Analysis
max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted
03-05-2024 10:10
Static task
static1
Behavioral task
behavioral1
Sample
1044a6626463af1d8af09fac671edbe0_JaffaCakes118.exe
Resource
win7-20240419-en
General
Target
1044a6626463af1d8af09fac671edbe0_JaffaCakes118.exe
Size
308KB
MD5
1044a6626463af1d8af09fac671edbe0
SHA1
bd3507ead8e4467a888df792284c7b5dc6995771
SHA256
fc9c6c02d63ade7e7d385ac7d5aad02b1b3a023e1ad84af1cf1eaae563b00054
SHA512
fba8d60e66535ce736c1e58888236690af532a2f8e14ec3184855a470d3b2d66b5648950e22cefd8440784f2a7fc62ce9944ff14d141e1d3529caea48b27dbc1
SSDEEP
6144:lqfI2dK4las/gMXzGnZq/Tnbh7/qyPowsaWWiA:lqfIJ4lxgMXyUYsHoWX
Malware Config
Extracted
emotet
Epoch1
65.36.62.20:80
209.126.6.222:8080
5.153.250.14:8080
204.225.249.100:7080
77.90.136.129:8080
185.94.252.27:443
85.105.140.135:443
83.169.21.32:7080
190.190.148.27:8080
185.94.252.12:80
116.125.120.88:443
190.115.18.139:8080
61.92.159.208:8080
24.148.98.177:80
212.93.117.170:80
91.219.169.180:80
73.116.193.136:80
87.106.46.107:8080
187.162.248.237:80
70.32.115.157:8080
188.135.15.49:80
149.62.173.247:8080
190.6.193.152:8080
81.129.198.57:80
190.128.173.10:80
172.104.169.32:8080
68.183.190.199:8080
89.32.150.160:8080
95.9.180.128:80
178.79.163.131:8080
213.60.96.117:80
94.206.45.18:80
217.199.160.224:7080
73.213.208.163:80
143.0.87.101:80
104.131.103.37:8080
5.196.35.138:7080
202.4.57.96:80
77.55.211.77:8080
188.2.217.94:80
51.255.165.160:8080
46.28.111.142:7080
111.67.12.221:8080
177.73.0.98:443
94.176.234.118:443
45.33.77.42:8080
177.74.228.34:80
192.241.143.52:8080
181.129.96.162:8080
190.163.31.26:80
58.171.153.81:80
174.100.27.229:80
190.147.137.153:443
82.163.245.38:80
45.161.242.102:80
91.222.77.105:80
137.74.106.111:7080
209.236.123.42:8080
177.72.13.80:80
70.32.84.74:8080
191.182.6.118:80
212.71.237.140:8080
82.76.111.249:443
189.2.177.210:443
219.92.13.25:80
51.159.23.217:443
24.135.198.218:80
186.103.141.250:443
178.250.54.208:8080
95.85.151.205:80
192.241.146.84:8080
213.176.36.147:8080
50.28.51.143:8080
185.33.0.233:80
114.109.179.60:80
67.247.242.247:80
104.131.41.185:8080
80.249.176.206:80
190.195.129.227:8090
191.99.160.58:80
45.173.88.33:80
2.47.112.152:80
186.70.127.199:8090
207.144.103.227:80
72.47.248.48:7080
82.196.15.205:8080
24.135.1.177:80
201.171.150.41:443
152.169.22.67:80
170.81.48.2:80
68.183.170.114:8080
217.13.106.14:8080
186.250.52.226:8080
12.162.84.2:8080
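The extracted C2 list above is only useful once it is turned into something a network sensor or firewall can consume. The following added example (not part of the sandbox report) parses entries in the report's "ip:port" format, drops anything that is not a public IPv4 address with a valid port so a stray internal address cannot end up in a blocklist, and emits Suricata alert rules plus an IP blocklist. C2_BLOCK is the first ten lines of the report's own list; the remaining entries are pasted in the same way. The Suricata message text and the SID range are assumptions for the example.

```python
"""Turn an extracted Emotet C2 list ('ip:port' per line) into blocking and
detection artifacts. Added example; not part of the sandbox report."""
import ipaddress
from collections import Counter

# Constructed input: a slice of the report's extracted Epoch1 C2 list.
C2_BLOCK = """
65.36.62.20:80
209.126.6.222:8080
5.153.250.14:8080
204.225.249.100:7080
77.90.136.129:8080
185.94.252.27:443
85.105.140.135:443
83.169.21.32:7080
190.190.148.27:8080
185.94.252.12:80
"""


def parse_c2(text):
    """Parse 'ip:port' lines into (ip, port) tuples.

    Entries that are not a public IPv4 address with a valid TCP port are
    skipped, so a private/loopback value in a config dump cannot be pushed
    into a firewall blocklist and break internal traffic.
    """
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        host, _, port = line.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
            port = int(port)
        except ValueError:
            continue
        if ip.version != 4 or not ip.is_global or not 1 <= port <= 65535:
            continue
        out.append((str(ip), port))
    return out


def port_histogram(c2s):
    """Endpoints per port; Emotet mixes 80/443/7080/8080, so port alone is no signal."""
    return dict(Counter(port for _, port in c2s))


def suricata_rules(c2s, sid_base=9000001):
    """One outbound alert per endpoint (msg text and SID range are assumptions)."""
    rules = []
    for i, (ip, port) in enumerate(sorted(c2s)):
        rules.append(
            'alert tcp $HOME_NET any -> %s %d (msg:"Emotet Epoch1 C2 %s:%d"; '
            "flow:to_server; classtype:trojan-activity; sid:%d; rev:1;)"
            % (ip, port, ip, port, sid_base + i)
        )
    return rules


def blocklist(c2s):
    """Unique IPs for host-level blocking; ports are dropped since C2 hosts are hostile as a whole."""
    return sorted({ip for ip, _ in c2s}, key=ipaddress.ip_address)


if __name__ == "__main__":
    c2s = parse_c2(C2_BLOCK)
    print(port_histogram(c2s))
    print("\n".join(suricata_rules(c2s)))
    print("\n".join(blocklist(c2s)))
```

Because the rules are keyed on destination IP and port only, they will keep matching after the sample is gone; retire them when the infrastructure is re-used, and treat any hit from a host that is not supposed to reach the internet directly as high priority.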
Signatures
YARA rule matches (emotet) 4 IoCs
resource  yara_rule
behavioral2/memory/3624-0-0x0000000000540000-0x000000000054C000-memory.dmp  emotet
behavioral2/memory/3624-4-0x0000000000530000-0x0000000000539000-memory.dmp  emotet
behavioral2/memory/2932-7-0x0000000000620000-0x000000000062C000-memory.dmp  emotet
behavioral2/memory/2932-11-0x0000000000620000-0x000000000062C000-memory.dmp  emotet
Executes dropped EXE 1 IoCs
pid  Process
2932  mfc100cht.exe
Drops file in System32 directory 1 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\rdpcore\mfc100cht.exe  1044a6626463af1d8af09fac671edbe0_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid  Process
2932  mfc100cht.exe  (14 identical events)
Suspicious behavior: RenamesItself 1 IoCs
pid  Process
3624  1044a6626463af1d8af09fac671edbe0_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid  Process
3624  1044a6626463af1d8af09fac671edbe0_JaffaCakes118.exe  (2 events)
2932  mfc100cht.exe  (2 events)
Suspicious use of WriteProcessMemory 3 IoCs
description  pid  Process  procid_target
PID 3624 wrote to memory of 2932  3624  1044a6626463af1d8af09fac671edbe0_JaffaCakes118.exe  82  (3 identical events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1044a6626463af1d8af09fac671edbe0_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1044a6626463af1d8af09fac671edbe0_JaffaCakes118.exe"
   PID: 3624
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rdpcore\mfc100cht.exe  (child of PID 3624)
      Command line: "C:\Windows\SysWOW64\rdpcore\mfc100cht.exe"
      PID: 2932
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
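The signatures and process tree above describe one chain: a process running from the user's Temp directory writes an .exe under C:\Windows\SysWOW64\rdpcore\, launches that file as a child (PID 2932), and then writes into the child's memory. The following added example (not the sandbox's own detection code) shows that chain as correlation logic over process telemetry. The event schema, the field names and the sample events are constructed to mirror the report's PIDs and paths; a benign installer sequence is included to show the rule does not fire on ordinary drop-and-run behaviour outside the system directories.

```python
"""Correlate drop-into-system-dir -> execute -> WriteProcessMemory per parent PID.
Added example; event schema and sample events are constructed, not from the report."""
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1044a6626463af1d8af09fac671edbe0_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\rdpcore\mfc100cht.exe"

# Constructed telemetry modelled on the report's signatures and process tree.
EVENTS = [
    {"type": "file_write", "pid": 3624, "image": SAMPLE, "path": DROPPED},
    {"type": "process_create", "pid": 3624, "image": SAMPLE,
     "child_pid": 2932, "child_image": DROPPED},
    {"type": "memory_write", "pid": 3624, "target_pid": 2932},
    # Benign noise: an installer that writes and runs a binary from Program Files.
    {"type": "file_write", "pid": 4100, "image": r"C:\Users\Admin\Downloads\setup.exe",
     "path": r"C:\Program Files\Tool\tool.exe"},
    {"type": "process_create", "pid": 4100, "image": r"C:\Users\Admin\Downloads\setup.exe",
     "child_pid": 4120, "child_image": r"C:\Program Files\Tool\tool.exe"},
]

SYSTEM_DIRS = (PureWindowsPath(r"C:\Windows\System32"),
               PureWindowsPath(r"C:\Windows\SysWOW64"))
USER_WRITABLE = (PureWindowsPath(r"C:\Users"),
                 PureWindowsPath(r"C:\ProgramData"),
                 PureWindowsPath(r"C:\Windows\Temp"))


def _under(path, roots):
    """True if path lies below any root (PureWindowsPath compares case-insensitively)."""
    parents = PureWindowsPath(path).parents
    return any(root in parents for root in roots)


def _norm(path):
    """Case-folded string key so C:\\WINDOWS and C:\\Windows correlate."""
    return str(PureWindowsPath(path)).lower()


def detect_drop_and_exec(events):
    """Alert when a process from a user-writable location writes an .exe into a
    system directory and then launches that exact file. A later memory write
    from the same parent into that child raises the severity, since that is
    what the report's WriteProcessMemory signature records.
    """
    dropped = {}   # (parent_pid, normalised path) -> write event
    children = {}  # child_pid -> index into alerts
    alerts = []
    for ev in events:
        t = ev["type"]
        if t == "file_write":
            p = PureWindowsPath(ev["path"])
            if (p.suffix.lower() == ".exe" and _under(p, SYSTEM_DIRS)
                    and _under(ev["image"], USER_WRITABLE)):
                dropped[(ev["pid"], _norm(p))] = ev
        elif t == "process_create":
            key = (ev["pid"], _norm(ev["child_image"]))
            if key in dropped:
                alerts.append({"parent_pid": ev["pid"], "child_pid": ev["child_pid"],
                               "path": ev["child_image"], "severity": "medium",
                               "reason": "executed .exe it dropped under a system directory"})
                children[ev["child_pid"]] = len(alerts) - 1
        elif t == "memory_write":
            idx = children.get(ev["target_pid"])
            if idx is not None and alerts[idx]["parent_pid"] == ev["pid"]:
                alerts[idx]["severity"] = "high"
                alerts[idx]["reason"] += "; parent then wrote into the child's memory"
    return alerts


if __name__ == "__main__":
    for alert in detect_drop_and_exec(EVENTS):
        print(alert)
```

Requiring the writing process to run from a user-writable path is what keeps legitimate elevated installers and Windows servicing out of the alert; if your telemetry carries integrity level or signer information, adding "unsigned or medium-integrity parent" as a further condition tightens it again.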
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
308KB
MD5
1044a6626463af1d8af09fac671edbe0
SHA1
bd3507ead8e4467a888df792284c7b5dc6995771
SHA256
fc9c6c02d63ade7e7d385ac7d5aad02b1b3a023e1ad84af1cf1eaae563b00054
SHA512
fba8d60e66535ce736c1e58888236690af532a2f8e14ec3184855a470d3b2d66b5648950e22cefd8440784f2a7fc62ce9944ff14d141e1d3529caea48b27dbc1