Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 18:11

General

  • Target

    3062a26e27196137496909cd884b9adb_JaffaCakes118.exe

  • Size

    188KB

  • MD5

    3062a26e27196137496909cd884b9adb

  • SHA1

    9ca8bdafcfd6e5e6204125119b675cc855ff00c8

  • SHA256

    1bd02412be82153e7175f092d645cb0957a796d1cf786efc9268337374cc5d63

  • SHA512

    ffbe013201f10eaceff35123c7ab973b934b4bfa04a02153abd6da88aecd6d86969d59f8bef353580dda151eebb5be4635f97ca482f6efef3b2e24d65b3d8a04

  • SSDEEP

    3072:h7pI7kZNb+M4zcDufZ28zDLYGL1BBRpzkaagwqUnIauUu/e:h7dfb+M8R28HLYGxRpzkw1Un9u/e

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

192.241.255.77:8080

74.208.125.192:443

165.227.156.155:443

104.239.175.211:8080

5.196.74.210:8080

144.139.247.220:80

206.189.98.125:8080

85.104.59.244:20

182.176.132.213:8090

37.187.2.199:443

171.101.153.86:990

190.226.44.20:21

192.81.213.192:8080

31.12.67.62:7080

95.128.43.213:8080

186.75.241.230:80

104.131.11.150:8080

46.105.131.87:80

152.89.236.214:8080

91.205.215.66:8080

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3062a26e27196137496909cd884b9adb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3062a26e27196137496909cd884b9adb_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Users\Admin\AppData\Local\Temp\3062a26e27196137496909cd884b9adb_JaffaCakes118.exe
      --984b98f7
      2⤵
      • Suspicious behavior: RenamesItself
      PID:4328
  • C:\Windows\SysWOW64\hexaceip.exe
    "C:\Windows\SysWOW64\hexaceip.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Windows\SysWOW64\hexaceip.exe
      --af40d881
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:4848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\a831e7ae1e5995dca038e7f9d356b60a_215f2dba-ef84-4dd1-b127-5f514a0c233b

    Filesize

    50B

    MD5

    f6219e219e71470cde16d0483a8d248c

    SHA1

    fe4df7338b6252c516d72d2889b71331a75e9150

    SHA256

    83e2a322cc5b9d93b9fdd0bcd356ee6be52313b2198db91dd5d99f4703ad9f7e

    SHA512

    57efbf4b5e6ed8469ae811c9179c14f6431dd07c1e956e1eecfb577efa7970e95f03e69a9443da82b113b4eae879c6bdf5a109dfaa11613ca6eea1cbd21e35d3

  • memory/2996-0-0x00000000001D0000-0x00000000001E3000-memory.dmp

    Filesize

    76KB

  • memory/2996-6-0x00000000001C0000-0x00000000001CE000-memory.dmp

    Filesize

    56KB

  • memory/2996-5-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/3536-13-0x00000000006D0000-0x00000000006E3000-memory.dmp

    Filesize

    76KB

  • memory/3536-18-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/4328-7-0x00000000001C0000-0x00000000001D3000-memory.dmp

    Filesize

    76KB

  • memory/4328-19-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/4848-21-0x00000000007B0000-0x00000000007C3000-memory.dmp

    Filesize

    76KB

  • memory/4848-26-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB