Analysis

max time kernel: 146s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 18:11

Static task: static1
Behavioral task: behavioral1
Sample: 3062a26e27196137496909cd884b9adb_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 3062a26e27196137496909cd884b9adb_JaffaCakes118.exe
Size: 188KB
MD5: 3062a26e27196137496909cd884b9adb
SHA1: 9ca8bdafcfd6e5e6204125119b675cc855ff00c8
SHA256: 1bd02412be82153e7175f092d645cb0957a796d1cf786efc9268337374cc5d63
SHA512: ffbe013201f10eaceff35123c7ab973b934b4bfa04a02153abd6da88aecd6d86969d59f8bef353580dda151eebb5be4635f97ca482f6efef3b2e24d65b3d8a04
SSDEEP: 3072:h7pI7kZNb+M4zcDufZ28zDLYGL1BBRpzkaagwqUnIauUu/e:h7dfb+M8R28HLYGxRpzkw1Un9u/e
Malware Config

Extracted: emotet
Epoch2
Signatures

Drops file in System32 directory (4 IoCs)
Processes: hexaceip.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | hexaceip.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | hexaceip.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | hexaceip.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | hexaceip.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (3 IoCs)
Processes: hexaceip.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | hexaceip.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | hexaceip.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | hexaceip.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: hexaceip.exe
pid | process
4848 | hexaceip.exe (same entry recorded 12 times)

Suspicious behavior: RenamesItself (1 IoCs)
Processes: 3062a26e27196137496909cd884b9adb_JaffaCakes118.exe
pid | process
4328 | 3062a26e27196137496909cd884b9adb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 3062a26e27196137496909cd884b9adb_JaffaCakes118.exe, hexaceip.exe
description | pid | process | target process
PID 2996 wrote to memory of 4328 | 2996 | 3062a26e27196137496909cd884b9adb_JaffaCakes118.exe | 3062a26e27196137496909cd884b9adb_JaffaCakes118.exe (recorded 3 times)
PID 3536 wrote to memory of 4848 | 3536 | hexaceip.exe | hexaceip.exe (recorded 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\3062a26e27196137496909cd884b9adb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3062a26e27196137496909cd884b9adb_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2996
    C:\Users\Admin\AppData\Local\Temp\3062a26e27196137496909cd884b9adb_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\3062a26e27196137496909cd884b9adb_JaffaCakes118.exe --984b98f7
      - Suspicious behavior: RenamesItself
      PID: 4328

C:\Windows\SysWOW64\hexaceip.exe
  Command line: "C:\Windows\SysWOW64\hexaceip.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3536
    C:\Windows\SysWOW64\hexaceip.exe
      Command line: C:\Windows\SysWOW64\hexaceip.exe --af40d881
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID: 4848
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\a831e7ae1e5995dca038e7f9d356b60a_215f2dba-ef84-4dd1-b127-5f514a0c233b
Filesize: 50B
MD5: f6219e219e71470cde16d0483a8d248c
SHA1: fe4df7338b6252c516d72d2889b71331a75e9150
SHA256: 83e2a322cc5b9d93b9fdd0bcd356ee6be52313b2198db91dd5d99f4703ad9f7e
SHA512: 57efbf4b5e6ed8469ae811c9179c14f6431dd07c1e956e1eecfb577efa7970e95f03e69a9443da82b113b4eae879c6bdf5a109dfaa11613ca6eea1cbd21e35d3