Analysis
-
max time kernel: 140s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-05-2024 11:04
Behavioral task: behavioral1
Sample: 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe
Resource: win7-20240221-en
General
-
Target: 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe
Size: 70KB
MD5: 3444b2a35b74fb06edead1cffd4d7fd9
SHA1: ec4f9fd5e0ff7acd99eef5083a02a8e5bb9b7cf7
SHA256: b78dd25ad989de2ae380ac8e42509cd2aa2c4e662e0c8c3fb488a9a20d3c537d
SHA512: 479c4319499b3aa52f0acec11869b8395a4765ff161ff1310ed3249980f6d2ab58e80bd57a03ed791108f1ab6a88242319c25565c89a9c2b9901a4396dad16ee
SSDEEP: 1536:EQ14LR8spFrd2kxP9GkYsPHmmXZxhDVSQo/l7xmGzFBnO2i8sVJTcWT:j+8sLd2kJ9GSZjhSz/l7cGhE2iJ37
Malware Config
Extracted
Family: emotet
Botnet: Epoch2
Note: Epoch2 was one of the Emotet botnets dismantled in the January 2021 law-enforcement takedown, so the C2 list below is historical. Emotet's tier-1 C2 hosts were typically compromised or short-lived rented servers, many in commodity hosting ranges; use the addresses for retrospective log matching rather than for blind blocking, since several have since been reassigned. Note also that the ports are arbitrary (53, 21, 22, 20, 993, 995 all appear): Emotet speaks HTTP to its C2 on whatever port the config names, so a connection to one of these hosts on port 53 is not DNS.
C2 (host:port):
179.12.170.88:8080
182.76.6.2:8080
201.250.11.236:50000
86.98.25.30:53
190.226.44.20:21
198.199.88.162:8080
178.62.37.188:443
92.51.129.249:4143
92.222.125.16:7080
142.44.162.209:8080
92.222.216.44:8080
138.201.140.110:8080
64.13.225.150:8080
186.4.194.153:993
182.176.132.213:8090
37.157.194.134:443
206.189.98.125:8080
45.123.3.54:443
45.33.49.124:443
178.79.161.166:443
104.131.11.150:8080
173.212.203.26:8080
186.4.172.5:8080
88.156.97.210:80
190.145.67.134:8090
144.139.247.220:80
159.65.25.128:8080
103.97.95.218:143
186.4.172.5:443
87.106.136.232:8080
189.209.217.49:80
149.202.153.252:8080
78.24.219.147:8080
125.99.106.226:80
95.128.43.213:8080
47.41.213.2:22
37.208.39.59:7080
185.94.252.13:443
212.71.234.16:8080
87.106.139.101:8080
188.166.253.46:8080
175.100.138.82:22
85.104.59.244:20
62.75.187.192:8080
91.205.215.66:8080
136.243.177.26:8080
190.186.203.55:80
162.243.125.212:8080
91.83.93.103:7080
217.160.182.191:8080
94.205.247.10:80
211.63.71.72:8080
41.220.119.246:80
104.236.246.93:8080
117.197.124.36:443
75.127.14.170:8080
31.12.67.62:7080
169.239.182.217:8080
179.32.19.219:22
177.246.193.139:20
31.172.240.91:8080
152.169.236.172:80
201.212.57.109:80
222.214.218.192:8080
87.230.19.21:8080
190.53.135.159:21
46.105.131.87:80
182.176.106.43:995
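How a detection engineer would consume the list above, as an added Python example that is not part of the sandbox report: it parses an excerpt of the extracted config into matchable indicators, de-duplicates hosts (186.4.172.5 is listed on both 8080 and 443), flags entries on ports normally owned by other services, and classifies flow records against the set with an "exact" versus "ip-only" verdict. The ENTRIES text is copied from the config above; the FLOW_LOG records and all function names are this example's own.

```python
"""Turn the extracted Emotet C2 list into matchable indicators.

Added example, not part of the sandbox report. ENTRIES is an excerpt of the
host:port lines in the "Malware Config" section; FLOW_LOG is constructed.
"""
import ipaddress
from collections import defaultdict

# Excerpt of the extracted Epoch2 config, copied from the report.
ENTRIES = """
179.12.170.88:8080
86.98.25.30:53
190.226.44.20:21
178.62.37.188:443
186.4.194.153:993
186.4.172.5:8080
186.4.172.5:443
47.41.213.2:22
85.104.59.244:20
182.176.106.43:995
"""

# Ports whose conventional service is not HTTP(S). Emotet talks HTTP to its
# C2 on whatever port the config says, so a hit on 53 or 22 must not be
# waved through as "just DNS" or "just SSH".
NON_WEB_PORTS = {20: "ftp-data", 21: "ftp", 22: "ssh", 53: "dns",
                 143: "imap", 993: "imaps", 995: "pop3s"}


def parse_config(text):
    """'ip:port' lines -> {ip: set(ports)}. Malformed or non-routable
    entries raise, so a corrupted feed is noticed instead of silently thinned."""
    c2 = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        ip = ipaddress.ip_address(host)            # ValueError on garbage
        if ip.is_private or ip.is_loopback or not port.isdigit():
            raise ValueError(f"bad C2 entry: {line}")
        c2[str(ip)].add(int(port))
    return dict(c2)


def odd_port_entries(c2):
    """(ip, port, usual service) for entries on ports normally used by other services."""
    return sorted((ip, p, NON_WEB_PORTS[p])
                  for ip, ports in c2.items() for p in ports if p in NON_WEB_PORTS)


def classify_flow(c2, dst_ip, dst_port):
    """'exact' when (ip, port) is configured, 'ip-only' when only the host is
    (bots get re-pointed to other ports by config updates), else None."""
    ports = c2.get(dst_ip)
    if ports is None:
        return None
    return "exact" if dst_port in ports else "ip-only"


def scan_flows(c2, flow_lines):
    """Run classify_flow over 'src dst dport' records; return the hits."""
    hits = []
    for line in flow_lines:
        src, dst, dport = line.split()
        verdict = classify_flow(c2, dst, int(dport))
        if verdict:
            hits.append((src, dst, int(dport), verdict))
    return hits


# Constructed flow records (not from the report), 'src dst dport'.
FLOW_LOG = [
    "10.0.0.15 186.4.172.5 8080",   # exact match
    "10.0.0.15 186.4.172.5 80",     # known C2 host, port not in this config
    "10.0.0.15 86.98.25.30 53",     # looks like DNS, is an Emotet C2
    "10.0.0.15 8.8.8.8 53",         # real DNS, no hit
]

if __name__ == "__main__":
    c2 = parse_config(ENTRIES)
    print(f"{len(c2)} unique C2 hosts")
    for ip, port, svc in odd_port_entries(c2):
        print(f"  {ip}:{port}  (port normally {svc})")
    for hit in scan_flows(c2, FLOW_LOG):
        print("HIT", hit)
```

The "ip-only" verdict is deliberate: a host seen in one config on 8080 may be contacted on 443 by a bot that received a later config update, so matching on the address alone, with the port as supporting detail, catches more than an exact (ip, port) tuple would.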
Signatures
-
Drops file in System32 directory 1 IoCs
Processes: intellayer.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | intellayer.exe
Note: counters.dat under config\systemprofile\...\Temporary Internet Files is the WinINet cache bookkeeping file of the LocalSystem profile. Its modification shows that intellayer.exe issued HTTP requests through WinINet while running as SYSTEM; it is not a dropped payload, so the signature name overstates what happened here.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 21 IoCs
Processes: intellayer.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31 | intellayer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | intellayer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | intellayer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | intellayer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadDecision = "0" | intellayer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadNetworkName = "Network 3" | intellayer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\fe-a3-50-a3-bf-31 | intellayer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDecisionTime = 80e8d10793a3da01 | intellayer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | intellayer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | intellayer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadDecisionReason = "1" | intellayer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadDecisionTime = 80e8d10793a3da01 | intellayer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ee000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | intellayer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87} | intellayer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | intellayer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | intellayer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | intellayer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDecisionReason = "1" | intellayer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDecision = "0" | intellayer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | intellayer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | intellayer.exe
Note: every write is under HKEY_USERS\.DEFAULT, the profile hive used by the LocalSystem account, which tells you intellayer.exe is running as SYSTEM. The Wpad\*, Connections\* and 5.0\Cache\* values are what WinINet writes on its first request from a profile that has never used it (WPAD auto-proxy detection, with WpadDecision = 0 meaning no proxy script was found, and cache initialisation). In the DefaultConnectionSettings blob the third DWORD, 0x09, is PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_DETECT, the usual default, and ProxyEnable = 0 confirms no proxy was configured. These entries therefore evidence outbound HTTP activity from a SYSTEM-context process, not proxy tampering or persistence.
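Separating this kind of WinINet bookkeeping from writes that actually matter is routine when triaging reports. The following Python is an added example, not Triage's own signature logic: it parses IoC lines of the shape used above, records whether the write happened in the LocalSystem profile hive, and classifies each key as WinINet/WPAD noise, a persistence location, or other. The first four input lines are copied from the table above; the two Run and Services lines are constructed to show the contrast and were not observed in this report. Function names are this example's own.

```python
"""Classify registry IoC lines from a sandbox report.

Added example, not Triage's own signature logic. The first four REG_IOCS
lines are copied from the HKEY_USERS table above; the last two are
constructed to show what a persistence write would look like and were not
observed in this report.
"""
import re

REG_IOCS = r"""
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\intellayer = "C:\Windows\SysWOW64\intellayer.exe"
Set value (str) \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\intellayer\ImagePath = "C:\Windows\SysWOW64\intellayer.exe"
"""

# One IoC line: action, optional value type, key (plus value name), optional data.
IOC_RE = re.compile(
    r"^(?P<action>Key created|Set value \((?P<vtype>\w+)\)) "
    r"(?P<path>\\REGISTRY\\.+?)(?: = (?P<data>.*))?$"
)

# Lower-case key prefixes, relative to the hive root, trailing backslash kept
# so that "...\Run\" does not also match "...\RunOnce\".
WININET_NOISE = "\\software\\microsoft\\windows\\currentversion\\internet settings\\"
PERSISTENCE = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
    "\\system\\currentcontrolset\\services\\",
)


def parse_ioc(line):
    """Split one line into hive, user SID (HKU only), key, value name and data."""
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    action, vtype, path, data = m.group("action", "vtype", "path", "data")
    parts = path.split("\\")              # ['', 'REGISTRY', 'USER', '.DEFAULT', ...]
    hive = parts[2]
    sid = parts[3] if hive == "USER" else None
    if action == "Key created":
        key, value_name = path, None
    else:
        key, value_name = path.rsplit("\\", 1)
    return {"action": action, "vtype": vtype, "hive": hive, "sid": sid,
            "key": key, "value_name": value_name, "data": data}


def classify(rec):
    """'wininet-noise' for WinINet/WPAD bookkeeping, 'persistence' for
    autostart locations, 'other' for everything else."""
    key = rec["key"].lower() + "\\"
    if WININET_NOISE in key:
        return "wininet-noise"
    if any(p in key for p in PERSISTENCE):
        return "persistence"
    return "other"


def triage(text):
    """Parse and classify every non-empty line; flag LocalSystem-context writes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_ioc(line.strip())
        rec["verdict"] = classify(rec)
        # HKU\.DEFAULT is the profile hive the LocalSystem account uses, so
        # writes there mean the process is running as SYSTEM.
        rec["system_context"] = rec["hive"] == "USER" and rec["sid"] == ".DEFAULT"
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in triage(REG_IOCS):
        ctx = "SYSTEM" if rec["system_context"] else rec["hive"]
        print(f"{rec['verdict']:14} {ctx:7} {rec['key']}"
              + (f" -> {rec['value_name']}" if rec["value_name"] else ""))
```

Run against the four report lines alone, everything comes back as wininet-noise in SYSTEM context, which is exactly the summary a reviewer wants from this signature: the process is privileged and talked HTTP, but nothing under HKEY_USERS here is a persistence mechanism.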
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: intellayer.exe
pid | process
2080 | intellayer.exe
2080 | intellayer.exe
2080 | intellayer.exe
Suspicious behavior: RenamesItself 1 IoCs
Processes: 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe
pid | process
2100 | 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe, intellayer.exe
description | pid | process | target process
PID 2868 wrote to memory of 2100 | 2868 | 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe | 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe
PID 2868 wrote to memory of 2100 | 2868 | 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe | 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe
PID 2868 wrote to memory of 2100 | 2868 | 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe | 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe
PID 2868 wrote to memory of 2100 | 2868 | 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe | 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe
PID 2940 wrote to memory of 2080 | 2940 | intellayer.exe | intellayer.exe
PID 2940 wrote to memory of 2080 | 2940 | intellayer.exe | intellayer.exe
PID 2940 wrote to memory of 2080 | 2940 | intellayer.exe | intellayer.exe
PID 2940 wrote to memory of 2080 | 2940 | intellayer.exe | intellayer.exe
Note: in both cases the target is the writer's own freshly created child (2868 -> 2100 and 2940 -> 2080), each receiving four writes at creation. That pattern accompanies an ordinary CreateProcess of a child in this sandbox and is not evidence of injection into an unrelated process; the interesting fact is the parent-child relaunch itself, not the memory writes.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe"
    PID: 2868
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe
        command line: --98dd4e58
        PID: 2100
        - Suspicious behavior: RenamesItself
-
[1] C:\Windows\SysWOW64\intellayer.exe
    command line: "C:\Windows\SysWOW64\intellayer.exe"
    PID: 2940
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\intellayer.exe
        command line: --e9d8146d
        PID: 2080
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
Note: the two trees show the same pattern twice. The submitted sample (PID 2868) starts a second copy of itself whose whole command line is a bare --<8 hex digits> argument, and that copy (PID 2100) renames its own file. The same binary then appears as C:\Windows\SysWOW64\intellayer.exe, a generated name under the system directory, and repeats the relaunch (2940 -> 2080) with a different argument. The SysWOW64 copy runs under the LocalSystem account (see the HKEY_USERS\.DEFAULT and systemprofile artifacts above), which is consistent with Emotet's service-based install when it has administrative rights; the report does not record which process started PID 2940, so the service start itself is inferred, not observed. The --<hex> relaunch argument and a non-Microsoft executable with an invented name in SysWOW64 are the two host-side indicators worth hunting for.
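The relaunch pattern and the parent-child check on the WriteProcessMemory entries can be expressed as code run over the report's own records. The following Python is an added example, not code from the sandbox: it rebuilds the process tree from the four processes above and the eight "wrote to memory of" lines, reports any write that is not a parent writing into its own child (none here), and lists every same-image child started with a bare --<hex> argument together with whether it ran from the user profile (initial stage) or the Windows directory (installed copy). The records are transcribed from this report; the function names are this example's own.

```python
"""Rebuild the process tree from the report's "Processes" and
"WriteProcessMemory" sections and test it for Emotet's self-relaunch
pattern. Added example, not code from the sandbox; the records are
transcribed from the report, the function names are this example's own.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe"
INSTALLED = r"C:\Windows\SysWOW64\intellayer.exe"

# (pid, parent pid, image path, command line) as shown in the process tree;
# the two roots have no recorded parent.
PROCESSES = [
    (2868, None, SAMPLE, f'"{SAMPLE}"'),
    (2100, 2868, SAMPLE, "--98dd4e58"),
    (2940, None, INSTALLED, f'"{INSTALLED}"'),
    (2080, 2940, INSTALLED, "--e9d8146d"),
]

# "Suspicious use of WriteProcessMemory" IoC lines, verbatim from the report.
WRITE_IOCS = """
PID 2868 wrote to memory of 2100
PID 2868 wrote to memory of 2100
PID 2868 wrote to memory of 2100
PID 2868 wrote to memory of 2100
PID 2940 wrote to memory of 2080
PID 2940 wrote to memory of 2080
PID 2940 wrote to memory of 2080
PID 2940 wrote to memory of 2080
"""

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# Emotet starts its second instance with nothing but "--<8 hex digits>".
RELAUNCH_ARG = re.compile(r"^--[0-9a-f]{8}$")


def parse_writes(text):
    """(writer_pid, target_pid) for every IoC line, duplicates kept."""
    return [(int(w), int(t)) for w, t in WRITE_RE.findall(text)]


def write_counts(writes):
    """Number of writes per (writer, target) pair."""
    counts = defaultdict(int)
    for pair in writes:
        counts[pair] += 1
    return dict(counts)


def foreign_writes(processes, writes):
    """Writes into a process that is not the writer's own child. Writes into
    a just-created child are part of normal process start-up; anything this
    function returns would be actual cross-process injection."""
    parent_of = {pid: ppid for pid, ppid, _, _ in processes}
    return [(w, t) for w, t in writes if parent_of.get(t) != w]


def stage_of(image):
    """Where the binary lives says which stage of the infection it is."""
    low = image.lower()
    if low.startswith("c:\\windows\\"):
        return "installed"
    if low.startswith("c:\\users\\"):
        return "initial"
    return "unknown"


def self_relaunches(processes):
    """(parent_pid, child_pid, image, stage) for every child that runs the
    same image as its parent with a bare --<hex> argument."""
    by_pid = {p[0]: p for p in processes}
    found = []
    for pid, ppid, image, cmdline in processes:
        parent = by_pid.get(ppid)
        if parent and parent[2].lower() == image.lower() and RELAUNCH_ARG.match(cmdline):
            found.append((ppid, pid, image, stage_of(image)))
    return found


if __name__ == "__main__":
    writes = parse_writes(WRITE_IOCS)
    print("writes per pair:", write_counts(writes))
    print("writes outside parent->child:", foreign_writes(PROCESSES, writes))
    for ppid, pid, image, stage in self_relaunches(PROCESSES):
        print(f"{ppid} -> {pid}: {image} ({stage} stage)")
```

The same two checks translate directly into an EDR query: parent and child with identical image paths and a child command line matching ^--[0-9a-f]{8}$, plus any WriteProcessMemory whose target is not the caller's own child.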