Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-05-2024 04:11

General

  • Target

    32a6c28727d98c8dc0421f2d30d12c03_JaffaCakes118.exe

  • Size

    327KB

  • MD5

    32a6c28727d98c8dc0421f2d30d12c03

  • SHA1

    ba1bb102d38be59de5e6b7c606392041d61dd642

  • SHA256

    127eee06c3e0cc88558614bf9592282e92b0bcdd9c92e72576f5de9fa3c6d2fe

  • SHA512

    24066c1d4f5806323cffbed381ccc0b2a31127f29904b34fcec9114f740d60ea2aaf3ec61d5e781bbab9e0f58c4d75480902a935235c8c868dd241054e4329bc

  • SSDEEP

    6144:Etm2wPZvZsPvTjGauXXZzHC1nHaT7XVOk0fV2MZUD5fnIzoez+wR8s:r2vTqjC1nHI7KfQMZB+wz

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2


rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32a6c28727d98c8dc0421f2d30d12c03_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\32a6c28727d98c8dc0421f2d30d12c03_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Windows\SysWOW64\WSDApi\neth.exe
      "C:\Windows\SysWOW64\WSDApi\neth.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1220

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\WSDApi\neth.exe

    Filesize

    327KB

    MD5

    32a6c28727d98c8dc0421f2d30d12c03

    SHA1

    ba1bb102d38be59de5e6b7c606392041d61dd642

    SHA256

    127eee06c3e0cc88558614bf9592282e92b0bcdd9c92e72576f5de9fa3c6d2fe

    SHA512

    24066c1d4f5806323cffbed381ccc0b2a31127f29904b34fcec9114f740d60ea2aaf3ec61d5e781bbab9e0f58c4d75480902a935235c8c868dd241054e4329bc

  • memory/1220-14-0x00000000022B0000-0x00000000022BC000-memory.dmp

    Filesize

    48KB

  • memory/1220-10-0x00000000022A0000-0x00000000022AE000-memory.dmp

    Filesize

    56KB

  • memory/1788-0-0x00000000022B0000-0x00000000022BE000-memory.dmp

    Filesize

    56KB

  • memory/1788-4-0x00000000022C0000-0x00000000022CC000-memory.dmp

    Filesize

    48KB

  • memory/1788-7-0x0000000002290000-0x000000000229B000-memory.dmp

    Filesize

    44KB

  • memory/1788-9-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB