Analysis Overview
SHA256
308d767f5cc0c83e4bdf1d286d6ffdcac5889ee56d4d91fb01908b163ded2b16
Threat Level: Known bad
The file 01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Emotet
Emotet payload
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-26 17:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-26 17:56
Reported
2024-04-26 17:59
Platform
win7-20240221-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Emotet
Emotet payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| JP | 49.243.9.118:80 | | tcp |
| JP | 49.243.9.118:80 | | tcp |
| US | 162.241.41.111:7080 | | tcp |
| US | 162.241.41.111:7080 | | tcp |
| CO | 190.85.46.52:7080 | | tcp |
| CO | 190.85.46.52:7080 | | tcp |
| US | 162.144.42.60:8080 | | tcp |
Files
memory/1708-7-0x0000000000220000-0x000000000022F000-memory.dmp
memory/1708-4-0x0000000000260000-0x0000000000270000-memory.dmp
memory/1708-0-0x0000000000230000-0x0000000000242000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-26 17:56
Reported
2024-04-26 17:59
Platform
win10v2004-20240419-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Emotet
Emotet payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RegCtrl\iexpress.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1492 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe | C:\Windows\SysWOW64\RegCtrl\iexpress.exe |
| PID 1492 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe | C:\Windows\SysWOW64\RegCtrl\iexpress.exe |
| PID 1492 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe | C:\Windows\SysWOW64\RegCtrl\iexpress.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe"
C:\Windows\SysWOW64\RegCtrl\iexpress.exe
"C:\Windows\SysWOW64\RegCtrl\iexpress.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| JP | 49.243.9.118:80 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 162.241.41.111:7080 | | tcp |
| CO | 190.85.46.52:7080 | | tcp |
| US | 162.144.42.60:8080 | | tcp |
| US | 157.245.138.101:7080 | | tcp |
| IN | 103.133.66.57:443 | | tcp |
Files
memory/1492-0-0x0000000000660000-0x0000000000672000-memory.dmp
memory/1492-4-0x0000000000680000-0x0000000000690000-memory.dmp
memory/1492-7-0x0000000000640000-0x000000000064F000-memory.dmp
C:\Windows\SysWOW64\RegCtrl\iexpress.exe
| Hash | Value |
|---|---|
| MD5 | 01564c2faeacef4115a7eb8ba57262c3 |
| SHA1 | 7e111947e90eb0cb5efe018ae88ce26b84cdf462 |
| SHA256 | 308d767f5cc0c83e4bdf1d286d6ffdcac5889ee56d4d91fb01908b163ded2b16 |
| SHA512 | 97fc8b98e675f22ed5b307da26761af0ae929d89876d39512cb57b7d6ca3b5c5e903d701d0af69b742bcdf313cdf35436610a051a4c6a50367104df808e4537c |
memory/1492-9-0x0000000000400000-0x0000000000489000-memory.dmp
memory/2664-14-0x00000000022B0000-0x00000000022C0000-memory.dmp
memory/2664-10-0x0000000002290000-0x00000000022A2000-memory.dmp