Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    08/05/2024, 22:18

General

  • Target

    26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe

  • Size

    499KB

  • MD5

    26fec1e25a99f0cee5e40a4cac55ea00

  • SHA1

    184569c0e12c327183427c45d18daa8df89bcc33

  • SHA256

    3c8030b45d07bafb36023df5de15f6a02a461f1ed73dbe7eb4e678bad20e718f

  • SHA512

    4a328761596c5f7720ef1397427bb45c7ec22eda176d745ef46b3fd3133e667773a38b6a44e5c29ca669f0a7784818a9aa239a7d11fcc6a73d7e3c6afff4a2f9

  • SSDEEP

    6144:q9xxtqe+fXzVuMCUJN9/hU7d8NAXxOuoORByciYJXI+Oq:Mx7H+fXz6UVhgjBOuoORBylYJ4

Score
10/10

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Users\Admin\AppData\Local\Temp\26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      PID:2236
  • C:\Windows\SysWOW64\horzdynamic.exe
    "C:\Windows\SysWOW64\horzdynamic.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\SysWOW64\horzdynamic.exe
      "C:\Windows\SysWOW64\horzdynamic.exe"
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:2648

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1676-5-0x0000000000400000-0x0000000000481000-memory.dmp

          Filesize

          516KB

        • memory/1676-4-0x00000000002A0000-0x00000000002B7000-memory.dmp

          Filesize

          92KB

        • memory/1676-0-0x00000000002A0000-0x00000000002B7000-memory.dmp

          Filesize

          92KB

        • memory/2236-10-0x0000000000660000-0x0000000000677000-memory.dmp

          Filesize

          92KB

        • memory/2236-6-0x0000000000660000-0x0000000000677000-memory.dmp

          Filesize

          92KB

        • memory/2584-11-0x0000000000490000-0x00000000004A7000-memory.dmp

          Filesize

          92KB

        • memory/2584-15-0x0000000000490000-0x00000000004A7000-memory.dmp

          Filesize

          92KB

        • memory/2648-20-0x00000000003E0000-0x00000000003F7000-memory.dmp

          Filesize

          92KB

        • memory/2648-16-0x00000000003E0000-0x00000000003F7000-memory.dmp

          Filesize

          92KB