Analysis

max time kernel: 145s
max time network: 147s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10-05-2024 18:11

Static task: static1
Behavioral task: behavioral1
Sample: 3062a26e27196137496909cd884b9adb_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 3062a26e27196137496909cd884b9adb_JaffaCakes118.exe
Size: 188KB
MD5: 3062a26e27196137496909cd884b9adb
SHA1: 9ca8bdafcfd6e5e6204125119b675cc855ff00c8
SHA256: 1bd02412be82153e7175f092d645cb0957a796d1cf786efc9268337374cc5d63
SHA512: ffbe013201f10eaceff35123c7ab973b934b4bfa04a02153abd6da88aecd6d86969d59f8bef353580dda151eebb5be4635f97ca482f6efef3b2e24d65b3d8a04
SSDEEP: 3072:h7pI7kZNb+M4zcDufZ28zDLYGL1BBRpzkaagwqUnIauUu/e:h7dfb+M8R28HLYGxRpzkw1Un9u/e
Malware Config

Extracted family: emotet
Botnet: Epoch2
C2: 71 IP:port endpoints
Signatures

Drops file in System32 directory (1 IoC)
Process: coffeeemboss.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (21 IoCs)
Process: coffeeemboss.exe
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0119000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDEBB75B-19A0-40AE-B650-10C634716058}\WpadDecision = "0"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-67-6c-72-4a-e1\WpadDecisionTime = 302bb09c05a3da01
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDEBB75B-19A0-40AE-B650-10C634716058}
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDEBB75B-19A0-40AE-B650-10C634716058}\WpadDecisionTime = 302bb09c05a3da01
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDEBB75B-19A0-40AE-B650-10C634716058}\WpadNetworkName = "Network 3"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDEBB75B-19A0-40AE-B650-10C634716058}\52-67-6c-72-4a-e1
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-67-6c-72-4a-e1\WpadDecisionReason = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-67-6c-72-4a-e1\WpadDecision = "0"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-67-6c-72-4a-e1
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDEBB75B-19A0-40AE-B650-10C634716058}\WpadDecisionReason = "1"

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Process: coffeeemboss.exe
  PID 2536 coffeeemboss.exe (4 occurrences)

Suspicious behavior: RenamesItself (1 IoC)
Process: 3062a26e27196137496909cd884b9adb_JaffaCakes118.exe
  PID 2816 3062a26e27196137496909cd884b9adb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 3062a26e27196137496909cd884b9adb_JaffaCakes118.exe, coffeeemboss.exe
  PID 2780 wrote to memory of 2816: 3062a26e27196137496909cd884b9adb_JaffaCakes118.exe -> 3062a26e27196137496909cd884b9adb_JaffaCakes118.exe (4 occurrences)
  PID 2548 wrote to memory of 2536: coffeeemboss.exe -> coffeeemboss.exe (4 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\3062a26e27196137496909cd884b9adb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3062a26e27196137496909cd884b9adb_JaffaCakes118.exe"
  PID: 2780
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Local\Temp\3062a26e27196137496909cd884b9adb_JaffaCakes118.exe --984b98f7
    PID: 2816
    - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\coffeeemboss.exe
  Command line: "C:\Windows\SysWOW64\coffeeemboss.exe"
  PID: 2548
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\coffeeemboss.exe --9e12a0b3
    PID: 2536
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses