Analysis

  • max time kernel
    136s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 13:33

General

  • Target

    3a5d08924c502a1a561eb1ba5d37b580_JaffaCakes118.exe

  • Size

    848KB

  • MD5

    3a5d08924c502a1a561eb1ba5d37b580

  • SHA1

    8d426b8c7eec61ac869f10e1d74221236450aca9

  • SHA256

    646834cd91f4b55fd232b4234978cf9a473180576051b7b9d443b143107c4750

  • SHA512

    cf2e8835bdd51653bfa14f5f36090557fe198566d277d0d187463a59a8454567a130524c983f3c6c6af9cc59c44e17ff7b0fa4ed812bc0b38519e1d57404760f

  • SSDEEP

    6144:/TaQZdJnaB1kNOOFSm9tc6c6c6c6c6c6c6c6c6csImOksMWNIDK:/GQfJtFrz7

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

67.68.210.95:80

162.241.242.173:8080

45.55.36.51:443

45.55.219.163:443

68.188.112.97:80

46.105.131.79:8080

78.24.219.147:8080

37.70.8.161:80

153.232.188.106:80

209.141.54.221:8080

203.117.253.142:80

152.168.248.128:443

93.147.212.206:80

24.137.76.62:80

189.212.199.126:443

204.197.146.48:80

137.119.36.33:80

185.94.252.104:443

139.130.242.43:80

203.153.216.189:7080

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a5d08924c502a1a561eb1ba5d37b580_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3a5d08924c502a1a561eb1ba5d37b580_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4172
    • C:\Windows\SysWOW64\efsui\rasman.exe
      "C:\Windows\SysWOW64\efsui\rasman.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\efsui\rasman.exe

    Filesize

    848KB

    MD5

    3a5d08924c502a1a561eb1ba5d37b580

    SHA1

    8d426b8c7eec61ac869f10e1d74221236450aca9

    SHA256

    646834cd91f4b55fd232b4234978cf9a473180576051b7b9d443b143107c4750

    SHA512

    cf2e8835bdd51653bfa14f5f36090557fe198566d277d0d187463a59a8454567a130524c983f3c6c6af9cc59c44e17ff7b0fa4ed812bc0b38519e1d57404760f

  • memory/4172-0-0x0000000002280000-0x000000000228C000-memory.dmp

    Filesize

    48KB

  • memory/4172-5-0x0000000002270000-0x0000000002279000-memory.dmp

    Filesize

    36KB

  • memory/4172-4-0x00000000006C0000-0x00000000006C1000-memory.dmp

    Filesize

    4KB

  • memory/4172-7-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/4952-8-0x00000000006B0000-0x00000000006BC000-memory.dmp

    Filesize

    48KB

  • memory/4952-12-0x00000000006B0000-0x00000000006BC000-memory.dmp

    Filesize

    48KB