Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-05-2024 16:39
Static task: static1
Behavioral task: behavioral1
Sample: 3b14f8e4a2812cb54209bfe370db2dd8_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: 3b14f8e4a2812cb54209bfe370db2dd8_JaffaCakes118.exe
Size: 172KB
MD5: 3b14f8e4a2812cb54209bfe370db2dd8
SHA1: c1ee4a7599fdb82c9d7a44fa4b215d285922bfcf
SHA256: 309c91bb7e5f7879e202f885ef4d096fb0edb5fa80acb3cd957985d28848494c
SHA512: ef5d518721e8c0b19ca8ea838a6cbaad08778b4ab0ee0eff6c10af8acf551db38bb1bf1ef158d33abaa977b4d434683be4cef346c7167f28b923824f6cd7d7a7
SSDEEP: 3072:drrBUIL9C/sjzVO0K2iPnjvOkF/QTf5k4VDvOQn:drrqIL8/IPFiPn7RmTRkw
Malware Config
Extracted: emotet
Epoch2
Signatures

YARA rule matches (resource / yara_rule):
- behavioral2/memory/4188-0-0x0000000002360000-0x0000000002372000-memory.dmp / emotet
- behavioral2/memory/4188-5-0x0000000002380000-0x0000000002390000-memory.dmp / emotet
- behavioral2/memory/4188-7-0x0000000000A90000-0x0000000000A9F000-memory.dmp / emotet
- behavioral2/memory/1476-14-0x0000000002240000-0x0000000002250000-memory.dmp / emotet
- behavioral2/memory/1476-10-0x0000000002220000-0x0000000002232000-memory.dmp / emotet

Executes dropped EXE (1 IoC)
Processes:
- pid 1476: DefaultDeviceManager.exe

Drops file in System32 directory (1 IoC)
Processes:
- 3b14f8e4a2812cb54209bfe370db2dd8_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\xwizards\DefaultDeviceManager.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
- pid 1476: DefaultDeviceManager.exe (all 16 IoCs)

Suspicious behavior: RenamesItself (1 IoC)
Processes:
- pid 4188: 3b14f8e4a2812cb54209bfe370db2dd8_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
- pid 4188: 3b14f8e4a2812cb54209bfe370db2dd8_JaffaCakes118.exe (2 IoCs)
- pid 1476: DefaultDeviceManager.exe (2 IoCs)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- PID 4188 (3b14f8e4a2812cb54209bfe370db2dd8_JaffaCakes118.exe) wrote to memory of PID 1476 (DefaultDeviceManager.exe), 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\3b14f8e4a2812cb54209bfe370db2dd8_JaffaCakes118.exe (PID 4188)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3b14f8e4a2812cb54209bfe370db2dd8_JaffaCakes118.exe"
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\xwizards\DefaultDeviceManager.exe (PID 1476, child of PID 4188)
      Command line: "C:\Windows\SysWOW64\xwizards\DefaultDeviceManager.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 172KB
MD5: 3b14f8e4a2812cb54209bfe370db2dd8
SHA1: c1ee4a7599fdb82c9d7a44fa4b215d285922bfcf
SHA256: 309c91bb7e5f7879e202f885ef4d096fb0edb5fa80acb3cd957985d28848494c
SHA512: ef5d518721e8c0b19ca8ea838a6cbaad08778b4ab0ee0eff6c10af8acf551db38bb1bf1ef158d33abaa977b4d434683be4cef346c7167f28b923824f6cd7d7a7