Analysis
max time kernel
137s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted
03-05-2024 04:26
Static task
static1
Behavioral task
behavioral1
Sample
0faa84229bf79a4352164168fc0a7bbf_JaffaCakes118.exe
Resource
win7-20240221-en
General
Target
0faa84229bf79a4352164168fc0a7bbf_JaffaCakes118.exe
Size
72KB
MD5
0faa84229bf79a4352164168fc0a7bbf
SHA1
e340ff185628ceafc9ff5eef67c50fd0b989f520
SHA256
35c6a0be14c8174a5a411aed7efa51b6db2490b0b47e32cc765f0b6088508803
SHA512
acd76874ab694c89cc09874a1c2abdc79f3a963e003c7df126ae8f7a8f95e5f17e04ea52d12728f5aa43c3feb44b04104ec4e7c00502ce4b2616db0020f17fce
SSDEEP
1536:GAOKQywB8X2OSmSGQqR6XYj0G6pzboBlpAvaLO:GZKyBE2OSCQlG6pAlAaa
Malware Config
Extracted
emotet
Epoch1
185.215.227.107:443
51.38.124.206:80
38.88.126.202:8080
54.37.42.48:8080
172.104.169.32:8080
68.183.190.199:8080
187.162.248.237:80
82.76.111.249:443
184.66.18.83:80
190.6.193.152:8080
77.238.212.227:80
199.203.62.165:80
188.2.217.94:80
185.94.252.12:80
178.250.54.208:8080
206.15.68.237:443
65.36.62.20:80
216.47.196.104:80
219.92.8.17:8080
213.60.96.117:80
77.55.211.77:8080
72.167.223.217:8080
177.74.228.34:80
186.103.141.250:443
190.163.31.26:80
85.109.159.61:443
68.183.170.114:8080
213.197.182.158:8080
45.161.242.102:80
71.197.211.156:80
104.131.103.37:8080
94.176.234.118:443
190.2.31.172:80
5.196.35.138:7080
190.195.129.227:8090
67.247.242.247:80
64.201.88.132:80
152.169.22.67:80
24.135.1.177:80
191.182.6.118:80
51.159.23.217:443
110.142.219.51:80
68.69.155.181:80
82.196.15.205:8080
77.90.136.129:8080
181.129.96.162:8080
45.33.77.42:8080
95.9.180.128:80
192.241.146.84:8080
91.219.169.180:80
188.135.15.49:80
212.71.237.140:8080
98.13.75.196:80
72.47.248.48:7080
209.236.123.42:8080
217.13.106.14:8080
219.92.13.25:80
177.72.13.80:80
12.162.84.2:8080
177.73.0.98:443
50.121.220.50:80
185.178.10.77:80
216.10.40.16:80
61.92.159.208:8080
170.81.48.2:80
45.16.226.117:443
185.94.252.27:443
217.199.160.224:7080
178.79.163.131:8080
186.70.127.199:8090
91.121.54.71:8080
190.190.148.27:8080
190.24.243.186:80
138.97.60.141:7080
104.131.41.185:8080
73.213.208.163:80
181.30.61.163:443
103.106.236.83:8080
192.241.143.52:8080
87.106.46.107:8080
2.47.112.152:80
45.173.88.33:80
204.225.249.100:7080
111.67.77.202:8080
70.32.115.157:8080
111.67.12.221:8080
70.32.84.74:8080
58.171.153.81:80
190.147.137.153:443
190.115.18.139:8080
83.169.21.32:7080
5.189.178.202:8080
50.28.51.143:8080
137.74.106.111:7080
189.2.177.210:443
72.135.200.124:80
51.255.165.160:8080
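The ip:port list above is the actionable part of the extracted config. The Python below is an added example, not part of the sandbox report or of any Emotet tooling: it parses the list in the exact shape the report prints it, matches it against a few constructed firewall log lines (the key=value log format is this example's own assumption), and emits one Suricata rule per pair. Caveat: Epoch1 is one of the Emotet botnets from before the January 2021 takedown, so these addresses are years old and may have been reassigned since; treat a match as a lead to check against current intel, not as a verdict.

```python
import ipaddress
import re
from collections import namedtuple

# Emotet Epoch1 C2 endpoints copied verbatim from the "Malware Config" section
# of this report (a subset; the full list can be pasted in the same shape).
C2_LIST = """
185.215.227.107:443
51.38.124.206:80
38.88.126.202:8080
54.37.42.48:8080
5.196.35.138:7080
190.195.129.227:8090
"""

C2 = namedtuple("C2", "ip port")


def parse_c2_list(text):
    """Parse "ip:port" lines into a set of C2(ip, port).

    Every address is validated so a garbled line raises instead of being
    silently dropped from the blocklist."""
    c2s = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError("bad C2 line: %r" % line)
        ipaddress.IPv4Address(host)  # raises ValueError on a malformed address
        c2s.add(C2(host, int(port)))
    return c2s


# Constructed firewall/proxy log lines (not from the report), key=value shape.
SAMPLE_LOG = """\
ts=2024-05-03T04:27:11Z src=10.0.0.15 dst=185.215.227.107 dport=443 proto=tcp action=allow
ts=2024-05-03T04:27:12Z src=10.0.0.15 dst=142.250.80.46 dport=443 proto=tcp action=allow
ts=2024-05-03T04:27:15Z src=10.0.0.15 dst=5.196.35.138 dport=7080 proto=tcp action=allow
ts=2024-05-03T04:27:20Z src=10.0.0.22 dst=51.38.124.206 dport=8080 proto=tcp action=allow
ts=2024-05-03T04:27:21Z src=10.0.0.22 dst=51.38.124.206 dport=80 proto=tcp action=allow
"""

LOG_RE = re.compile(r"ts=(\S+)\s+src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def match_c2(log_text, c2s, ip_only=False):
    """Return (ts, src, dst, dport) for each line whose destination is a C2.

    By default both ip and port must match, because the extracted config pins
    the pair. ip_only=True also flags a listed host on another port, which is
    noisier but catches reuse of the same host for other infrastructure."""
    c2_ips = {c.ip for c in c2s}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ts, src, dst, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if C2(dst, dport) in c2s or (ip_only and dst in c2_ips):
            hits.append((ts, src, dst, dport))
    return hits


def to_suricata_rules(c2s, base_sid=1000001):
    """Emit one Suricata alert rule per ip:port pair, sids assigned sequentially."""
    rules = []
    for i, c in enumerate(sorted(c2s)):
        rules.append(
            'alert tcp $HOME_NET any -> %s %d (msg:"Emotet Epoch1 C2 %s:%d"; '
            'flow:to_server; sid:%d; rev:1;)' % (c.ip, c.port, c.ip, c.port, base_sid + i)
        )
    return rules


if __name__ == "__main__":
    known = parse_c2_list(C2_LIST)
    for hit in match_c2(SAMPLE_LOG, known):
        print("C2 contact:", hit)
    print("\n".join(to_suricata_rules(known)))
```

The strict matcher deliberately ignores the 51.38.124.206:8080 line because the config lists that host on port 80 only; pass ip_only=True if you would rather see it.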
Signatures
Executes dropped EXE (1 IoC)
pid 2936, process winrscmd.exe
Drops file in System32 directory (1 IoC)
File opened for modification: C:\Windows\SysWOW64\Websocket\winrscmd.exe, by process 0faa84229bf79a4352164168fc0a7bbf_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
pid 1576, pid_target 1776, process WerFault.exe, procid_target 80
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid 2936, process winrscmd.exe (16 events)
Suspicious behavior: RenamesItself (1 IoC)
pid 1776, process 0faa84229bf79a4352164168fc0a7bbf_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid 1776, process 0faa84229bf79a4352164168fc0a7bbf_JaffaCakes118.exe (2 events)
pid 2936, process winrscmd.exe (2 events)
Suspicious use of WriteProcessMemory (3 IoCs)
PID 1776 wrote to memory of 2936, process 0faa84229bf79a4352164168fc0a7bbf_JaffaCakes118.exe, procid_target 82 (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\0faa84229bf79a4352164168fc0a7bbf_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0faa84229bf79a4352164168fc0a7bbf_JaffaCakes118.exe"
  PID: 1776
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Websocket\winrscmd.exe
      command line: "C:\Windows\SysWOW64\Websocket\winrscmd.exe"
      PID: 2936
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 984
      PID: 1576
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1776 -ip 1776
  PID: 2684
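The process tree shows the host-side pattern worth detecting: a binary running from the user's Temp directory writes winrscmd.exe into a new Websocket subfolder under SysWOW64 and then executes it (the two WerFault.exe entries are the dropper crashing afterwards, which is why the parent pid 1776 appears in their command lines). The Python below is an added example, not part of the report: the Event record and its field names are this example's own rather than a Sysmon or EDR schema, and the sample events are constructed from the pids and paths in the tree plus one benign servicing-style write as a control.

```python
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal process/file telemetry record (this example's own shape, not a
    Sysmon or EDR schema)."""
    kind: str         # "file_write" or "process_create"
    pid: int          # acting process: the writer, or the parent for process_create
    image: str        # image path of the acting process
    target: str       # file written, or image path of the new process
    new_pid: int = 0  # only meaningful for process_create


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_TEMP_MARK = "\\appdata\\local\\temp\\"


def under_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def from_user_temp(path):
    return USER_TEMP_MARK in path.lower()


def detect_drop_and_execute(events):
    """Flag a user-Temp process that writes an .exe under System32/SysWOW64 and
    then spawns that same file. Returns one alert dict per executed drop.

    Both halves are required: a write alone is how installers and servicing
    behave, and a process start alone is every WerFault/conhost launch."""
    dropped = {}  # (writer pid, lowercase dropped path) -> file_write event
    alerts = []
    for e in events:
        if e.kind == "file_write":
            if (from_user_temp(e.image) and under_system_dir(e.target)
                    and e.target.lower().endswith(".exe")):
                dropped[(e.pid, e.target.lower())] = e
        elif e.kind == "process_create":
            drop = dropped.get((e.pid, e.target.lower()))
            if drop is not None:
                alerts.append({
                    "dropper_pid": e.pid,
                    "dropper_image": drop.image,
                    "dropped_path": e.target,
                    "dropped_pid": e.new_pid,
                })
    return alerts


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\0faa84229bf79a4352164168fc0a7bbf_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\Websocket\winrscmd.exe"

# Constructed events modelled on the process tree in this report. The
# TrustedInstaller write is a benign control and is not from the report.
SAMPLE_EVENTS = [
    Event("file_write", 1776, DROPPER, DROPPED),
    Event("process_create", 1776, DROPPER, DROPPED, new_pid=2936),
    # WerFault handling the dropper's crash: spawned by 1776 but not written by it.
    Event("process_create", 1776, DROPPER, r"C:\Windows\SysWOW64\WerFault.exe", new_pid=1576),
    # Servicing writes into System32 all the time; the writer is not in user Temp.
    Event("file_write", 900, r"C:\Windows\servicing\TrustedInstaller.exe",
          r"C:\Windows\System32\notepad.exe"),
    Event("process_create", 1200, r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\notepad.exe", new_pid=1300),
]

if __name__ == "__main__":
    for alert in detect_drop_and_execute(SAMPLE_EVENTS):
        print("drop-and-execute:", alert)
```

On a real host the same logic maps onto file-create and process-create telemetry keyed by writer pid and parent pid; the SysWOW64 path here is exactly what the "Drops file in System32 directory" signature above fired on, since the sample is 32-bit on an x64 image.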
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
72KB
MD5
0faa84229bf79a4352164168fc0a7bbf
SHA1
e340ff185628ceafc9ff5eef67c50fd0b989f520
SHA256
35c6a0be14c8174a5a411aed7efa51b6db2490b0b47e32cc765f0b6088508803
SHA512
acd76874ab694c89cc09874a1c2abdc79f3a963e003c7df126ae8f7a8f95e5f17e04ea52d12728f5aa43c3feb44b04104ec4e7c00502ce4b2616db0020f17fce