Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-05-2024 20:22

General

  • Target

    3661c9ac1b86f1bfdfeb64e036adc115_JaffaCakes118.exe

  • Size

    236KB

  • MD5

    3661c9ac1b86f1bfdfeb64e036adc115

  • SHA1

    c5505b6e5047146192a9f1cd404434ebbe6b67b4

  • SHA256

    062c3371c0ca3d27351b7c051a0530aab30273cb46f514060cc949f61c48a674

  • SHA512

    3b34db8cd41efcc0ecba771f70316d9d7f26a1e032889afa648318c658b6210b6682fb0c09e3aa722ab57bddf1c26354a604b78281fb3c2f5e226e6db63addf5

  • SSDEEP

    6144:tZdFlips3wlr3RelQa5qSu+bYTQsiSqS:tZvlT3er3RSbcsSF

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

74.219.172.26:80

134.209.36.254:8080

104.156.59.7:8080

120.138.30.150:8080

194.187.133.160:443

104.236.246.93:8080

74.208.45.104:8080

78.187.156.31:80

187.161.206.24:80

94.23.216.33:80

172.91.208.86:80

91.211.88.52:7080

50.91.114.38:80

200.123.150.89:443

121.124.124.40:7080

62.75.141.82:80

5.196.74.210:8080

24.137.76.62:80

85.105.205.77:8080

139.130.242.43:80

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet payload 5 IoCs

    Detects Emotet payload in memory.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3661c9ac1b86f1bfdfeb64e036adc115_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3661c9ac1b86f1bfdfeb64e036adc115_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Windows\SysWOW64\netiougc\fms.exe
      "C:\Windows\SysWOW64\netiougc\fms.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:524
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1324,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
    1⤵
      PID:3604

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\netiougc\fms.exe

      Filesize

      236KB

      MD5

      3661c9ac1b86f1bfdfeb64e036adc115

      SHA1

      c5505b6e5047146192a9f1cd404434ebbe6b67b4

      SHA256

      062c3371c0ca3d27351b7c051a0530aab30273cb46f514060cc949f61c48a674

      SHA512

      3b34db8cd41efcc0ecba771f70316d9d7f26a1e032889afa648318c658b6210b6682fb0c09e3aa722ab57bddf1c26354a604b78281fb3c2f5e226e6db63addf5

    • memory/524-14-0x0000000001FD0000-0x0000000001FE0000-memory.dmp

      Filesize

      64KB

    • memory/524-10-0x00000000021C0000-0x00000000021D2000-memory.dmp

      Filesize

      72KB

    • memory/4992-7-0x00000000022E0000-0x00000000022EF000-memory.dmp

      Filesize

      60KB

    • memory/4992-5-0x00000000023D0000-0x00000000023E0000-memory.dmp

      Filesize

      64KB

    • memory/4992-0-0x0000000002320000-0x0000000002332000-memory.dmp

      Filesize

      72KB

    • memory/4992-9-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB