Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-05-2024 00:41

General

  • Target

    375c4fef50d06477cfd98fd765cb0331_JaffaCakes118.exe

  • Size

    156KB

  • MD5

    375c4fef50d06477cfd98fd765cb0331

  • SHA1

    67065ab43c79a318545857a206c8c58d773c7e1c

  • SHA256

    3c5f80f8f1e91fb58d253c62fec203ff1b9c84eb556aa0aac92020e29aa0ab3a

  • SHA512

    e3a466b27fc0995983aaaa9af1dc2578f7dc0f2859095e8f89b092ac0a7e27266cb4bed67575dcfebf27e068cbc7c812d673cc2e70822c0ca91150b10a102ace

  • SSDEEP

    1536:FXGNxEKJx6qdlaPLA1tjUb6vfEwDfJ8rWR0hoZjeZtaNT6hSegcAe6frjq8jI:pGnEKJx6q6zUqOr5Z4aNipDj6f/qn

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet payload 4 IoCs

    Detects Emotet payload in memory.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\375c4fef50d06477cfd98fd765cb0331_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\375c4fef50d06477cfd98fd765cb0331_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Windows\SysWOW64\fveapibase\msvcr120.exe
      "C:\Windows\SysWOW64\fveapibase\msvcr120.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1848
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8
    1⤵
      PID:1500

    Downloads

    • C:\Windows\SysWOW64\fveapibase\msvcr120.exe

      Filesize

      156KB

      MD5

      375c4fef50d06477cfd98fd765cb0331

      SHA1

      67065ab43c79a318545857a206c8c58d773c7e1c

      SHA256

      3c5f80f8f1e91fb58d253c62fec203ff1b9c84eb556aa0aac92020e29aa0ab3a

      SHA512

      e3a466b27fc0995983aaaa9af1dc2578f7dc0f2859095e8f89b092ac0a7e27266cb4bed67575dcfebf27e068cbc7c812d673cc2e70822c0ca91150b10a102ace

    • memory/1264-4-0x0000000002280000-0x0000000002289000-memory.dmp

      Filesize

      36KB

    • memory/1264-0-0x00000000022E0000-0x00000000022EC000-memory.dmp

      Filesize

      48KB

    • memory/1264-7-0x00000000022A0000-0x00000000022D2000-memory.dmp

      Filesize

      200KB

    • memory/1264-6-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

    • memory/1848-8-0x0000000002240000-0x000000000224C000-memory.dmp

      Filesize

      48KB

    • memory/1848-12-0x0000000002240000-0x000000000224C000-memory.dmp

      Filesize

      48KB

    • memory/1848-13-0x0000000002270000-0x00000000022A2000-memory.dmp

      Filesize

      200KB