Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 04:11
Static task: static1
Behavioral task: behavioral1
Sample: 32a6c28727d98c8dc0421f2d30d12c03_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 32a6c28727d98c8dc0421f2d30d12c03_JaffaCakes118.exe
Size: 327KB
MD5: 32a6c28727d98c8dc0421f2d30d12c03
SHA1: ba1bb102d38be59de5e6b7c606392041d61dd642
SHA256: 127eee06c3e0cc88558614bf9592282e92b0bcdd9c92e72576f5de9fa3c6d2fe
SHA512: 24066c1d4f5806323cffbed381ccc0b2a31127f29904b34fcec9114f740d60ea2aaf3ec61d5e781bbab9e0f58c4d75480902a935235c8c868dd241054e4329bc
SSDEEP: 6144:Etm2wPZvZsPvTjGauXXZzHC1nHaT7XVOk0fV2MZUD5fnIzoez+wR8s:r2vTqjC1nHI7KfQMZB+wz
Malware Config
Extracted
Family: emotet
Botnet: Epoch2
C2 (IP:port):
192.158.216.73:80
85.214.28.226:8080
142.44.137.67:443
162.241.242.173:8080
85.152.162.105:80
62.30.7.67:443
78.24.219.147:8080
74.120.55.163:80
169.239.182.217:8080
216.208.76.186:80
95.213.236.64:8080
200.114.213.233:8080
104.131.44.150:8080
70.121.172.89:80
75.139.38.211:80
185.94.252.104:443
97.82.79.83:80
103.86.49.11:8080
79.98.24.39:8080
83.169.36.251:8080
188.219.31.12:80
74.208.45.104:8080
137.59.187.107:8080
174.45.13.118:80
194.187.133.160:443
50.81.3.113:80
201.173.217.124:443
139.99.158.11:443
68.188.112.97:80
113.160.130.116:8443
173.62.217.22:443
139.130.242.43:80
190.160.53.126:80
137.119.36.33:80
209.141.54.221:8080
24.179.13.119:80
120.150.60.189:80
107.5.122.110:80
121.124.124.40:7080
203.153.216.189:7080
157.245.99.39:8080
85.105.205.77:8080
173.81.218.65:80
110.145.77.103:80
47.144.21.12:443
95.179.229.244:8080
187.161.206.24:80
46.105.131.79:8080
189.212.199.126:443
168.235.67.138:7080
24.137.76.62:80
85.66.181.138:80
200.41.121.90:80
5.39.91.110:7080
104.236.246.93:8080
172.91.208.86:80
99.224.14.125:80
37.139.21.175:8080
109.74.5.95:8080
1.221.254.82:80
61.19.246.238:443
5.196.74.210:8080
67.205.85.243:8080
79.137.83.50:443
94.200.114.161:80
70.180.43.7:80
190.55.181.54:443
47.146.117.214:80
89.205.113.80:80
37.187.72.193:8080
84.39.182.7:80
104.131.11.150:443
139.162.108.71:8080
87.106.136.232:8080
153.232.188.106:80
37.70.8.161:80
112.185.64.233:80
87.106.139.101:8080
94.23.237.171:443
24.43.99.75:80
203.117.253.142:80
98.109.204.230:80
93.147.212.206:80
91.211.88.52:7080
139.59.60.244:8080
176.111.60.55:8080
180.92.239.110:8080
62.75.141.82:80
174.102.48.180:443
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1220  neth.exe

Drops file in System32 directory (1 IoC)
Processes:
  description                    ioc                                    process
  File opened for modification   C:\Windows\SysWOW64\WSDApi\neth.exe    32a6c28727d98c8dc0421f2d30d12c03_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
  pid   process
  1220  neth.exe  (18 occurrences)

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid   process
  1788  32a6c28727d98c8dc0421f2d30d12c03_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid   process
  1788  32a6c28727d98c8dc0421f2d30d12c03_JaffaCakes118.exe  (2 occurrences)
  1220  neth.exe  (2 occurrences)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process                                              target process
  PID 1788 wrote to memory of 1220  1788  32a6c28727d98c8dc0421f2d30d12c03_JaffaCakes118.exe  neth.exe  (3 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\32a6c28727d98c8dc0421f2d30d12c03_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\32a6c28727d98c8dc0421f2d30d12c03_JaffaCakes118.exe"
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1788

   2. C:\Windows\SysWOW64\WSDApi\neth.exe  (child of PID 1788)
      command line: "C:\Windows\SysWOW64\WSDApi\neth.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 1220
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 327KB
MD5: 32a6c28727d98c8dc0421f2d30d12c03
SHA1: ba1bb102d38be59de5e6b7c606392041d61dd642
SHA256: 127eee06c3e0cc88558614bf9592282e92b0bcdd9c92e72576f5de9fa3c6d2fe
SHA512: 24066c1d4f5806323cffbed381ccc0b2a31127f29904b34fcec9114f740d60ea2aaf3ec61d5e781bbab9e0f58c4d75480902a935235c8c868dd241054e4329bc