Analysis

  • max time kernel
    141s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-05-2024 12:34

General

  • Target

    349c32706cde91863d6b1315cde37130_JaffaCakes118.exe

  • Size

    224KB

  • MD5

    349c32706cde91863d6b1315cde37130

  • SHA1

    096a23cc77e63203cbcd3f7ce1120980cbbe6121

  • SHA256

    48e83788053f0080077b2ad7aa3a534b92b0ff9d6277eb81b7f919a7f6a2d56d

  • SHA512

    7ae24fe2a3b820630db608c680575dff371a00b0ff08a1e21b8d89bc294d58f5d26e9bb70685b0dbf6820e2738dbd29fafda050637970e1e4ed3d89d22ce2e86

  • SSDEEP

    3072:dD1v8rVu99d3eaEeh35MGCJBLP4fnpSWBomdJq2+JC+I81WEQdCnk9/:rC+OfepFCJ1PMpSWSmn5+IMWxFp

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

75.80.124.4:80

134.209.36.254:8080

104.156.59.7:8080

120.138.30.150:8080

107.5.122.110:80

195.251.213.56:80

91.211.88.52:7080

79.98.24.39:8080

75.139.38.211:80

82.225.49.121:80

162.241.242.173:8080

94.1.108.190:443

85.105.205.77:8080

181.169.34.190:80

24.179.13.119:80

139.59.67.118:443

82.80.155.43:80

50.91.114.38:80

93.147.212.206:80

153.232.188.106:80

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet payload 5 IoCs

    Detects Emotet payload in memory.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\349c32706cde91863d6b1315cde37130_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\349c32706cde91863d6b1315cde37130_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\SysWOW64\Windows.Devices.Lights\mspbde40.exe
      "C:\Windows\SysWOW64\Windows.Devices.Lights\mspbde40.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1904
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 1004
      2⤵
      • Program crash
      PID:2076
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1736 -ip 1736
    1⤵
      PID:1236

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Windows.Devices.Lights\mspbde40.exe

      Filesize

      224KB

      MD5

      349c32706cde91863d6b1315cde37130

      SHA1

      096a23cc77e63203cbcd3f7ce1120980cbbe6121

      SHA256

      48e83788053f0080077b2ad7aa3a534b92b0ff9d6277eb81b7f919a7f6a2d56d

      SHA512

      7ae24fe2a3b820630db608c680575dff371a00b0ff08a1e21b8d89bc294d58f5d26e9bb70685b0dbf6820e2738dbd29fafda050637970e1e4ed3d89d22ce2e86

    • memory/1736-4-0x00000000009B0000-0x00000000009C0000-memory.dmp

      Filesize

      64KB

    • memory/1736-0-0x0000000000990000-0x00000000009A2000-memory.dmp

      Filesize

      72KB

    • memory/1736-7-0x00000000006D0000-0x00000000006DF000-memory.dmp

      Filesize

      60KB

    • memory/1736-9-0x0000000000400000-0x0000000000439000-memory.dmp

      Filesize

      228KB

    • memory/1904-14-0x0000000000540000-0x0000000000550000-memory.dmp

      Filesize

      64KB

    • memory/1904-10-0x0000000002290000-0x00000000022A2000-memory.dmp

      Filesize

      72KB