Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 20:22
Static task: static1
Behavioral task: behavioral1
Sample: 3661c9ac1b86f1bfdfeb64e036adc115_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 3661c9ac1b86f1bfdfeb64e036adc115_JaffaCakes118.exe
Size: 236KB
MD5: 3661c9ac1b86f1bfdfeb64e036adc115
SHA1: c5505b6e5047146192a9f1cd404434ebbe6b67b4
SHA256: 062c3371c0ca3d27351b7c051a0530aab30273cb46f514060cc949f61c48a674
SHA512: 3b34db8cd41efcc0ecba771f70316d9d7f26a1e032889afa648318c658b6210b6682fb0c09e3aa722ab57bddf1c26354a604b78281fb3c2f5e226e6db63addf5
SSDEEP: 6144:tZdFlips3wlr3RelQa5qSu+bYTQsiSqS:tZvlT3er3RSbcsSF
Malware Config
Extracted: emotet (Epoch2)
C2 addresses:
Signatures
Yara rule matches (resource: rule):
  behavioral2/memory/4992-7-0x00000000022E0000-0x00000000022EF000-memory.dmp: emotet
  behavioral2/memory/4992-5-0x00000000023D0000-0x00000000023E0000-memory.dmp: emotet
  behavioral2/memory/4992-0-0x0000000002320000-0x0000000002332000-memory.dmp: emotet
  behavioral2/memory/524-14-0x0000000001FD0000-0x0000000001FE0000-memory.dmp: emotet
  behavioral2/memory/524-10-0x00000000021C0000-0x00000000021D2000-memory.dmp: emotet
Executes dropped EXE (1 IoC)
Processes:
  PID 524  fms.exe
Drops file in System32 directory (1 IoC)
Processes:
  File opened for modification: C:\Windows\SysWOW64\netiougc\fms.exe  (by 3661c9ac1b86f1bfdfeb64e036adc115_JaffaCakes118.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
  PID 524  fms.exe  (16 occurrences)
Suspicious behavior: RenamesItself (1 IoC)
Processes:
  PID 4992  3661c9ac1b86f1bfdfeb64e036adc115_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  PID 4992  3661c9ac1b86f1bfdfeb64e036adc115_JaffaCakes118.exe  (2 occurrences)
  PID 524   fms.exe  (2 occurrences)
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  PID 4992  3661c9ac1b86f1bfdfeb64e036adc115_JaffaCakes118.exe  wrote to memory of PID 524 fms.exe  (3 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\3661c9ac1b86f1bfdfeb64e036adc115_JaffaCakes118.exe (PID 4992)
  command line: "C:\Users\Admin\AppData\Local\Temp\3661c9ac1b86f1bfdfeb64e036adc115_JaffaCakes118.exe"
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netiougc\fms.exe (PID 524, child of PID 4992)
      command line: "C:\Windows\SysWOW64\netiougc\fms.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3604)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1324,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
Network
MITRE ATT&CK Enterprise v15