Analysis
-
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 11:04
Behavioral task: behavioral1
Sample: 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe
Resource: win7-20240221-en
General
-
Target: 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe
Size: 70KB
MD5: 3444b2a35b74fb06edead1cffd4d7fd9
SHA1: ec4f9fd5e0ff7acd99eef5083a02a8e5bb9b7cf7
SHA256: b78dd25ad989de2ae380ac8e42509cd2aa2c4e662e0c8c3fb488a9a20d3c537d
SHA512: 479c4319499b3aa52f0acec11869b8395a4765ff161ff1310ed3249980f6d2ab58e80bd57a03ed791108f1ab6a88242319c25565c89a9c2b9901a4396dad16ee
SSDEEP: 1536:EQ14LR8spFrd2kxP9GkYsPHmmXZxhDVSQo/l7xmGzFBnO2i8sVJTcWT:j+8sLd2kJ9GSZjhSz/l7cGhE2iJ37
Malware Config
Extracted
emotet
Epoch2
179.12.170.88:8080
182.76.6.2:8080
201.250.11.236:50000
86.98.25.30:53
190.226.44.20:21
198.199.88.162:8080
178.62.37.188:443
92.51.129.249:4143
92.222.125.16:7080
142.44.162.209:8080
92.222.216.44:8080
138.201.140.110:8080
64.13.225.150:8080
186.4.194.153:993
182.176.132.213:8090
37.157.194.134:443
206.189.98.125:8080
45.123.3.54:443
45.33.49.124:443
178.79.161.166:443
104.131.11.150:8080
173.212.203.26:8080
186.4.172.5:8080
88.156.97.210:80
190.145.67.134:8090
144.139.247.220:80
159.65.25.128:8080
103.97.95.218:143
186.4.172.5:443
87.106.136.232:8080
189.209.217.49:80
149.202.153.252:8080
78.24.219.147:8080
125.99.106.226:80
95.128.43.213:8080
47.41.213.2:22
37.208.39.59:7080
185.94.252.13:443
212.71.234.16:8080
87.106.139.101:8080
188.166.253.46:8080
175.100.138.82:22
85.104.59.244:20
62.75.187.192:8080
91.205.215.66:8080
136.243.177.26:8080
190.186.203.55:80
162.243.125.212:8080
91.83.93.103:7080
217.160.182.191:8080
94.205.247.10:80
211.63.71.72:8080
41.220.119.246:80
104.236.246.93:8080
117.197.124.36:443
75.127.14.170:8080
31.12.67.62:7080
169.239.182.217:8080
179.32.19.219:22
177.246.193.139:20
31.172.240.91:8080
152.169.236.172:80
201.212.57.109:80
222.214.218.192:8080
87.230.19.21:8080
190.53.135.159:21
46.105.131.87:80
182.176.106.43:995
Signatures
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic on the DNS port (53) to a server other than the configured DNS servers was detected. The destination below is not a resolver: 86.98.25.30:53 is one of the Epoch2 C2 endpoints in the extracted config above, so this is C2 traffic that happens to use port 53.
IoCs:
description | ioc
Destination IP | 86.98.25.30
-
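The two things a responder would do with the sections above are to match outbound traffic against the extracted Epoch2 C2 list and to reproduce the "unexpected DNS destination" check (port 53 to anything that is not a configured resolver). The script below does both over a handful of flow records. It is an added example, not part of the sandbox report: the C2 entries are a subset copied from the "Malware Config" section, while the CONFIGURED_DNS resolvers, the flow-record format and the flow lines themselves are constructed for the example (203.0.113.10 and 198.51.100.1 are documentation-range addresses standing in for benign hosts).

```python
"""Network IOC check for the Emotet Epoch2 C2 list extracted above.

Added example, not part of the sandbox report. The C2 entries are copied from
the report's "Malware Config" section (a subset). CONFIGURED_DNS, the flow
format and SAMPLE_FLOWS are constructed for the example, not real telemetry.
"""
from collections import namedtuple

# Subset of the extracted Epoch2 config: (ip, port) pairs.
EMOTET_EPOCH2_C2 = {
    ("179.12.170.88", 8080),
    ("86.98.25.30", 53),
    ("190.226.44.20", 21),
    ("178.62.37.188", 443),
    ("47.41.213.2", 22),
    ("182.176.106.43", 995),
}

# Resolvers the monitored host is configured to use (assumption for the example).
CONFIGURED_DNS = {"10.0.0.53", "10.0.1.53"}

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed flow records: "<src> <dst> <dport> <proto>".
SAMPLE_FLOWS = """\
10.0.0.15 10.0.0.53 53 udp
10.0.0.15 86.98.25.30 53 tcp
10.0.0.15 178.62.37.188 443 tcp
10.0.0.15 203.0.113.10 443 tcp
10.0.0.15 179.12.170.88 80 tcp
10.0.0.15 198.51.100.1 53 udp
"""


def parse_flow(line):
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def classify(flow, c2=EMOTET_EPOCH2_C2, dns=CONFIGURED_DNS):
    """Return the list of findings for one flow (empty if nothing matched)."""
    findings = []
    c2_ips = {ip for ip, _ in c2}
    if (flow.dst, flow.dport) in c2:
        findings.append("emotet_epoch2_c2")
    elif flow.dst in c2_ips:
        # Same host, different port: the config lists one port per host,
        # but a contact on another port is still worth a look.
        findings.append("emotet_epoch2_c2_ip_other_port")
    if flow.dport == 53 and flow.dst not in dns:
        # The report's "Unexpected DNS network traffic destination" signature:
        # port 53 to anything that is not one of the configured resolvers.
        # The extracted config lists 86.98.25.30:53 as a C2 endpoint, so port
        # 53 there is a C2 port, not a resolver, and the flow trips both checks.
        findings.append("unexpected_dns_destination")
    return findings


def scan(text):
    """Return [(line, findings)] for every flow line that produced a finding."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        findings = classify(parse_flow(line))
        if findings:
            results.append((line, findings))
    return results


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_FLOWS):
        print(f"{line:40s} {', '.join(findings)}")
```

The port-53 rule deliberately ignores the transport: resolver traffic to a non-configured server is a policy violation either way, and a TCP session to port 53 on a host that is not a resolver is exactly the shape this sample produces.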
Drops file in System32 directory 4 IoCs
Processes: mailreadand.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | mailreadand.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | mailreadand.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | mailreadand.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | mailreadand.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 3 IoCs
Processes: mailreadand.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mailreadand.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mailreadand.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mailreadand.exe
These are the WinINet cache keys, written to the .DEFAULT hive rather than the submitting user's hive; together with the cache directories under config\systemprofile in the previous signature, this shows the SysWOW64 copy is running as LocalSystem, not as the user who launched the sample.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: mailreadand.exe
pid | process
3208 | mailreadand.exe (12 occurrences)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe
pid | process
2960 | 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe, mailreadand.exe
description | pid | process | target process
PID 4480 wrote to memory of 2960 | 4480 | 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe | 3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe (3 occurrences)
PID 3596 wrote to memory of 3208 | 3596 | mailreadand.exe | mailreadand.exe (3 occurrences)
Each write is a parent writing into the child it just spawned (the same two parent/child pairs as in the process tree below), not an injection into an unrelated process.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4480
  [depth 2] C:\Users\Admin\AppData\Local\Temp\3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe --98dd4e58
    - Suspicious behavior: RenamesItself
    PID: 2960
-
[depth 1] C:\Windows\SysWOW64\mailreadand.exe
  command line: "C:\Windows\SysWOW64\mailreadand.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3596
  [depth 2] C:\Windows\SysWOW64\mailreadand.exe --6d207020
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 3208
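Both stages in the tree above launch a second copy of their own image with a single argument of the form "--" plus eight hex digits (--98dd4e58 from %TEMP%, --6d207020 from the SysWOW64 copy). That shape is easy to hunt for in process-creation telemetry. The script below is an added example, not part of the sandbox report: it walks process-create records modelled on Sysmon event 1 fields (pid, parent pid, image, command line; the field names and the ProcEvent type are this example's own), flags a child whose parent runs the same image and whose only argument matches that pattern, and rates the hit higher when the image already sits under System32 or SysWOW64. The records are constructed from the report's tree plus one benign self-spawn; the parent PIDs of the two top-level processes and the browser path are assumed.

```python
"""Hunt for the self-spawn-with-hex-argument pattern from the process tree above.

Added example, not part of the sandbox report. ProcEvent and the record fields
are modelled on Sysmon event 1 (not Sysmon's own API); SAMPLE_EVENTS is built
from the report's tree plus a constructed benign self-spawn. Parent PIDs of
the top-level processes (1000) and the browser path are assumptions.
"""
import re
from dataclasses import dataclass

HEX_ARG = re.compile(r"^--[0-9a-f]{8}$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\3444b2a35b74fb06edead1cffd4d7fd9_JaffaCakes118.exe"
INSTALLED = r"C:\Windows\SysWOW64\mailreadand.exe"
BROWSER = r"C:\Program Files\Browser\browser.exe"  # hypothetical benign program

SAMPLE_EVENTS = [
    ProcEvent(4480, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2960, 4480, DROPPER, f'"{DROPPER}" --98dd4e58'),
    ProcEvent(3596, 1000, INSTALLED, f'"{INSTALLED}"'),
    ProcEvent(3208, 3596, INSTALLED, f'"{INSTALLED}" --6d207020'),
    # Benign self-spawn: same image as parent, but the argument shape differs.
    ProcEvent(5000, 1000, BROWSER, f'"{BROWSER}"'),
    ProcEvent(5001, 5000, BROWSER, f'"{BROWSER}" --type=renderer'),
]


def args_of(cmdline):
    """Arguments after the executable token; handles a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.split()


def detect_self_spawn(events):
    """One hit per child whose parent runs the same image and whose only
    argument is an eight-hex-digit '--' token."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() != e.image.lower():
            continue
        args = args_of(e.cmdline)
        if len(args) == 1 and HEX_ARG.match(args[0]):
            in_sysdir = e.image.lower().startswith(SYSTEM_DIRS)
            hits.append({
                "pid": e.pid,
                "ppid": e.ppid,
                "image": e.image,
                "arg": args[0],
                # A copy already under SysWOW64/System32 is past the
                # install step, hence the higher rating.
                "severity": "high" if in_sysdir else "medium",
            })
    return hits


if __name__ == "__main__":
    for h in detect_self_spawn(SAMPLE_EVENTS):
        print(f"{h['severity']:6s} pid={h['pid']} ppid={h['ppid']} {h['image']} {h['arg']}")
```

The parent/child image comparison is what keeps this quiet on ordinary software: many programs re-launch themselves, but a lone argument that is nothing but eight hex digits is the specific shape seen here, and a match from inside SysWOW64 means the file has already been planted under the system directory.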