Analysis
max time kernel: 136s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-05-2024 13:33
Static task: static1
Behavioral task: behavioral1
Sample: 3a5d08924c502a1a561eb1ba5d37b580_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 3a5d08924c502a1a561eb1ba5d37b580_JaffaCakes118.exe
Size: 848KB
MD5: 3a5d08924c502a1a561eb1ba5d37b580
SHA1: 8d426b8c7eec61ac869f10e1d74221236450aca9
SHA256: 646834cd91f4b55fd232b4234978cf9a473180576051b7b9d443b143107c4750
SHA512: cf2e8835bdd51653bfa14f5f36090557fe198566d277d0d187463a59a8454567a130524c983f3c6c6af9cc59c44e17ff7b0fa4ed812bc0b38519e1d57404760f
SSDEEP: 6144:/TaQZdJnaB1kNOOFSm9tc6c6c6c6c6c6c6c6c6csImOksMWNIDK:/GQfJtFrz7
Malware Config
Extracted
Family: emotet
Botnet: Epoch2
Signatures
Executes dropped EXE (1 IoC)
Processes: rasman.exe (PID 4952)
Drops file in System32 directory (1 IoC)
Processes: 3a5d08924c502a1a561eb1ba5d37b580_JaffaCakes118.exe
File opened for modification: C:\Windows\SysWOW64\efsui\rasman.exe by 3a5d08924c502a1a561eb1ba5d37b580_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: rasman.exe (PID 4952), 16 occurrences
Suspicious behavior: RenamesItself (1 IoC)
Processes: 3a5d08924c502a1a561eb1ba5d37b580_JaffaCakes118.exe (PID 4172)
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: 3a5d08924c502a1a561eb1ba5d37b580_JaffaCakes118.exe (PID 4172), 2 occurrences; rasman.exe (PID 4952), 2 occurrences
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: PID 4172 (3a5d08924c502a1a561eb1ba5d37b580_JaffaCakes118.exe) wrote to memory of PID 4952 (rasman.exe), 3 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\3a5d08924c502a1a561eb1ba5d37b580_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3a5d08924c502a1a561eb1ba5d37b580_JaffaCakes118.exe"
   PID: 4172
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\efsui\rasman.exe (child of PID 4172)
   Command line: "C:\Windows\SysWOW64\efsui\rasman.exe"
   PID: 4952
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 848KB
MD5: 3a5d08924c502a1a561eb1ba5d37b580
SHA1: 8d426b8c7eec61ac869f10e1d74221236450aca9
SHA256: 646834cd91f4b55fd232b4234978cf9a473180576051b7b9d443b143107c4750
SHA512: cf2e8835bdd51653bfa14f5f36090557fe198566d277d0d187463a59a8454567a130524c983f3c6c6af9cc59c44e17ff7b0fa4ed812bc0b38519e1d57404760f