Analysis
- max time kernel: 141s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-05-2024 18:35

Static task: static1
Behavioral task: behavioral1
Sample: 18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
Resource: win7-20240221-en
General
- Target: 18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
- Size: 212KB
- MD5: 18d65baea8dfbee9c34c7d9b762b10b7
- SHA1: e60495220d4000c6caa04be25822b80d4bfc2297
- SHA256: ca149717d43d2a113c894b33be843a0a0e26c1364c06d933f76c4b062b750f51
- SHA512: 9c48e2b90f7f5318c9738ffa24e63e38d4b3a42c3ebb4c8fcd1ff4234c16419aefbcbdfe78c443047b883d55342009b2e0deb104534957cbed84e31d49bfbfb7
- SSDEEP: 3072:FizbxqLRv2ZCvA1y1t3QoqVePUQGTbgYh/XsLlCP2wc:FOq55o10JQpeJGT8Yh/X8lS2z
Malware Config
Extracted: emotet (botnet: Epoch2)
C2 addresses (ip:port) recovered from the sample's embedded configuration. Note the mix of ports: besides 80/443/8080/7080, Emotet Epoch2 configs used 20, 21, 22, 465, 990 and 8090, so egress filtering on "web ports only" would not have stopped these beacons. The Epoch2 infrastructure was dismantled in the January 2021 law-enforcement takedown, so treat the list as historical indicators for retro-hunting and sample clustering rather than as a live blocklist; the hosts may long since have been reassigned.
12.229.155.122:80
5.88.182.250:80
128.65.154.183:443
59.110.18.236:443
45.56.88.91:443
51.68.220.244:8080
206.81.10.215:8080
211.63.71.72:8080
171.101.153.86:990
95.128.43.213:8080
31.172.240.91:8080
167.99.105.223:7080
24.45.193.161:7080
104.131.11.150:8080
167.71.10.37:8080
104.131.44.150:8080
190.108.228.48:990
195.244.215.206:80
192.241.220.155:8080
209.97.168.52:8080
197.254.221.174:80
37.157.194.134:443
212.129.24.79:8080
200.71.148.138:8080
206.189.112.148:8080
169.239.182.217:8080
167.114.242.226:8080
181.31.213.158:8080
181.143.194.138:443
80.11.163.139:21
120.150.246.241:80
183.102.238.69:465
159.65.25.128:8080
62.75.187.192:8080
178.210.51.222:8080
178.209.71.63:8080
138.201.140.110:8080
186.75.241.230:80
190.226.44.20:21
190.53.135.159:21
217.160.182.191:8080
165.227.156.155:443
104.236.246.93:8080
31.31.77.83:443
192.241.255.77:8080
85.104.59.244:20
182.176.132.213:8090
5.196.74.210:8080
144.139.247.220:80
50.116.86.205:8080
59.103.164.174:80
165.228.24.197:80
67.225.179.64:8080
201.184.105.242:443
91.205.215.66:8080
92.222.216.44:8080
103.39.131.88:80
190.147.215.53:22
116.48.142.21:443
87.230.19.21:8080
46.105.131.87:80
190.211.207.11:443
87.106.136.232:8080
149.202.153.252:8080
83.136.245.190:8080
91.73.197.90:80
45.33.49.124:443
191.92.209.110:7080
107.170.24.125:8080
31.12.67.62:7080
189.209.217.49:80
192.81.213.192:8080
164.68.101.171:80
173.212.203.26:8080
94.192.228.255:80
78.24.219.147:8080
190.145.67.134:8090
65.23.154.17:8080
181.57.193.14:80
176.31.200.130:8080
87.106.139.101:8080
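As an added example (not part of the sandbox report), the Python below turns an ip:port C2 list like the one above into a validated, de-duplicated indicator set and Suricata rules. The entries embedded in it are copied from the list above plus three deliberately malformed lines to show the validation; the SID range, rule text and the choice to drop non-global addresses are assumptions.

```python
"""Convert an extracted Emotet C2 list (ip:port per line) into detection artifacts."""
import ipaddress
import re
from collections import Counter
from typing import List, Tuple

# Sample input: ten entries copied from the report's Epoch2 config, one duplicate
# and two malformed lines added deliberately (constructed test data).
C2_CONFIG = """\
12.229.155.122:80
5.88.182.250:80
128.65.154.183:443
51.68.220.244:8080
171.101.153.86:990
80.11.163.139:21
183.102.238.69:465
85.104.59.244:20
190.147.215.53:22
182.176.132.213:8090
12.229.155.122:80
not-an-ip:80
10.0.0.1:99999
"""

C2_LINE = re.compile(r"^\s*(?P<ip>[\d.]+):(?P<port>\d{1,5})\s*$")


def parse_c2_list(text: str) -> List[Tuple[str, int]]:
    """Return unique (ip, port) pairs in first-seen order.

    Lines that are not a valid global IPv4 address with a port in 1..65535 are
    skipped: a config extractor never legitimately yields RFC1918/loopback
    addresses, so their presence means a parsing error, not a C2.
    """
    seen = set()
    out: List[Tuple[str, int]] = []
    for line in text.splitlines():
        m = C2_LINE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m["ip"])
        except ipaddress.AddressValueError:
            continue
        port = int(m["port"])
        if not (1 <= port <= 65535) or not ip.is_global:
            continue
        key = (str(ip), port)
        if key in seen:
            continue
        seen.add(key)
        out.append(key)
    return out


def port_histogram(c2s: List[Tuple[str, int]]) -> Counter:
    """Count C2 entries per port; useful for deciding egress-filter exceptions."""
    return Counter(port for _, port in c2s)


def suricata_rules(c2s: List[Tuple[str, int]], sid_base: int = 9000000) -> List[str]:
    """One outbound TCP alert per C2 endpoint (sid_base is an assumed private range)."""
    rules = []
    for i, (ip, port) in enumerate(c2s):
        rules.append(
            f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"Emotet Epoch2 C2 {ip}:{port}"; flow:to_server; '
            f"classtype:trojan-activity; sid:{sid_base + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    c2s = parse_c2_list(C2_CONFIG)
    print(f"{len(c2s)} unique C2 endpoints, ports: {dict(port_histogram(c2s))}")
    for rule in suricata_rules(c2s):
        print(rule)
```

Matching on ip+port rather than ip alone keeps the rule set honest when a host is shared, and the histogram makes visible that a third of the endpoints on this page sit on ports most egress policies never thought about.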
Signatures

Drops file in System32 directory (1 IoC)
Processes:
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  process: netshmore.exe
This path is the WinINet cache of the LocalSystem profile. It is written because the SysWOW64 copy runs as SYSTEM and uses WinINet for its HTTP traffic; it is a side effect of network activity, not a dropped payload.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (21 IoCs)
Processes: netshmore.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecisionTime = 0025d1181b9fda01
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecision = "0"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecisionReason = "1"
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadNetworkName = "Network 3"
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecisionTime = 0025d1181b9fda01
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecisionReason = "1"
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\d6-8e-05-c7-1d-61
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix = (empty)
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecision = "0"
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
All 21 writes sit under HKEY_USERS\.DEFAULT, the hive used by LocalSystem, and all are WinINet proxy-autodetect (WPAD) and cache bookkeeping. They confirm that the netshmore.exe copy makes HTTP requests as SYSTEM; they are not a persistence mechanism in themselves, so do not alert on these keys alone.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid 2724  netshmore.exe
  pid 2724  netshmore.exe
  pid 2724  netshmore.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid 2384  18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid 1688  18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
  pid 2384  18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
  pid 2560  netshmore.exe
  pid 2724  netshmore.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                      pid   process                                              target process
  PID 1688 wrote to memory of 2384  1688  18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe  18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
  PID 1688 wrote to memory of 2384  1688  18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe  18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
  PID 1688 wrote to memory of 2384  1688  18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe  18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
  PID 1688 wrote to memory of 2384  1688  18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe  18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
  PID 2560 wrote to memory of 2724  2560  netshmore.exe                                        netshmore.exe
  PID 2560 wrote to memory of 2724  2560  netshmore.exe                                        netshmore.exe
  PID 2560 wrote to memory of 2724  2560  netshmore.exe                                        netshmore.exe
  PID 2560 wrote to memory of 2724  2560  netshmore.exe                                        netshmore.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
    argument: --2d07009e
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\netshmore.exe
  command line: "C:\Windows\SysWOW64\netshmore.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netshmore.exe
    argument: --9b4f745d
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
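The tree above shows the pattern twice: a binary launches a second instance of itself with a single `--<8 hex digits>` argument (`--2d07009e`, then `--9b4f745d` from the SysWOW64 copy), and the parent writes into the child's memory. As an added example, not part of the sandbox report, the Python below hunts for that self-respawn pattern over process-creation records. The records are constructed to mirror the tree (PIDs 1688 -> 2384 and 2560 -> 2724); the parent PIDs of the two top-level processes, the explorer.exe and cmd.exe entries, and the quoting of the command lines are assumptions.

```python
"""Detect a process re-launching its own image with a --<hex8> argument."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon event 1 or 4688 provide)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Emotet's second stage is the same binary re-launched with one argument of the
# form --<8 lowercase hex digits>; the regex anchors it as the last token.
SELF_SPAWN_ARG = re.compile(r"(?:^|\s)--[0-9a-f]{8}\s*$")

# Image prefix of the installed copy (netshmore.exe in the report).
SYSWOW64 = "c:\\windows\\syswow64\\"


def find_self_respawn(events: Iterable[ProcEvent]) -> List[dict]:
    """Return one hit per child spawned by its own image with the --<hex8> argument.

    'persisted' is True when the image lives in SysWOW64, i.e. the hit is the
    installed copy rather than the first run of the sample from the user's Temp
    directory, which is the more urgent of the two to triage.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[dict] = []
    for child in by_pid.values():
        parent = by_pid.get(child.ppid)
        if parent is None or parent.image.lower() != child.image.lower():
            continue
        if not SELF_SPAWN_ARG.search(child.cmdline):
            continue
        hits.append({
            "parent_pid": parent.pid,
            "child_pid": child.pid,
            "image": child.image,
            "persisted": child.image.lower().startswith(SYSWOW64),
        })
    return hits


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe"
COPY = "C:\\Windows\\SysWOW64\\netshmore.exe"

# Constructed events: the four processes from the report plus a benign cmd.exe
# chain that also spawns its own image but without the hex argument.
EVENTS = [
    ProcEvent(1000, 4, "C:\\Windows\\explorer.exe", "explorer.exe"),            # assumed
    ProcEvent(1688, 1000, SAMPLE, f'"{SAMPLE}"'),                                # ppid assumed
    ProcEvent(2384, 1688, SAMPLE, f'"{SAMPLE}" --2d07009e'),
    ProcEvent(2560, 480, COPY, f'"{COPY}"'),                                     # ppid assumed
    ProcEvent(2724, 2560, COPY, f'"{COPY}" --9b4f745d'),
    ProcEvent(3000, 1000, "C:\\Windows\\System32\\cmd.exe", "cmd.exe"),         # benign
    ProcEvent(3001, 3000, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir"),  # benign
]

if __name__ == "__main__":
    for hit in find_self_respawn(EVENTS):
        print(hit)
```

Same-image spawns are common (cmd.exe, browsers, updaters), so the argument shape carries the signal here; in production, combine the hit with the sandbox's other observations from this page, a WriteProcessMemory from parent to child and, for the persisted case, an image in SysWOW64 that is not part of the OS baseline, before paging anyone.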
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads (memory dumps)
- memory/1688-0-0x0000000000350000-0x0000000000367000-memory.dmp (92KB)
- memory/1688-5-0x0000000000320000-0x0000000000331000-memory.dmp (68KB)
- memory/2384-6-0x0000000000300000-0x0000000000317000-memory.dmp (92KB)
- memory/2384-16-0x0000000000400000-0x0000000000435000-memory.dmp (212KB; same size as the sample and at 0x400000, the default 32-bit image base, so this is the sample's own mapped image in the second instance)
- memory/2560-11-0x00000000003E0000-0x00000000003F7000-memory.dmp (92KB)
- memory/2724-17-0x0000000000920000-0x0000000000937000-memory.dmp (92KB)
The recurring 92KB region appears once in every one of the four processes; it is the first dump to inspect for the unpacked payload, since the same-size region in both the Temp instance and the SysWOW64 copy suggests the same code is unpacked in each.