Analysis
max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted
26-04-2024 17:56
Static task
static1
Behavioral task
behavioral1
Sample
01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe
Resource
win7-20240221-en
General
Target
01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe
Size
532KB
MD5
01564c2faeacef4115a7eb8ba57262c3
SHA1
7e111947e90eb0cb5efe018ae88ce26b84cdf462
SHA256
308d767f5cc0c83e4bdf1d286d6ffdcac5889ee56d4d91fb01908b163ded2b16
SHA512
97fc8b98e675f22ed5b307da26761af0ae929d89876d39512cb57b7d6ca3b5c5e903d701d0af69b742bcdf313cdf35436610a051a4c6a50367104df808e4537c
SSDEEP
12288:CUTTrtjvWxsrRlU3epCARYBq5mks/cuie:nhoLepC0Mcui
Malware Config
Extracted
emotet
Epoch3
49.243.9.118:80
162.241.41.111:7080
190.85.46.52:7080
162.144.42.60:8080
157.245.138.101:7080
103.133.66.57:443
167.71.227.113:8080
80.200.62.81:20
78.186.65.230:80
185.142.236.163:443
78.114.175.216:80
202.166.170.43:80
37.205.9.252:7080
118.243.83.70:80
116.202.10.123:8080
223.135.30.189:80
120.51.34.254:80
139.59.61.215:443
8.4.9.137:8080
202.153.220.157:80
179.5.118.12:80
75.127.14.170:8080
45.177.120.37:8080
41.185.29.128:8080
79.133.6.236:8080
192.241.220.183:8080
203.153.216.178:7080
115.176.16.221:80
113.161.148.81:80
178.33.167.120:8080
183.77.227.38:80
46.105.131.68:8080
181.95.133.104:80
93.20.157.143:80
172.105.78.244:8080
139.59.12.63:8080
190.192.39.136:80
41.212.89.128:80
27.73.70.219:8080
109.206.139.119:80
192.163.221.191:8080
113.160.248.110:80
182.227.240.189:443
185.208.226.142:8080
126.126.139.26:443
185.80.172.199:80
103.229.73.17:8080
5.79.70.250:8080
95.216.205.155:8080
190.194.12.132:80
37.46.129.215:8080
51.38.201.19:7080
195.201.56.70:8080
175.103.38.146:80
73.55.128.120:80
74.208.173.91:8080
189.150.209.206:80
91.83.93.103:443
86.57.216.23:80
36.91.44.183:80
181.80.129.181:80
50.116.78.109:8080
14.241.182.160:80
60.125.114.64:443
113.156.82.32:80
190.191.171.72:80
67.121.104.51:20
111.89.241.139:80
220.106.127.191:443
46.32.229.152:8080
115.79.59.157:80
58.27.215.3:8080
192.210.217.94:8080
118.33.121.37:80
169.1.211.133:80
54.38.143.245:8080
198.57.203.63:8080
138.201.45.2:8080
172.96.190.154:8080
143.95.101.72:8080
45.239.204.100:80
103.93.220.182:80
185.86.148.68:443
119.92.77.17:80
186.20.52.237:80
115.79.195.246:80
223.17.215.76:80
77.74.78.80:443
113.203.238.130:80
220.147.247.145:80
153.229.219.1:443
187.189.66.200:8080
103.80.51.61:8080
27.7.14.122:80
200.116.93.61:80
182.253.83.234:7080
91.75.75.46:80
128.106.187.110:80
113.193.239.51:443
180.148.4.130:8080
157.7.164.178:8081
88.247.58.26:80
37.187.100.220:7080
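The extracted C2 list above is only useful once it is normalised and fed into something that can alert on it. The following is an added example written for this page; it is not part of the sandbox report or of any Emotet tooling. It parses a subset of the Epoch3 entries copied from the config above, rejects anything that is not a public IPv4 host:port, deduplicates, and emits one Suricata rule per endpoint. The entries on port 20 and port 8081 in the report are a reminder to match on the ip+port pair rather than on a port class. The two malformed lines and the private address in the sample input are constructed to exercise the rejection path; the SID base, rule message and classtype are assumptions you would adapt to your own ruleset.

```python
"""Normalise an extracted Emotet C2 list and emit Suricata rules for it."""
import ipaddress
from collections import defaultdict

# Constructed input: a subset of the Epoch3 entries from the report above, plus
# a duplicate, an invalid address, a private address and a junk line to show
# what the validation rejects.
C2_TEXT = """\
49.243.9.118:80
162.241.41.111:7080
190.85.46.52:7080
162.144.42.60:8080
157.245.138.101:7080
103.133.66.57:443
80.200.62.81:20
157.7.164.178:8081
49.243.9.118:80
999.1.1.1:80
10.0.0.5:8080
not-an-entry
"""


def parse_c2_list(text):
    """Return (valid, rejected).

    valid: de-duplicated list of (ip, port) tuples in first-seen order.
    rejected: raw lines that are not a public IPv4 host:port.
    """
    valid, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port_s = line.rpartition(":")
        if not sep or not port_s.isdigit():
            rejected.append(line)
            continue
        port = int(port_s)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            rejected.append(line)
            continue
        # Emotet configs carry public IPv4 peers; private or reserved space
        # almost always means the extractor mis-parsed something.
        if ip.version != 4 or not ip.is_global or not 1 <= port <= 65535:
            rejected.append(line)
            continue
        key = (str(ip), port)
        if key in seen:
            continue
        seen.add(key)
        valid.append(key)
    return valid, rejected


def ports_histogram(entries):
    """Count endpoints per port; useful for spotting odd ports (20, 8081) that a
    port-based allowlist would otherwise hide."""
    counts = defaultdict(int)
    for _, port in entries:
        counts[port] += 1
    return dict(counts)


def suricata_rules(entries, sid_base=9000000, label="Emotet Epoch3"):
    """One rule per C2 endpoint. SIDs must be unique across the deployment, so
    the base is a parameter rather than a constant (assumed value)."""
    rules = []
    for i, (ip, port) in enumerate(entries):
        rules.append(
            f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"{label} C2 {ip}:{port}"; flow:to_server; '
            f"classtype:trojan-activity; sid:{sid_base + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    ok, bad = parse_c2_list(C2_TEXT)
    print(f"{len(ok)} endpoints kept, {len(bad)} rejected: {bad}")
    print(ports_histogram(ok))
    print("\n".join(suricata_rules(ok)))
```

Running the block on the constructed input keeps eight endpoints and rejects the invalid, private and junk lines; the duplicate is silently folded. Feed the full list from the report in the same shape to get a rule per entry.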
Signatures

yara_rule emotet matched the following resources:
behavioral2/memory/1492-0-0x0000000000660000-0x0000000000672000-memory.dmp
behavioral2/memory/1492-4-0x0000000000680000-0x0000000000690000-memory.dmp
behavioral2/memory/1492-7-0x0000000000640000-0x000000000064F000-memory.dmp
behavioral2/memory/2664-14-0x00000000022B0000-0x00000000022C0000-memory.dmp
behavioral2/memory/2664-10-0x0000000002290000-0x00000000022A2000-memory.dmp

Executes dropped EXE 1 IoCs
pid 2664, process iexpress.exe

Drops file in System32 directory 1 IoCs
description: File opened for modification
ioc: C:\Windows\SysWOW64\RegCtrl\iexpress.exe
process: 01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 14 IoCs
pid 2664, process iexpress.exe (14 occurrences)

Suspicious behavior: RenamesItself 1 IoCs
pid 1492, process 01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid 1492, process 01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe
pid 2664, process iexpress.exe

Suspicious use of WriteProcessMemory 3 IoCs
description: PID 1492 wrote to memory of 2664 (3 occurrences)
pid 1492, process 01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe, procid_target 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe"
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1492
   2. C:\Windows\SysWOW64\RegCtrl\iexpress.exe
      command line: "C:\Windows\SysWOW64\RegCtrl\iexpress.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 2664
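The process tree shows the pattern worth hunting for on endpoints: a binary running from the user's Temp directory (PID 1492) writes a copy of itself into a newly created subdirectory of SysWOW64 (RegCtrl\iexpress.exe, reusing the name of a legitimate Windows tool that normally sits directly in System32 or SysWOW64, not in a subfolder) and then launches it (PID 2664). The following is an added example written for this page, not part of the report or of any vendor product. It runs that logic over constructed Sysmon-like file-create and process-create events; the field names, the two benign control events and the list of user-writable locations are assumptions.

```python
"""Flag executables dropped into a System32/SysWOW64 subdirectory by a process
running from a user-writable location, and the subsequent launch of that copy."""
import re

# Constructed events in a Sysmon-like shape (not real logs). The first two mirror
# the report's process tree; the last two are benign controls.
EVENTS = [
    {"type": "file_create", "pid": 1492,
     "image": r"C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe",
     "target": r"C:\Windows\SysWOW64\RegCtrl\iexpress.exe"},
    {"type": "process_create", "pid": 2664, "parent_pid": 1492,
     "image": r"C:\Windows\SysWOW64\RegCtrl\iexpress.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe"},
    # Benign: the real iexpress.exe started from its normal location by explorer.
    {"type": "process_create", "pid": 4100, "parent_pid": 900,
     "image": r"C:\Windows\SysWOW64\iexpress.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Benign: an installer writing into a vendor directory, not under Windows.
    {"type": "file_create", "pid": 5000,
     "image": r"C:\Users\Admin\Downloads\setup.exe",
     "target": r"C:\Program Files\Vendor\app.exe"},
]

# Directories whose *subfolders* rarely receive new executables outside of
# servicing; a file directly inside them is the normal case and is not flagged.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# User-writable locations a dropper typically runs from (assumed list; extend
# with ProgramData, Public, etc. for your environment).
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata\\local\\temp|downloads)\\", re.I)


def in_system_subdir(path):
    """True if path is an .exe inside a subdirectory of System32/SysWOW64."""
    p = path.lower()
    if not p.endswith(".exe"):
        return False
    for d in SYSTEM_DIRS:
        if p.startswith(d):
            return "\\" in p[len(d):]
    return False


def flag_events(events):
    """Return (rule, pid, path) tuples for events matching the two stages."""
    hits = []
    for e in events:
        if (e["type"] == "file_create"
                and in_system_subdir(e["target"])
                and USER_WRITABLE.match(e["image"])):
            hits.append(("exe_dropped_in_system_subdir", e["pid"], e["target"]))
        if (e["type"] == "process_create"
                and in_system_subdir(e["image"])
                and USER_WRITABLE.match(e["parent_image"])):
            hits.append(("system_subdir_exe_spawned_from_user_dir",
                         e["pid"], e["image"]))
    return hits


if __name__ == "__main__":
    for hit in flag_events(EVENTS):
        print(hit)
```

Both stages fire on the report's pair of events and neither fires on the controls. Requiring the parent to come from a user-writable path is what keeps the real iexpress.exe, and Windows servicing writing under System32, out of the results; tune the allowlist before deploying.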
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
532KB
MD5
01564c2faeacef4115a7eb8ba57262c3
SHA1
7e111947e90eb0cb5efe018ae88ce26b84cdf462
SHA256
308d767f5cc0c83e4bdf1d286d6ffdcac5889ee56d4d91fb01908b163ded2b16
SHA512
97fc8b98e675f22ed5b307da26761af0ae929d89876d39512cb57b7d6ca3b5c5e903d701d0af69b742bcdf313cdf35436610a051a4c6a50367104df808e4537c