Analysis
max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-05-2024 16:48
Static task: static1
Behavioral task: behavioral1
Sample: 3b1ce788743336dc5dd352ae7b7bd588_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 3b1ce788743336dc5dd352ae7b7bd588_JaffaCakes118.exe
Size: 420KB
MD5: 3b1ce788743336dc5dd352ae7b7bd588
SHA1: 34169022a270c8d94c26e7c3c9e7b7446c987218
SHA256: 8c2bd66fa3ddc9805b5e364bc8e434b099137aaf5cc7e799cabd179a7888c3db
SHA512: 2ba9a35aaade59075ef1ba25c7a730d86ebb1856bd437e625b8ebf0bf41d30bc344cf174afe18a38e3a80ea0b9e55abb253b8c162dfe2162a3301d86bab063c9
SSDEEP: 6144:QTEey77PAQXnL7maKRD0j2gqoAzQ222222222222U3XNagGZn4:quXn2aKRv/RdjG
Malware Config
Extracted
Family: emotet
Botnet: Epoch2
C2 (IP:port):
173.81.218.65:80
45.55.36.51:443
91.83.93.99:7080
45.55.219.163:443
169.239.182.217:8080
24.43.99.75:80
78.24.219.147:8080
95.179.229.244:8080
107.5.122.110:80
47.144.21.12:443
204.197.146.48:80
139.99.158.11:443
190.160.53.126:80
74.120.55.163:80
74.109.108.202:80
47.146.117.214:80
104.236.246.93:8080
174.137.65.18:80
41.60.200.34:80
209.141.54.221:8080
74.208.45.104:8080
137.119.36.33:80
79.98.24.39:8080
97.82.79.83:80
189.212.199.126:443
200.41.121.90:80
5.196.74.210:8080
203.153.216.189:7080
68.171.118.7:80
87.106.136.232:8080
91.211.88.52:7080
98.109.204.230:80
176.111.60.55:8080
84.39.182.7:80
70.121.172.89:80
85.105.205.77:8080
174.102.48.180:443
87.106.139.101:8080
93.147.212.206:80
180.92.239.110:8080
62.30.7.67:443
187.161.206.24:80
153.232.188.106:80
85.152.162.105:80
104.131.11.150:443
24.179.13.119:80
194.187.133.160:443
157.147.76.151:80
46.105.131.79:8080
203.117.253.142:80
185.94.252.104:443
120.150.60.189:80
110.145.77.103:80
69.30.203.214:8080
94.200.114.161:80
75.139.38.211:80
37.139.21.175:8080
61.19.246.238:443
157.245.99.39:8080
167.86.90.214:8080
5.39.91.110:7080
168.235.67.138:7080
173.62.217.22:443
139.59.60.244:8080
93.51.50.171:8080
37.187.72.193:8080
109.74.5.95:8080
68.44.137.144:443
139.130.242.43:80
37.70.8.161:80
1.221.254.82:80
152.168.248.128:443
139.162.108.71:8080
201.173.217.124:443
113.160.130.116:8443
62.75.141.82:80
94.23.237.171:443
121.124.124.40:7080
95.213.236.64:8080
181.230.116.163:80
200.114.213.233:8080
190.55.181.54:443
137.59.187.107:8080
103.86.49.11:8080
24.137.76.62:80
83.169.36.251:8080
104.131.44.150:8080
67.205.85.243:8080
85.66.181.138:80
68.188.112.97:80
112.185.64.233:80
Signatures
Executes dropped EXE (1 IoC)
Process: nshwfp.exe (PID 1968)
Drops file in System32 directory (1 IoC)
Process: 3b1ce788743336dc5dd352ae7b7bd588_JaffaCakes118.exe; file opened for modification: C:\Windows\SysWOW64\amsi\nshwfp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Process: nshwfp.exe (PID 1968), 18 occurrences
Suspicious behavior: RenamesItself (1 IoC)
Process: 3b1ce788743336dc5dd352ae7b7bd588_JaffaCakes118.exe (PID 2472)
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes: 3b1ce788743336dc5dd352ae7b7bd588_JaffaCakes118.exe (PID 2472), 3 occurrences; nshwfp.exe (PID 1968), 3 occurrences
Suspicious use of WriteProcessMemory (3 IoCs)
Process: 3b1ce788743336dc5dd352ae7b7bd588_JaffaCakes118.exe (PID 2472) wrote to memory of nshwfp.exe (PID 1968), 3 occurrences
Processes
C:\Users\Admin\AppData\Local\Temp\3b1ce788743336dc5dd352ae7b7bd588_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b1ce788743336dc5dd352ae7b7bd588_JaffaCakes118.exe"
  PID: 2472
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\amsi\nshwfp.exe (child of PID 2472)
    Command line: "C:\Windows\SysWOW64\amsi\nshwfp.exe"
    PID: 1968
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
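The chain the report records is a sample launched from %TEMP% that writes a copy of itself into a subdirectory of SysWOW64 (C:\Windows\SysWOW64\amsi\nshwfp.exe), starts that copy, and the copy then beacons to the Epoch2 C2 list. The following is an added hunting example, not part of the sandbox report: it encodes those three observations as rules over Sysmon-style events (process create, file create, network connection). The event dictionaries are constructed here, the Sysmon field names (Image, ParentImage, TargetFilename, DestinationIp, DestinationPort) and the rule names are assumptions, and the C2 set is a subset of the report's list kept in the report's own "ip:port" form so the full list can be pasted in.

```python
"""Hunt for this report's behaviours over constructed Sysmon-style events (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Subset of the Epoch2 C2 endpoints from the report's Malware Config section;
# paste the full list here in practice.
C2_TEXT = """
173.81.218.65:80
45.55.36.51:443
91.83.93.99:7080
169.239.182.217:8080
113.160.130.116:8443
112.185.64.233:80
"""


def parse_c2_list(text: str) -> set[tuple[str, int]]:
    """Turn 'ip:port' lines into a set of (ip, port) tuples; blank lines are skipped."""
    endpoints: set[tuple[str, int]] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        # ip_address() raises on a malformed entry instead of silently never matching.
        endpoints.add((str(ipaddress.ip_address(host)), int(port)))
    return endpoints


EMOTET_EPOCH2_C2 = parse_c2_list(C2_TEXT)

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
# Anything under a user profile's AppData (e.g. %TEMP%), where the sample was launched from.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    rule: str
    event_id: int
    detail: str


def in_system_subdir(path: str) -> bool:
    """True for an .exe one or more levels below System32/SysWOW64 (SysWOW64\\amsi\\nshwfp.exe).

    Binaries directly in System32 (svchost.exe, ...) do not match.
    """
    p = path.lower()
    for base in SYSTEM_DIRS:
        if p.startswith(base) and p.endswith(".exe"):
            return "\\" in p[len(base):]
    return False


def check_event(ev: dict) -> Hit | None:
    """Apply the three rules to one event; return the match or None."""
    eid = ev["EventID"]
    if eid == 3:  # network connection to a known C2 endpoint
        try:
            ip = str(ipaddress.ip_address(ev["DestinationIp"]))
        except ValueError:
            return None
        key = (ip, int(ev["DestinationPort"]))
        if key in EMOTET_EPOCH2_C2:
            return Hit("emotet_epoch2_c2", 3, f"{ev['Image']} -> {ip}:{key[1]}")
    elif eid == 11:  # AppData-resident process writes an .exe below System32
        if USER_WRITABLE.match(ev["Image"]) and in_system_subdir(ev["TargetFilename"]):
            return Hit("exe_dropped_in_system_subdir", 11, f"{ev['Image']} wrote {ev['TargetFilename']}")
    elif eid == 1:  # the dropped copy is started by the AppData-resident parent
        if USER_WRITABLE.match(ev.get("ParentImage", "")) and in_system_subdir(ev["Image"]):
            return Hit("dropped_exe_executed", 1, f"{ev['ParentImage']} spawned {ev['Image']}")
    return None


def hunt(events: list[dict]) -> list[Hit]:
    return [h for h in map(check_event, events) if h is not None]


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3b1ce788743336dc5dd352ae7b7bd588_JaffaCakes118.exe"
DROPPED = "C:\\Windows\\SysWOW64\\amsi\\nshwfp.exe"

# Constructed events mirroring the report's process tree, plus two benign ones that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 1, "Image": DROPPED, "ParentImage": SAMPLE},
    {"EventID": 3, "Image": DROPPED, "DestinationIp": "91.83.93.99", "DestinationPort": "7080"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit.rule}] EID {hit.event_id}: {hit.detail}")
```

The file-drop and process-create rules deliberately require a subdirectory below System32/SysWOW64: that is the pattern in this report, and it keeps the legitimate binaries that live directly in System32 out of the results. Sysmon does not log WriteProcessMemory itself; the report's ProcessAccess-style observations would need Event ID 8 or 10 and a separate rule.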
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 420KB
MD5: 3b1ce788743336dc5dd352ae7b7bd588
SHA1: 34169022a270c8d94c26e7c3c9e7b7446c987218
SHA256: 8c2bd66fa3ddc9805b5e364bc8e434b099137aaf5cc7e799cabd179a7888c3db
SHA512: 2ba9a35aaade59075ef1ba25c7a730d86ebb1856bd437e625b8ebf0bf41d30bc344cf174afe18a38e3a80ea0b9e55abb253b8c162dfe2162a3301d86bab063c9