Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    08/05/2024, 23:24

General

  • Target

    273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe

  • Size

    144KB

  • MD5

    273291567a770579ce3dc6917e1b4402

  • SHA1

    46a9e2139d2021b2ca68c84fe53a7f798f9b0bc7

  • SHA256

    a12e6a57bafb85c0d8eeb15d71697b09be4a0222ed897fc05b573d57a2593ac2

  • SHA512

    1b966a4ca2103656e1a736ec0629f90364c68f66b3b13b0ff04f7b5ea8d3026c5fe3106113b8ad638335771d019ccc690d420b23a23bc867a86f9d808870e31b

  • SSDEEP

    3072:MJiOVZaic4INE9+j8ocr2i+hF3ijB4QMr3:MJtVZ1cJGIj8YMB4F

Score
10/10

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Users\Admin\AppData\Local\Temp\273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      PID:2160
  • C:\Windows\SysWOW64\zipbased.exe
    "C:\Windows\SysWOW64\zipbased.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\SysWOW64\zipbased.exe
      "C:\Windows\SysWOW64\zipbased.exe"
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:2696

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1868-0-0x00000000001A0000-0x00000000001BA000-memory.dmp

          Filesize

          104KB

        • memory/1868-9-0x00000000001C0000-0x00000000001D8000-memory.dmp

          Filesize

          96KB

        • memory/1868-8-0x0000000000160000-0x000000000017A000-memory.dmp

          Filesize

          104KB

        • memory/2160-4-0x0000000000190000-0x00000000001AA000-memory.dmp

          Filesize

          104KB

        • memory/2160-11-0x00000000001B0000-0x00000000001C8000-memory.dmp

          Filesize

          96KB

        • memory/2160-10-0x0000000000170000-0x000000000018A000-memory.dmp

          Filesize

          104KB

        • memory/2160-24-0x0000000000170000-0x000000000018A000-memory.dmp

          Filesize

          104KB

        • memory/2160-23-0x0000000000D40000-0x0000000000D65000-memory.dmp

          Filesize

          148KB

        • memory/2632-16-0x0000000000170000-0x000000000018A000-memory.dmp

          Filesize

          104KB

        • memory/2696-21-0x00000000001B0000-0x00000000001CA000-memory.dmp

          Filesize

          104KB

        • memory/2696-22-0x00000000002A0000-0x00000000002B8000-memory.dmp

          Filesize

          96KB

        • memory/2696-17-0x00000000001D0000-0x00000000001EA000-memory.dmp

          Filesize

          104KB

        • memory/2696-25-0x00000000001B0000-0x00000000001CA000-memory.dmp

          Filesize

          104KB