Analysis
-
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-05-2024 08:25
Static task
static1
Behavioral task
behavioral1
Sample
11e1c95169d816758338917f92b7464d_JaffaCakes118.exe
Resource
win7-20240221-en
General
Target: 11e1c95169d816758338917f92b7464d_JaffaCakes118.exe
Size: 264KB
MD5: 11e1c95169d816758338917f92b7464d
SHA1: 26f1b14a177efe540a7168c471b05b4f03f3ae2d
SHA256: 840da21273894b4b54d87929cb3212f721b92ba8873926d63e89efcf60fbb9ee
SHA512: 86ba1ad2d6b64dc443b96dd2b83bf7d8a3f58a022c13386bf8fadb093aa49a5c39e090f3b1701c5fdd15709f26c060dd5e1d87bbdabb2dc4fb1990e18df22542
SSDEEP: 6144:z2Rkl3sTsZzaJsxZqBU9PTyXpuXc5SkY2Bkp3:z2Kl8TsZ2sqWhy149xp
Malware Config
Extracted
emotet
Epoch2
Signatures
-
Processes:
resource / yara_rule:
behavioral2/memory/1888-0-0x0000000002E90000-0x0000000002EA2000-memory.dmp: emotet
behavioral2/memory/1888-4-0x0000000000400000-0x0000000000410000-memory.dmp: emotet
behavioral2/memory/1888-7-0x0000000001380000-0x000000000138F000-memory.dmp: emotet
behavioral2/memory/436-10-0x00000000013C0000-0x00000000013D2000-memory.dmp: emotet
-
Executes dropped EXE 1 IoCs
Processes:
pid / process: 436 wmiclnt.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description: File opened for modification
ioc: C:\Windows\SysWOW64\Windows.Media.Protection.PlayReady\wmiclnt.exe
process: 11e1c95169d816758338917f92b7464d_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid / process: 436 wmiclnt.exe (16 identical entries)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid / process: 1888 11e1c95169d816758338917f92b7464d_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description / pid / process / target process:
PID 1888 wrote to memory of 436; 11e1c95169d816758338917f92b7464d_JaffaCakes118.exe -> wmiclnt.exe (3 identical entries)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\11e1c95169d816758338917f92b7464d_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\11e1c95169d816758338917f92b7464d_JaffaCakes118.exe"
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\Windows.Media.Protection.PlayReady\wmiclnt.exe
      command line: "C:\Windows\SysWOW64\Windows.Media.Protection.PlayReady\wmiclnt.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Windows\SysWOW64\Windows.Media.Protection.PlayReady\wmiclnt.exe
Filesize: 264KB
MD5: 11e1c95169d816758338917f92b7464d
SHA1: 26f1b14a177efe540a7168c471b05b4f03f3ae2d
SHA256: 840da21273894b4b54d87929cb3212f721b92ba8873926d63e89efcf60fbb9ee
SHA512: 86ba1ad2d6b64dc443b96dd2b83bf7d8a3f58a022c13386bf8fadb093aa49a5c39e090f3b1701c5fdd15709f26c060dd5e1d87bbdabb2dc4fb1990e18df22542
-
memory/436-10-0x00000000013C0000-0x00000000013D2000-memory.dmp
Filesize: 72KB
-
memory/1888-0-0x0000000002E90000-0x0000000002EA2000-memory.dmp
Filesize: 72KB
-
memory/1888-4-0x0000000000400000-0x0000000000410000-memory.dmp
Filesize: 64KB
-
memory/1888-7-0x0000000001380000-0x000000000138F000-memory.dmp
Filesize: 60KB
-
memory/1888-9-0x0000000000AA0000-0x0000000000AE6000-memory.dmp
Filesize: 280KB