Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 16:48

General

  • Target

    3b1ce788743336dc5dd352ae7b7bd588_JaffaCakes118.exe

  • Size

    420KB

  • MD5

    3b1ce788743336dc5dd352ae7b7bd588

  • SHA1

    34169022a270c8d94c26e7c3c9e7b7446c987218

  • SHA256

    8c2bd66fa3ddc9805b5e364bc8e434b099137aaf5cc7e799cabd179a7888c3db

  • SHA512

    2ba9a35aaade59075ef1ba25c7a730d86ebb1856bd437e625b8ebf0bf41d30bc344cf174afe18a38e3a80ea0b9e55abb253b8c162dfe2162a3301d86bab063c9

  • SSDEEP

    6144:QTEey77PAQXnL7maKRD0j2gqoAzQ222222222222U3XNagGZn4:quXn2aKRv/RdjG

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

173.81.218.65:80

45.55.36.51:443

91.83.93.99:7080

45.55.219.163:443

169.239.182.217:8080

24.43.99.75:80

78.24.219.147:8080

95.179.229.244:8080

107.5.122.110:80

47.144.21.12:443

204.197.146.48:80

139.99.158.11:443

190.160.53.126:80

74.120.55.163:80

74.109.108.202:80

47.146.117.214:80

104.236.246.93:8080

174.137.65.18:80

41.60.200.34:80

209.141.54.221:8080

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b1ce788743336dc5dd352ae7b7bd588_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3b1ce788743336dc5dd352ae7b7bd588_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Windows\SysWOW64\amsi\nshwfp.exe
      "C:\Windows\SysWOW64\amsi\nshwfp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\amsi\nshwfp.exe

    Filesize

    420KB

    MD5

    3b1ce788743336dc5dd352ae7b7bd588

    SHA1

    34169022a270c8d94c26e7c3c9e7b7446c987218

    SHA256

    8c2bd66fa3ddc9805b5e364bc8e434b099137aaf5cc7e799cabd179a7888c3db

    SHA512

    2ba9a35aaade59075ef1ba25c7a730d86ebb1856bd437e625b8ebf0bf41d30bc344cf174afe18a38e3a80ea0b9e55abb253b8c162dfe2162a3301d86bab063c9

  • memory/1968-7-0x0000000002210000-0x000000000221C000-memory.dmp

    Filesize

    48KB

  • memory/1968-11-0x0000000002210000-0x000000000221C000-memory.dmp

    Filesize

    48KB

  • memory/2472-0-0x0000000002320000-0x000000000232C000-memory.dmp

    Filesize

    48KB

  • memory/2472-4-0x00000000022C0000-0x00000000022C9000-memory.dmp

    Filesize

    36KB

  • memory/2472-6-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB