Analysis
-
max time kernel
146s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
10-05-2024 18:15
General
-
Target
3066d1b2e84e8444082d70a1ad90c017_JaffaCakes118.exe
-
Size
109KB
-
MD5
3066d1b2e84e8444082d70a1ad90c017
-
SHA1
3bd522bd7256095774f78ba98ea0f4085651b88a
-
SHA256
61ffe36301e722b85088cfceb5d5a703e57eff907119ef305dc92da45c254aaf
-
SHA512
84c61d702d184538cbdac5d99ae18cc9abd6aef456db3133fb1a694aca2947683f098d6601964c633c274358b9b510761e6afee8adfaea03e23609cd654a8fc9
-
SSDEEP
3072:OCrRG9LEWHyMp6awrpEoNLna7EP7S5p1gRk:OCrs0JaYvnDPgg2
Score
10/10
Malware Config
Signatures
-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3066d1b2e84e8444082d70a1ad90c017_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3066d1b2e84e8444082d70a1ad90c017_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3066d1b2e84e8444082d70a1ad90c017_JaffaCakes118.exe--57754af62⤵
- Suspicious behavior: RenamesItself
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:81⤵
-
C:\Windows\SysWOW64\bearsribbon.exe"C:\Windows\SysWOW64\bearsribbon.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\bearsribbon.exe--f72f590b2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1500-6-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1500-7-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/3540-11-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/3540-12-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/3540-15-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/4424-0-0x0000000002020000-0x0000000002031000-memory.dmpFilesize
68KB
-
memory/4424-3-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4424-2-0x0000000002020000-0x0000000002031000-memory.dmpFilesize
68KB
-
memory/5068-4-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5068-10-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB