Analysis
max time kernel: 137s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-04-2024 15:17
Static task: static1
Behavioral task: behavioral1
Sample: 010e81c2b79d1c58215ae94412378df8_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 010e81c2b79d1c58215ae94412378df8_JaffaCakes118.exe
Size: 104KB
MD5: 010e81c2b79d1c58215ae94412378df8
SHA1: 10608b43019bed12b5592041c0e1dd57e6087b00
SHA256: e5f6bdd09497595c48598842d93864c82be108ef96134a84a03ed7a4c749de8e
SHA512: 478df296282f48402309367d67d6884b1fd1d5edff043afdb7a784c96ea2a43584ca5aa00de943e85a89ede5dc039452a08711df56523293145e1da458ab1088
SSDEEP: 3072:iNOlUI7W7YdweSGXAhg5domGX9LpV049iBVBJ53Mj:AwUIywwev5ddGNVe49M7Lm
Malware Config
Extracted: emotet, Epoch3
Signatures
yara_rule matches (rule: emotet):
  behavioral2/memory/2912-0-0x00000000023A0000-0x00000000023B2000-memory.dmp
  behavioral2/memory/2912-4-0x00000000023C0000-0x00000000023D0000-memory.dmp
  behavioral2/memory/2912-7-0x0000000000AF0000-0x0000000000AFF000-memory.dmp
  behavioral2/memory/3968-14-0x0000000002710000-0x0000000002720000-memory.dmp
  behavioral2/memory/3968-10-0x0000000002160000-0x0000000002172000-memory.dmp
Executes dropped EXE (1 IoC): pid 3968, racpldlg.exe
Drops file in System32 directory (1 IoC): file opened for modification C:\Windows\SysWOW64\msvcrt\racpldlg.exe by 010e81c2b79d1c58215ae94412378df8_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC): pid 5008, pid_target 2912, process WerFault.exe, procid_target 82
Suspicious behavior: EnumeratesProcesses (14 IoCs): pid 3968, racpldlg.exe (14 occurrences)
Suspicious behavior: RenamesItself (1 IoC): pid 2912, 010e81c2b79d1c58215ae94412378df8_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (4 IoCs): pid 2912, 010e81c2b79d1c58215ae94412378df8_JaffaCakes118.exe (2 occurrences); pid 3968, racpldlg.exe (2 occurrences)
Suspicious use of WriteProcessMemory (3 IoCs): PID 2912 wrote to memory of 3968, process 010e81c2b79d1c58215ae94412378df8_JaffaCakes118.exe, procid_target 86 (3 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\010e81c2b79d1c58215ae94412378df8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\010e81c2b79d1c58215ae94412378df8_JaffaCakes118.exe"
  PID: 2912
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\msvcrt\racpldlg.exe
    Command line: "C:\Windows\SysWOW64\msvcrt\racpldlg.exe"
    PID: 3968
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 992
    PID: 5008
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2912 -ip 2912
  PID: 2684
Network
MITRE ATT&CK Enterprise v15