Analysis Overview
SHA256
cca37083fe4cbcb71f83df2b52cc988ae6333aee86aa407ce902677b38dddd51
Threat Level: Known bad
The file 3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Emotet
Emotet payload
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-12 15:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-12 15:06
Reported
2024-05-12 15:09
Platform
win7-20240508-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Emotet
Emotet payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe | C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1936 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe | C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe |
| PID 1936 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe | C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe |
| PID 1936 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe | C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe |
| PID 1936 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe | C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe"
C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe
"C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 71.72.196.159:80 | tcp | |
| US | 71.72.196.159:80 | tcp | |
| US | 134.209.36.254:8080 | tcp | |
| US | 134.209.36.254:8080 | tcp | |
| NZ | 120.138.30.150:8080 | tcp | |
| NZ | 120.138.30.150:8080 | tcp | |
| FR | 94.23.216.33:80 | tcp | |
| FR | 94.23.216.33:80 | tcp | |
| IN | 157.245.99.39:8080 | tcp | |
| IN | 157.245.99.39:8080 | tcp |
Files
memory/1936-4-0x00000000002E0000-0x00000000002F0000-memory.dmp
memory/1936-7-0x0000000000230000-0x000000000023F000-memory.dmp
memory/1936-0-0x0000000000240000-0x0000000000252000-memory.dmp
memory/1936-9-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe
| MD5 | 3abaa8d4ddb688291fd55c70c925a5ed |
| SHA1 | 5672075bc7cfa0e85a741674d51574ca577905e8 |
| SHA256 | cca37083fe4cbcb71f83df2b52cc988ae6333aee86aa407ce902677b38dddd51 |
| SHA512 | 7ef83329ad4a1748fc27d286da24b332e2c9be65479906d1baae916de2ca3521be6518bdc45f69da707fbd26bb031d8945dbfbf84de2c35349d22dfab5861d27 |
memory/2576-14-0x0000000000260000-0x0000000000270000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-12 15:06
Reported
2024-05-12 15:09
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Emotet
Emotet payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\dssec\quartz.exe | C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dssec\quartz.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1904 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe | C:\Windows\SysWOW64\dssec\quartz.exe |
| PID 1904 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe | C:\Windows\SysWOW64\dssec\quartz.exe |
| PID 1904 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe | C:\Windows\SysWOW64\dssec\quartz.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe"
C:\Windows\SysWOW64\dssec\quartz.exe
"C:\Windows\SysWOW64\dssec\quartz.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 71.72.196.159:80 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 134.209.36.254:8080 | tcp | |
| NZ | 120.138.30.150:8080 | tcp | |
| FR | 94.23.216.33:80 | tcp | |
| IN | 157.245.99.39:8080 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| SG | 137.59.187.107:8080 | tcp | |
| FR | 94.23.237.171:443 | tcp | |
| TH | 61.19.246.238:443 | tcp | |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
memory/1904-0-0x00000000005C0000-0x00000000005D2000-memory.dmp
memory/1904-4-0x00000000005E0000-0x00000000005F0000-memory.dmp
memory/1904-7-0x00000000005B0000-0x00000000005BF000-memory.dmp
C:\Windows\SysWOW64\dssec\quartz.exe
| MD5 | 3abaa8d4ddb688291fd55c70c925a5ed |
| SHA1 | 5672075bc7cfa0e85a741674d51574ca577905e8 |
| SHA256 | cca37083fe4cbcb71f83df2b52cc988ae6333aee86aa407ce902677b38dddd51 |
| SHA512 | 7ef83329ad4a1748fc27d286da24b332e2c9be65479906d1baae916de2ca3521be6518bdc45f69da707fbd26bb031d8945dbfbf84de2c35349d22dfab5861d27 |
memory/1904-9-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2904-10-0x0000000002070000-0x0000000002082000-memory.dmp