Analysis

  • max time kernel
    139s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-05-2024 18:43

General

  • Target

    360168bae948242f58b16f0f7e16d9a4_JaffaCakes118.exe

  • Size

    268KB

  • MD5

    360168bae948242f58b16f0f7e16d9a4

  • SHA1

    e67ed37732ad31f1b399127408a666faabf0ee51

  • SHA256

    cfa94c1253595b7e289821eddcfe0f9a73b1c65401915dd25faa5134530e7395

  • SHA512

    66b262c7393f2b1e9bc821754d1897685502e546176e9b8df023726a2af7cf4a91b26ecc13e273a4028966d47b65e6c993cdc95ae5d62d813df0dbadca49ec03

  • SSDEEP

    6144:bRLpX0Ez+y2ccld5b2IOIQlNtGZknC/NAbnZfp/k:bRLpk6oybZx/k

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

137.119.36.33:80

116.202.234.183:8080

69.30.203.214:8080

204.197.146.48:80

87.106.136.232:8080

153.163.83.106:80

91.211.88.52:7080

93.147.212.206:80

222.214.218.37:4143

189.212.199.126:443

203.153.216.189:7080

83.169.36.251:8080

188.83.220.2:443

104.236.246.93:8080

173.62.217.22:443

5.196.74.210:8080

68.188.112.97:80

139.130.242.43:80

61.19.246.238:443

24.179.13.119:80

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet payload 3 IoCs

    Detects Emotet payload in memory.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\360168bae948242f58b16f0f7e16d9a4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\360168bae948242f58b16f0f7e16d9a4_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3328
    • C:\Windows\SysWOW64\Windows.Media.Speech\msv1_0.exe
      "C:\Windows\SysWOW64\Windows.Media.Speech\msv1_0.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:5012

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Windows.Media.Speech\msv1_0.exe

    Filesize

    268KB

    MD5

    360168bae948242f58b16f0f7e16d9a4

    SHA1

    e67ed37732ad31f1b399127408a666faabf0ee51

    SHA256

    cfa94c1253595b7e289821eddcfe0f9a73b1c65401915dd25faa5134530e7395

    SHA512

    66b262c7393f2b1e9bc821754d1897685502e546176e9b8df023726a2af7cf4a91b26ecc13e273a4028966d47b65e6c993cdc95ae5d62d813df0dbadca49ec03

  • memory/3328-1-0x00000000005C0000-0x00000000005CC000-memory.dmp

    Filesize

    48KB

  • memory/3328-0-0x00000000005B0000-0x00000000005B9000-memory.dmp

    Filesize

    36KB

  • memory/3328-6-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/5012-11-0x00000000005C0000-0x00000000005CC000-memory.dmp

    Filesize

    48KB