Analysis
max time kernel: 139s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-04-2024 18:34

Static task: static1
Behavioral task: behavioral1
  Sample: 0166b94d550cef44cd2cf01699716927_JaffaCakes118.exe
  Resource: win7-20240221-en
General
Target: 0166b94d550cef44cd2cf01699716927_JaffaCakes118.exe
Size: 104KB
MD5: 0166b94d550cef44cd2cf01699716927
SHA1: 1420b54a705074ffb3d5f91aa4a06bbcbc3bc307
SHA256: 011388a47db360ac0943aac87c6e53d1a8f74798e446b72ad777f0211c6b06a9
SHA512: 58657475f68abb926017dfb4b06de212b778595519c418133f8efb18b0c839e38f837ab297c2c90c8ede0c813881c8da612ac652c6e2178d04f6dcad66dc929c
SSDEEP: 3072:iNOlUI7W7YGweSGXAhg5domGX9LpV049iBVBJ53Mj:AwUIynwev5ddGNVe49M7Lm
Malware Config
Extracted
Family: emotet
Botnet: Epoch3
C2 (ip:port):
115.176.16.221:80
45.79.16.230:7080
145.239.169.32:7080
190.85.46.52:7080
180.26.62.115:443
179.5.118.12:80
189.160.188.97:80
5.79.70.250:8080
126.126.139.26:443
41.84.243.145:80
79.133.6.236:8080
139.59.12.63:8080
95.216.205.155:8080
45.177.120.37:8080
54.38.143.245:8080
157.7.164.178:8081
41.212.89.128:80
50.116.78.109:8080
75.127.14.170:8080
49.243.9.118:80
60.125.114.64:443
181.95.133.104:80
192.210.217.94:8080
103.229.73.17:8080
78.114.175.216:80
185.86.148.68:443
200.120.241.238:80
37.205.9.252:7080
178.33.167.120:8080
143.95.101.72:8080
103.48.68.173:80
46.32.229.152:8080
172.105.78.244:8080
120.51.34.254:80
192.163.221.191:8080
223.133.20.171:80
172.96.190.154:8080
113.156.82.32:80
51.38.201.19:7080
119.92.77.17:80
103.80.51.61:8080
115.79.195.246:80
198.57.203.63:8080
181.122.154.240:80
37.210.220.95:80
91.83.93.103:443
41.185.29.128:8080
190.190.15.20:80
37.187.100.220:7080
46.105.131.68:8080
58.27.215.3:8080
128.106.187.110:80
220.147.247.145:80
190.101.48.116:80
185.208.226.142:8080
202.166.170.43:80
115.78.11.155:80
192.241.220.183:8080
36.91.44.183:80
8.4.9.137:8080
182.227.240.189:443
190.194.12.132:80
202.188.218.82:80
221.184.46.216:80
2.144.244.204:80
103.133.66.57:443
203.153.216.178:7080
182.253.83.234:7080
88.247.58.26:80
76.18.16.210:80
223.17.215.76:80
138.201.45.2:8080
185.142.236.163:443
67.121.104.51:20
162.144.42.60:8080
113.161.148.81:80
167.71.227.113:8080
195.201.56.70:8080
74.208.173.91:8080
77.74.78.80:443
157.245.138.101:7080
113.160.248.110:80
189.150.209.206:80
37.46.129.215:8080
181.137.229.1:80
116.202.10.123:8080
187.189.66.200:8080
91.75.75.46:80
80.200.62.81:20
117.247.235.44:80
202.153.220.157:80
113.193.239.51:443
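The extracted config above is the part of this report most worth operationalising, and it is also where a practitioner needs two caveats: Epoch3 belongs to the Emotet infrastructure dismantled in January 2021, so these addresses are historical indicators rather than live C2, and Emotet's first-tier nodes were commonly compromised third-party hosts, so a blanket IP block can hit a legitimate server. The following Python is an added example, not part of the report or of any Triage tooling: it parses the "ip:port" list exactly as printed here, matches it against constructed firewall-style log lines (the log lines and the subset of addresses embedded in CONFIG_TEXT are made up for the demo; paste the full list from the report for real use), and emits one Suricata rule per entry. The exact-port versus IP-only switch is there because matching on the pair is precise but misses a host whose port rotated.

```python
import re

# Subset of the Emotet Epoch3 C2 list extracted above (the first few entries
# plus the two unusual port-20 ones); paste the complete list into CONFIG_TEXT
# for real use. One "ip:port" per line, as the report prints it.
CONFIG_TEXT = """
115.176.16.221:80
45.79.16.230:7080
145.239.169.32:7080
190.85.46.52:7080
180.26.62.115:443
67.121.104.51:20
80.200.62.81:20
"""

ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_c2_config(text):
    """Return a set of (ip, port) tuples; lines that are not ip:port are skipped."""
    c2 = set()
    for line in text.splitlines():
        m = ADDR_RE.match(line.strip())
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        # Reject octets above 255 and ports outside 1..65535.
        if all(int(o) <= 255 for o in ip.split(".")) and 0 < port < 65536:
            c2.add((ip, port))
    return c2


def to_suricata_rules(c2, sid_start=9100000, msg="Emotet Epoch3 C2"):
    """One IP/port-specific alert rule per C2 entry (tcp, outbound from $HOME_NET).
    sid_start is an arbitrary local-rule range; pick one free in your ruleset."""
    rules = []
    for i, (ip, port) in enumerate(sorted(c2)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"{msg} {ip}:{port}"; sid:{sid_start + i}; rev:1;)')
    return rules


# Constructed firewall log lines in key=value form (not from the report).
SAMPLE_LOG = """
ts=2024-04-26T18:35:01Z src=10.0.0.15 dst=45.79.16.230 dport=7080 proto=tcp action=allow
ts=2024-04-26T18:35:02Z src=10.0.0.15 dst=45.79.16.230 dport=443 proto=tcp action=allow
ts=2024-04-26T18:35:05Z src=10.0.0.22 dst=67.121.104.51 dport=20 proto=tcp action=allow
ts=2024-04-26T18:35:09Z src=10.0.0.15 dst=8.8.8.8 dport=53 proto=udp action=allow
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def match_log(log_text, c2, exact_port=True):
    """Return (src, dst, dport) for each line whose destination is a C2 entry.
    exact_port=True requires the ip:port pair from the config; False matches
    the IP on any port, which is noisier but survives a port rotation."""
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for line in log_text.splitlines():
        f = dict(FIELD_RE.findall(line))
        if "dst" not in f or "dport" not in f:
            continue
        dst, dport = f["dst"], int(f["dport"])
        if (dst, dport) in c2 or (not exact_port and dst in c2_ips):
            hits.append((f.get("src"), dst, dport))
    return hits


if __name__ == "__main__":
    c2 = parse_c2_config(CONFIG_TEXT)
    for hit in match_log(SAMPLE_LOG, c2):
        print("C2 contact:", hit)
    print("\n".join(to_suricata_rules(c2)))
```

Run against the constructed log, the exact-port match flags the 45.79.16.230:7080 and 67.121.104.51:20 connections and ignores the 443 connection to the same host; with exact_port=False that third line is flagged too. The two port-20 entries (FTP-data) are worth a second look in any real dataset, since outbound TCP/20 is rare on a workstation.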
Signatures

resource yara_rule (emotet): 5 memory-region hits
  behavioral2/memory/3284-0-0x0000000000AF0000-0x0000000000B02000-memory.dmp
  behavioral2/memory/3284-4-0x00000000023C0000-0x00000000023D0000-memory.dmp
  behavioral2/memory/3284-7-0x0000000000AE0000-0x0000000000AEF000-memory.dmp
  behavioral2/memory/400-10-0x00000000026F0000-0x0000000002702000-memory.dmp
  behavioral2/memory/400-14-0x0000000002710000-0x0000000002720000-memory.dmp

Executes dropped EXE (1 IoC)
  PID 400  PSModuleDiscoveryProvider.exe

Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\msrd2x40\PSModuleDiscoveryProvider.exe
  Process: 0166b94d550cef44cd2cf01699716927_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 400  PSModuleDiscoveryProvider.exe (all 14 entries)

Suspicious behavior: RenamesItself (1 IoC)
  PID 3284  0166b94d550cef44cd2cf01699716927_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 3284  0166b94d550cef44cd2cf01699716927_JaffaCakes118.exe (2 entries)
  PID 400   PSModuleDiscoveryProvider.exe (2 entries)

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3284 (0166b94d550cef44cd2cf01699716927_JaffaCakes118.exe) wrote to memory of PID 400, procid_target 86 (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\0166b94d550cef44cd2cf01699716927_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0166b94d550cef44cd2cf01699716927_JaffaCakes118.exe"
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3284

   2. C:\Windows\SysWOW64\msrd2x40\PSModuleDiscoveryProvider.exe
      Command line: "C:\Windows\SysWOW64\msrd2x40\PSModuleDiscoveryProvider.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 400
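The process tree and the "Drops file in System32 directory", "Executes dropped EXE" and "WriteProcessMemory" signatures together describe one chain: the sample in %TEMP% (PID 3284) writes a copy under a freshly named SysWOW64 subdirectory with an innocuous file name, then launches that copy (PID 400) and interacts with its memory. The path alone is a weak signal, because legitimate binaries also live one level below System32 (C:\Windows\System32\wbem\WMIC.exe, for instance); the strong signal is the correlation: a process running from a user-writable location writes the file, and is then the parent of the process created from it. The Python below is an added example, not code from the report or from any EDR product. It evaluates that correlation over a constructed event list (Sysmon-like FileCreate and ProcessCreate records with made-up timestamps; the paths and PIDs mirror this report's tree). The write into SysWOW64 succeeded here because the sandbox user is Admin; the same logic can be keyed on other drop locations by changing SYSDIR_SUBDIR_EXE.

```python
import re
from datetime import datetime, timedelta

# Executables one directory below System32/SysWOW64, e.g.
# C:\Windows\SysWOW64\msrd2x40\PSModuleDiscoveryProvider.exe from the report.
# Legitimate binaries also sit there (C:\Windows\System32\wbem\WMIC.exe), so
# this pattern is only meaningful when correlated with who wrote the file.
SYSDIR_SUBDIR_EXE = re.compile(
    r"^c:\\windows\\(?:system32|syswow64)\\[^\\]+\\[^\\]+\.exe$", re.I)

# Locations an unprivileged user can write to; the sample ran from %TEMP%.
USER_WRITABLE = re.compile(
    r"^c:\\(?:users\\[^\\]+\\appdata\\|users\\public\\|programdata\\)", re.I)


def is_system_subdir_exe(path):
    return bool(SYSDIR_SUBDIR_EXE.match(path))


def is_user_writable(path):
    return bool(USER_WRITABLE.match(path))


def find_drop_and_execute(events, window=timedelta(seconds=120)):
    """Correlate a file write into a System32/SysWOW64 subdirectory by a
    process running from a user-writable path with a later ProcessCreate of
    that same file whose parent is the writer. Returns one alert per match."""
    drops = {}    # lower-cased dropped path -> (ts, writer image, writer pid)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if (ev["event"] == "FileCreate"
                and is_system_subdir_exe(ev["target"])
                and is_user_writable(ev["image"])):
            drops[ev["target"].lower()] = (ev["ts"], ev["image"], ev["pid"])
        elif ev["event"] == "ProcessCreate":
            hit = drops.get(ev["image"].lower())
            if hit and ev["parent_pid"] == hit[2] and ev["ts"] - hit[0] <= window:
                alerts.append({
                    "parent_pid": hit[2], "parent_image": hit[1],
                    "child_pid": ev["pid"], "child_image": ev["image"],
                    "delay_s": (ev["ts"] - hit[0]).total_seconds(),
                })
    return alerts


def _t(s):
    return datetime.fromisoformat(s)


# Constructed events: timestamps and the benign control row are made up; the
# paths and PIDs mirror the report's process tree. Field names follow Sysmon's
# FileCreate (event 11) and ProcessCreate (event 1) loosely.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0166b94d550cef44cd2cf01699716927_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\msrd2x40\PSModuleDiscoveryProvider.exe"

EVENTS = [
    {"event": "ProcessCreate", "ts": _t("2024-04-26T18:34:40"), "pid": 3284,
     "parent_pid": 1200, "image": SAMPLE},
    {"event": "FileCreate", "ts": _t("2024-04-26T18:34:41"), "pid": 3284,
     "image": SAMPLE, "target": DROPPED},
    {"event": "ProcessCreate", "ts": _t("2024-04-26T18:34:42"), "pid": 400,
     "parent_pid": 3284, "image": DROPPED},
    # Benign control: WMIC lives one level below System32, but no process in a
    # user-writable path wrote it, so it must not alert.
    {"event": "ProcessCreate", "ts": _t("2024-04-26T18:35:00"), "pid": 5120,
     "parent_pid": 1200, "image": r"C:\Windows\System32\wbem\WMIC.exe"},
]


if __name__ == "__main__":
    for a in find_drop_and_execute(EVENTS):
        print(f"drop-and-execute: pid {a['parent_pid']} wrote and launched "
              f"{a['child_image']} as pid {a['child_pid']} after {a['delay_s']:.0f}s")
```

On the constructed events this yields exactly one alert, for 3284 launching PID 400 from the dropped path, and stays silent on the WMIC control. The time window is the main tuning knob: the report shows the launch following the write almost immediately, and a short window keeps the rule from pairing an old installer write with an unrelated later execution.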
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 104KB
MD5: 0166b94d550cef44cd2cf01699716927
SHA1: 1420b54a705074ffb3d5f91aa4a06bbcbc3bc307
SHA256: 011388a47db360ac0943aac87c6e53d1a8f74798e446b72ad777f0211c6b06a9
SHA512: 58657475f68abb926017dfb4b06de212b778595519c418133f8efb18b0c839e38f837ab297c2c90c8ede0c813881c8da612ac652c6e2178d04f6dcad66dc929c