Analysis

max time kernel: 136s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-04-2024 12:39
Static task: static1
Behavioral task: behavioral1
Sample: 00ca5c12fb71d48535adda7d372fd7a2_JaffaCakes118.exe
Resource: win7-20240419-en
General

Target: 00ca5c12fb71d48535adda7d372fd7a2_JaffaCakes118.exe
Size: 140KB
MD5: 00ca5c12fb71d48535adda7d372fd7a2
SHA1: 7b863a136143365847eb68ecbf88d133fc187096
SHA256: f8a55eb897f115038dc538653eaec7582b189547736631fd4dcf82a507b29264
SHA512: f8b9ef4b728685e5b3c19b892a4e75c3e00c5955636c6009194dc7e00978ebb004d87f3215672ad18ccb1edbb9150dda5a558d073a64ddb548909a2da46ccb4f
SSDEEP: 1536:r+NPMRmYB4Vvtn3KP4+tZ3vzTPoHghXV1VCGNvWqYSPZBweW3b1fn6E9mGz4Tk33:iNGuv35+t1cq8uhBwPblxos4Tkl/Ag
Malware Config (extracted)

Family: emotet
Botnet: Epoch3
C2 addresses (ip:port):
49.243.9.118:80
162.241.41.111:7080
190.85.46.52:7080
162.144.42.60:8080
157.245.138.101:7080
103.133.66.57:443
167.71.227.113:8080
80.200.62.81:20
78.186.65.230:80
185.142.236.163:443
78.114.175.216:80
202.166.170.43:80
37.205.9.252:7080
118.243.83.70:80
116.202.10.123:8080
223.135.30.189:80
120.51.34.254:80
139.59.61.215:443
8.4.9.137:8080
202.153.220.157:80
179.5.118.12:80
75.127.14.170:8080
45.177.120.37:8080
41.185.29.128:8080
79.133.6.236:8080
192.241.220.183:8080
203.153.216.178:7080
115.176.16.221:80
113.161.148.81:80
178.33.167.120:8080
183.77.227.38:80
46.105.131.68:8080
181.95.133.104:80
93.20.157.143:80
172.105.78.244:8080
139.59.12.63:8080
190.192.39.136:80
41.212.89.128:80
27.73.70.219:8080
109.206.139.119:80
192.163.221.191:8080
113.160.248.110:80
182.227.240.189:443
185.208.226.142:8080
126.126.139.26:443
185.80.172.199:80
103.229.73.17:8080
5.79.70.250:8080
95.216.205.155:8080
190.194.12.132:80
37.46.129.215:8080
51.38.201.19:7080
195.201.56.70:8080
175.103.38.146:80
73.55.128.120:80
74.208.173.91:8080
189.150.209.206:80
91.83.93.103:443
86.57.216.23:80
36.91.44.183:80
181.80.129.181:80
50.116.78.109:8080
14.241.182.160:80
60.125.114.64:443
113.156.82.32:80
190.191.171.72:80
67.121.104.51:20
111.89.241.139:80
220.106.127.191:443
46.32.229.152:8080
115.79.59.157:80
58.27.215.3:8080
192.210.217.94:8080
118.33.121.37:80
169.1.211.133:80
54.38.143.245:8080
198.57.203.63:8080
138.201.45.2:8080
172.96.190.154:8080
143.95.101.72:8080
45.239.204.100:80
103.93.220.182:80
185.86.148.68:443
119.92.77.17:80
186.20.52.237:80
115.79.195.246:80
223.17.215.76:80
77.74.78.80:443
113.203.238.130:80
220.147.247.145:80
153.229.219.1:443
187.189.66.200:8080
103.80.51.61:8080
27.7.14.122:80
200.116.93.61:80
182.253.83.234:7080
91.75.75.46:80
128.106.187.110:80
113.193.239.51:443
180.148.4.130:8080
157.7.164.178:8081
88.247.58.26:80
37.187.100.220:7080
Signatures

YARA rule matches in memory dumps
resource | yara_rule
behavioral2/memory/1632-0-0x0000000000670000-0x0000000000682000-memory.dmp | emotet
behavioral2/memory/1632-4-0x0000000000A10000-0x0000000000A20000-memory.dmp | emotet
behavioral2/memory/1632-7-0x0000000000550000-0x000000000055F000-memory.dmp | emotet
behavioral2/memory/5052-14-0x0000000000450000-0x0000000000460000-memory.dmp | emotet
behavioral2/memory/5052-10-0x00000000004F0000-0x0000000000502000-memory.dmp | emotet

Executes dropped EXE (1 IoC)
pid | Process
5052 | NtlmShared.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\KBDLT\NtlmShared.exe | 00ca5c12fb71d48535adda7d372fd7a2_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | Process
5052 | NtlmShared.exe (the same entry is recorded 14 times)

Suspicious behavior: RenamesItself (1 IoC)
pid | Process
1632 | 00ca5c12fb71d48535adda7d372fd7a2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1632 wrote to memory of 5052 | 1632 | 00ca5c12fb71d48535adda7d372fd7a2_JaffaCakes118.exe | 83
(the same entry is recorded 3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\00ca5c12fb71d48535adda7d372fd7a2_JaffaCakes118.exe (PID 1632)
   Command line: "C:\Users\Admin\AppData\Local\Temp\00ca5c12fb71d48535adda7d372fd7a2_JaffaCakes118.exe"
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\KBDLT\NtlmShared.exe (PID 5052), child of PID 1632
      Command line: "C:\Windows\SysWOW64\KBDLT\NtlmShared.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 140KB
MD5: 00ca5c12fb71d48535adda7d372fd7a2
SHA1: 7b863a136143365847eb68ecbf88d133fc187096
SHA256: f8a55eb897f115038dc538653eaec7582b189547736631fd4dcf82a507b29264
SHA512: f8b9ef4b728685e5b3c19b892a4e75c3e00c5955636c6009194dc7e00978ebb004d87f3215672ad18ccb1edbb9150dda5a558d073a64ddb548909a2da46ccb4f