Analysis

  • max time kernel
    137s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-05-2024 04:26

General

  • Target

    0faa84229bf79a4352164168fc0a7bbf_JaffaCakes118.exe

  • Size

    72KB

  • MD5

    0faa84229bf79a4352164168fc0a7bbf

  • SHA1

    e340ff185628ceafc9ff5eef67c50fd0b989f520

  • SHA256

    35c6a0be14c8174a5a411aed7efa51b6db2490b0b47e32cc765f0b6088508803

  • SHA512

    acd76874ab694c89cc09874a1c2abdc79f3a963e003c7df126ae8f7a8f95e5f17e04ea52d12728f5aa43c3feb44b04104ec4e7c00502ce4b2616db0020f17fce

  • SSDEEP

    1536:GAOKQywB8X2OSmSGQqR6XYj0G6pzboBlpAvaLO:GZKyBE2OSCQlG6pAlAaa

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

185.215.227.107:443

51.38.124.206:80

38.88.126.202:8080

54.37.42.48:8080

172.104.169.32:8080

68.183.190.199:8080

187.162.248.237:80

82.76.111.249:443

184.66.18.83:80

190.6.193.152:8080

77.238.212.227:80

199.203.62.165:80

188.2.217.94:80

185.94.252.12:80

178.250.54.208:8080

206.15.68.237:443

65.36.62.20:80

216.47.196.104:80

219.92.8.17:8080

213.60.96.117:80

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0faa84229bf79a4352164168fc0a7bbf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0faa84229bf79a4352164168fc0a7bbf_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\SysWOW64\Websocket\winrscmd.exe
      "C:\Windows\SysWOW64\Websocket\winrscmd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2936
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 984
      2⤵
      • Program crash
      PID:1576
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1776 -ip 1776
    1⤵
      PID:2684

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Websocket\winrscmd.exe

      Filesize

      72KB

      MD5

      0faa84229bf79a4352164168fc0a7bbf

      SHA1

      e340ff185628ceafc9ff5eef67c50fd0b989f520

      SHA256

      35c6a0be14c8174a5a411aed7efa51b6db2490b0b47e32cc765f0b6088508803

      SHA512

      acd76874ab694c89cc09874a1c2abdc79f3a963e003c7df126ae8f7a8f95e5f17e04ea52d12728f5aa43c3feb44b04104ec4e7c00502ce4b2616db0020f17fce

    • memory/1776-0-0x0000000002260000-0x000000000226D000-memory.dmp

      Filesize

      52KB

    • memory/1776-4-0x0000000002270000-0x000000000227C000-memory.dmp

      Filesize

      48KB

    • memory/1776-7-0x0000000002250000-0x000000000225B000-memory.dmp

      Filesize

      44KB

    • memory/1776-17-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/2936-13-0x0000000002160000-0x000000000216C000-memory.dmp

      Filesize

      48KB

    • memory/2936-9-0x0000000000670000-0x000000000067D000-memory.dmp

      Filesize

      52KB