.exe

Suspicious behavior: RenamesItself (1 IoC)
pid | Process
2600 | 008009719177a77c02587f6bb3feddc1_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2188 | 008009719177a77c02587f6bb3feddc1_JaffaCakes118.exe
2600 | 008009719177a77c02587f6bb3feddc1_JaffaCakes118.exe
2572 | anglespecial.exe
2636 | anglespecial.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2188 wrote to memory of 2600 | 2188 | 008009719177a77c02587f6bb3feddc1_JaffaCakes118.exe | 28
PID 2188 wrote to memory of 2600 | 2188 | 008009719177a77c02587f6bb3feddc1_JaffaCakes118.exe | 28
PID 2188 wrote to memory of 2600 | 2188 | 008009719177a77c02587f6bb3feddc1_JaffaCakes118.exe | 28
PID 2188 wrote to memory of 2600 | 2188 | 008009719177a77c02587f6bb3feddc1_JaffaCakes118.exe | 28
PID 2572 wrote to memory of 2636 | 2572 | anglespecial.exe | 30
PID 2572 wrote to memory of 2636 | 2572 | anglespecial.exe | 30
PID 2572 wrote to memory of 2636 | 2572 | anglespecial.exe | 30
PID 2572 wrote to memory of 2636 | 2572 | anglespecial.exe | 30
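Two of the signatures above say the same thing about privilege: HKEY_USERS\.DEFAULT is the registry hive the LocalSystem account sees as HKEY_CURRENT_USER, and C:\Windows\SysWOW64\config\systemprofile is that account's profile directory, so anglespecial.exe was running as SYSTEM when it initialised WinINet. The Wpad keys, the cache prefixes and the two DefaultConnectionSettings blobs are what WinINet writes on its own during proxy auto-detection; the question a responder wants answered is whether the blob actually configures a proxy. The following is an added example in Python, not part of the report: it decodes the documented fixed header of DefaultConnectionSettings (version, change counter, flag bits from WinInet.h, then three length-prefixed strings for proxy server, bypass list and PAC URL) for the two values copied verbatim from the IoC list, and builds a contrasting value with a proxy set so the difference is visible. The bytes after the third string are WPAD auto-detect state that the example reports by length but does not decode.

```python
import struct

# Flag bits of the third DWORD, from WinInet.h (INTERNET_PER_CONN_FLAGS values).
PROXY_TYPE_DIRECT = 0x1
PROXY_TYPE_PROXY = 0x2
PROXY_TYPE_AUTO_PROXY_URL = 0x4
PROXY_TYPE_AUTO_DETECT = 0x8
FLAG_NAMES = [
    (PROXY_TYPE_DIRECT, "direct"),
    (PROXY_TYPE_PROXY, "proxy"),
    (PROXY_TYPE_AUTO_PROXY_URL, "auto_proxy_url"),
    (PROXY_TYPE_AUTO_DETECT, "auto_detect"),
]

# The two DefaultConnectionSettings values written by anglespecial.exe, copied
# verbatim from the registry IoCs in the report.
VALUE_COUNTER3 = "4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ee000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
VALUE_COUNTER2 = "4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"


def _read_string(buf, off):
    """Read a DWORD length followed by that many ANSI bytes; return (text, new offset)."""
    (length,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("string runs past the end of the value")
    return buf[off:off + length].decode("latin-1"), off + length


def parse_connection_settings(value_hex):
    """Decode the fixed header: version, counter, flags, proxy, bypass list, PAC URL.

    Everything after the third string is WPAD auto-detect state that this example
    leaves undecoded; its length is reported so nothing is silently ignored.
    """
    buf = bytes.fromhex("".join(value_hex.split()))
    if len(buf) < 24:
        raise ValueError("value too short for a DefaultConnectionSettings header")
    version, counter, flags = struct.unpack_from("<III", buf, 0)
    off = 12
    proxy_server, off = _read_string(buf, off)
    bypass_list, off = _read_string(buf, off)
    autoconfig_url, off = _read_string(buf, off)
    return {
        "version": version,
        "counter": counter,
        "flags": [name for bit, name in FLAG_NAMES if flags & bit],
        "proxy_server": proxy_server,
        "bypass_list": bypass_list,
        "autoconfig_url": autoconfig_url,
        # Either bit means traffic is steered somewhere a user did not pick by hand.
        "proxy_configured": bool(flags & (PROXY_TYPE_PROXY | PROXY_TYPE_AUTO_PROXY_URL)),
        "undecoded_tail_bytes": len(buf) - off,
    }


def build_connection_settings(flags, proxy_server="", bypass_list="", autoconfig_url="", counter=1):
    """Serialise a header in the same layout. Used here only to construct a contrasting
    value in which a proxy *is* set; the sample in the report did not do this."""
    out = struct.pack("<III", 0x46, counter, flags)
    for s in (proxy_server, bypass_list, autoconfig_url):
        raw = s.encode("latin-1")
        out += struct.pack("<I", len(raw)) + raw
    return out + b"\x00" * 32


if __name__ == "__main__":
    for name, value in (("counter 3", VALUE_COUNTER3), ("counter 2", VALUE_COUNTER2)):
        print(name, parse_connection_settings(value))
    hijacked = build_connection_settings(PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY, "127.0.0.1:8080", "<local>")
    print("constructed proxy value", parse_connection_settings(hijacked.hex()))
```

Both report values decode to flags direct + auto_detect with all three strings empty, i.e. no proxy was set; the counter going from 2 to 3 is just WinINet bumping the change counter. A value with the proxy or auto_proxy_url bit set, or a non-empty proxy string, under a hive the user never touches would be the thing worth escalating.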
Processes

C:\Users\Admin\AppData\Local\Temp\008009719177a77c02587f6bb3feddc1_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\008009719177a77c02587f6bb3feddc1_JaffaCakes118.exe"
  PID: 2188
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\008009719177a77c02587f6bb3feddc1_JaffaCakes118.exe
      command line: --e17daa7f
      PID: 2600
      - Suspicious behavior: RenamesItself
      - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\anglespecial.exe
  command line: "C:\Windows\SysWOW64\anglespecial.exe"
  PID: 2572
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\anglespecial.exe
      command line: --45752ef8
      PID: 2636
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
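The tree shows the same shape twice: a process starts a second copy of its own image whose only argument is "--" followed by eight hex digits (--e17daa7f under the user's Temp directory, --45752ef8 under C:\Windows\SysWOW64 as anglespecial.exe), and the WriteProcessMemory rows say the parent wrote into that child. Ordinary self-spawning programs (browsers, updaters) pass descriptive switches, not a bare token, which makes the pattern usable as a hunt. The following is an added example in Python, not part of the report: a check over Sysmon-style process-creation events that flags a child whose image matches its parent's and whose sole argument is such a token, and records whether the image lives in a Windows system directory. The four Emotet rows are modelled on the tree above (the parents of the two root processes are not shown in the report, so ppid 0 stands for "unknown"); the chrome.exe rows are a made-up benign self-spawn to show the check staying quiet.

```python
import re
import shlex

# An argument that is nothing but "--" and eight lowercase hex digits, as in the
# two child processes of the report's tree (--e17daa7f, --45752ef8).
ARG_TOKEN = re.compile(r"^--[0-9a-f]{8}$")
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")

TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\008009719177a77c02587f6bb3feddc1_JaffaCakes118.exe"
SYS_EXE = r"C:\Windows\SysWOW64\anglespecial.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed process-creation events (Sysmon event 1 reduced to the fields this
# check needs). The Emotet rows mirror the report's tree; ppid 0 means the parent
# is not shown in the report. The chrome.exe rows are a benign self-spawn for contrast.
EVENTS = [
    {"pid": 2188, "ppid": 0, "image": TEMP_EXE, "cmdline": f'"{TEMP_EXE}"'},
    {"pid": 2600, "ppid": 2188, "image": TEMP_EXE, "cmdline": "--e17daa7f"},
    {"pid": 2572, "ppid": 0, "image": SYS_EXE, "cmdline": f'"{SYS_EXE}"'},
    {"pid": 2636, "ppid": 2572, "image": SYS_EXE, "cmdline": "--45752ef8"},
    {"pid": 3100, "ppid": 0, "image": CHROME, "cmdline": f'"{CHROME}"'},
    {"pid": 3124, "ppid": 3100, "image": CHROME, "cmdline": f'"{CHROME}" --type=renderer --lang=en-US'},
]


def split_args(cmdline, image):
    """Return the arguments of a Windows command line, minus the program itself.

    Handles both forms seen in the wild: the full '"C:\\path\\x.exe" --arg' line, and
    a bare '--arg' line where the image was handed to CreateProcess separately
    (which is how the report displays the two Emotet children).
    """
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    basename = image.rsplit("\\", 1)[-1].lower()
    if tokens and tokens[0].lower().endswith(basename):
        tokens = tokens[1:]
    return tokens


def find_respawn_with_token(events):
    """Flag a child whose image equals its parent's image and whose only argument is
    an 8-hex-digit '--' token; note whether the image sits in a Windows system dir."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if parent is None or parent["image"].lower() != ev["image"].lower():
            continue
        args = split_args(ev["cmdline"], ev["image"])
        if len(args) == 1 and ARG_TOKEN.match(args[0]):
            hits.append({
                "pid": ev["pid"],
                "parent_pid": parent["pid"],
                "image": ev["image"],
                "token": args[0],
                "in_system_dir": ev["image"].lower().startswith(SYSTEM_DIRS),
            })
    return hits


if __name__ == "__main__":
    for hit in find_respawn_with_token(EVENTS):
        print(hit)
```

A hit with in_system_dir set, from an image name that is not part of the OS baseline, is the second stage of the chain shown above; the first-stage hit from a Temp directory is what you would expect to see minutes earlier on the same host.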