Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-05-2024 18:11

General

  • Target

    3062a26e27196137496909cd884b9adb_JaffaCakes118.exe

  • Size

    188KB

  • MD5

    3062a26e27196137496909cd884b9adb

  • SHA1

    9ca8bdafcfd6e5e6204125119b675cc855ff00c8

  • SHA256

    1bd02412be82153e7175f092d645cb0957a796d1cf786efc9268337374cc5d63

  • SHA512

    ffbe013201f10eaceff35123c7ab973b934b4bfa04a02153abd6da88aecd6d86969d59f8bef353580dda151eebb5be4635f97ca482f6efef3b2e24d65b3d8a04

  • SSDEEP

    3072:h7pI7kZNb+M4zcDufZ28zDLYGL1BBRpzkaagwqUnIauUu/e:h7dfb+M8R28HLYGxRpzkw1Un9u/e

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

192.241.255.77:8080

74.208.125.192:443

165.227.156.155:443

104.239.175.211:8080

5.196.74.210:8080

144.139.247.220:80

206.189.98.125:8080

85.104.59.244:20

182.176.132.213:8090

37.187.2.199:443

171.101.153.86:990

190.226.44.20:21

192.81.213.192:8080

31.12.67.62:7080

95.128.43.213:8080

186.75.241.230:80

104.131.11.150:8080

46.105.131.87:80

152.89.236.214:8080

91.205.215.66:8080

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3062a26e27196137496909cd884b9adb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3062a26e27196137496909cd884b9adb_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Users\Admin\AppData\Local\Temp\3062a26e27196137496909cd884b9adb_JaffaCakes118.exe
      --984b98f7
      2⤵
      • Suspicious behavior: RenamesItself
      PID:2816
  • C:\Windows\SysWOW64\coffeeemboss.exe
    "C:\Windows\SysWOW64\coffeeemboss.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\SysWOW64\coffeeemboss.exe
      --9e12a0b3
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:2536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2536-19-0x0000000000650000-0x0000000000663000-memory.dmp

    Filesize

    76KB

  • memory/2536-24-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2548-12-0x00000000003E0000-0x00000000003F3000-memory.dmp

    Filesize

    76KB

  • memory/2548-17-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2780-0-0x0000000000360000-0x0000000000373000-memory.dmp

    Filesize

    76KB

  • memory/2780-6-0x0000000000340000-0x000000000034E000-memory.dmp

    Filesize

    56KB

  • memory/2780-5-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2816-7-0x00000000003D0000-0x00000000003E3000-memory.dmp

    Filesize

    76KB

  • memory/2816-18-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB