Analysis

  • max time kernel
    136s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 04:14

General

  • Target

    3dd88da504ea2d560080dfd6103caca9_JaffaCakes118.exe

  • Size

    172KB

  • MD5

    3dd88da504ea2d560080dfd6103caca9

  • SHA1

    28e5b7e0a4e8dd5ffe89f220c21c0e304f5f72f7

  • SHA256

    4084f8e1c94e4ed67d6bccfb3d4661f8c4d48eaeb1afecb9e5664d99c7460136

  • SHA512

    bc04d6a65d95043526854b342c50bbfc05eca6a3d8a7539fbc69828fed1e84d46142f44d9c96be7bda46d10cd779eb8455dd729e71bcc424939fef1cb8e0bc30

  • SSDEEP

    3072:drrB+IL9C/sjzVO0K2iPnjvOkF/QTf5k4VDvOQn:drrQIL8/IPFiPn7RmTRkw

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

220.245.198.194:80

104.156.59.7:8080

120.138.30.150:8080

139.59.67.118:443

139.130.242.43:80

104.32.141.43:80

156.155.166.221:80

121.7.127.163:80

153.177.101.120:443

162.241.242.173:8080

91.211.88.52:7080

95.179.229.244:8080

103.86.49.11:8080

139.59.60.244:8080

121.124.124.40:7080

104.131.11.150:443

200.114.213.233:8080

82.225.49.121:80

79.98.24.39:8080

5.196.74.210:8080

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet payload 5 IoCs

    Detects Emotet payload in memory.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3dd88da504ea2d560080dfd6103caca9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3dd88da504ea2d560080dfd6103caca9_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\SysWOW64\PSHED\reg.exe
      "C:\Windows\SysWOW64\PSHED\reg.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\PSHED\reg.exe

    Filesize

    172KB

    MD5

    3dd88da504ea2d560080dfd6103caca9

    SHA1

    28e5b7e0a4e8dd5ffe89f220c21c0e304f5f72f7

    SHA256

    4084f8e1c94e4ed67d6bccfb3d4661f8c4d48eaeb1afecb9e5664d99c7460136

    SHA512

    bc04d6a65d95043526854b342c50bbfc05eca6a3d8a7539fbc69828fed1e84d46142f44d9c96be7bda46d10cd779eb8455dd729e71bcc424939fef1cb8e0bc30

  • memory/2132-7-0x00000000001F0000-0x00000000001FF000-memory.dmp

    Filesize

    60KB

  • memory/2132-4-0x00000000002A0000-0x00000000002B0000-memory.dmp

    Filesize

    64KB

  • memory/2132-0-0x0000000000280000-0x0000000000292000-memory.dmp

    Filesize

    72KB

  • memory/2132-9-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2856-10-0x0000000000590000-0x00000000005A2000-memory.dmp

    Filesize

    72KB

  • memory/2856-14-0x00000000003F0000-0x0000000000400000-memory.dmp

    Filesize

    64KB