Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    13-05-2024 23:58

General

  • Target

    3d1d97a5dc9461904f4811478cb6ec2b_JaffaCakes118.exe

  • Size

    308KB

  • MD5

    3d1d97a5dc9461904f4811478cb6ec2b

  • SHA1

    002b77c03294bf17a748bfe53d4832795e694faa

  • SHA256

    4833e09d39edcea826747ef9383f3d1a01d1b1e5fe6c6b498e8a1c6795951e18

  • SHA512

    0f592d23f2a6a24a746eaa9e056aaec2ba528ef3baf7c3f4b5edf348a6291f7062d8a98379b5a7a7b816d88921302aeffc0a70a887ee5790d0e4db4f6bcafbee

  • SSDEEP

    6144:TqfI2dK4las/gMXzGnZq/TVbU7/qyPoNIZAFJi:TqfIJ4lxgMXyUlskIiW

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

70.121.172.89:80

116.202.234.183:8080

69.30.203.214:8080

185.94.252.104:443

64.183.73.122:80

190.55.181.54:443

37.70.8.161:80

174.137.65.18:80

203.153.216.189:7080

109.116.214.124:443

93.51.50.171:8080

190.160.53.126:80

222.214.218.37:4143

87.106.136.232:8080

113.160.130.116:8443

174.102.48.180:80

79.98.24.39:8080

189.212.199.126:443

89.186.91.200:443

24.233.112.152:80

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet payload 4 IoCs

    Detects Emotet payload in memory.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d1d97a5dc9461904f4811478cb6ec2b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3d1d97a5dc9461904f4811478cb6ec2b_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\SysWOW64\odbccp32\qasf.exe
      "C:\Windows\SysWOW64\odbccp32\qasf.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\odbccp32\qasf.exe

    Filesize

    308KB

    MD5

    3d1d97a5dc9461904f4811478cb6ec2b

    SHA1

    002b77c03294bf17a748bfe53d4832795e694faa

    SHA256

    4833e09d39edcea826747ef9383f3d1a01d1b1e5fe6c6b498e8a1c6795951e18

    SHA512

    0f592d23f2a6a24a746eaa9e056aaec2ba528ef3baf7c3f4b5edf348a6291f7062d8a98379b5a7a7b816d88921302aeffc0a70a887ee5790d0e4db4f6bcafbee

  • memory/2424-0-0x0000000000390000-0x000000000039C000-memory.dmp

    Filesize

    48KB

  • memory/2424-4-0x0000000000380000-0x0000000000389000-memory.dmp

    Filesize

    36KB

  • memory/2424-6-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/2708-7-0x0000000000250000-0x000000000025C000-memory.dmp

    Filesize

    48KB

  • memory/2708-11-0x0000000000250000-0x000000000025C000-memory.dmp

    Filesize

    48KB