Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 09:12
Static task: static1
Behavioral task: behavioral1
Sample: 40f75fd98304ca1c0c5cc968171e57a3_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 40f75fd98304ca1c0c5cc968171e57a3_JaffaCakes118.exe
Size: 464KB
MD5: 40f75fd98304ca1c0c5cc968171e57a3
SHA1: cff1b93b668903bc16355dec26796da1df0ff9a3
SHA256: 2ed6b0c0fa2dc43d996efa8857c47c1dd3ac39c4a5bef30041422cac99c1309b
SHA512: 7b67add37f5ca59e1dbc13da32a21c4dff1c4991d4e7c2a3a2c56990dde2e1336cdd997b65469617b4519d20f03da10d26bc6ec3770fe75c216d98fd335e1ad6
SSDEEP: 12288:NGsME6YbUVWOQmNOtJ01TBb4VtZEPITFI:NhRXDsOtJoR+m
Malware Config
Extracted
emotet
Epoch2
Signatures

Memory YARA matches
Processes:
resource | yara_rule
behavioral2/memory/4744-0-0x0000000000680000-0x000000000068C000-memory.dmp | emotet
behavioral2/memory/4744-4-0x0000000000670000-0x0000000000679000-memory.dmp | emotet
behavioral2/memory/3588-8-0x0000000002080000-0x000000000208C000-memory.dmp | emotet
behavioral2/memory/3588-12-0x0000000002080000-0x000000000208C000-memory.dmp | emotet

Executes dropped EXE 1 IoCs
Processes:
pid | process
3588 | fontdrvhost.exe

Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\fdBthProxy\fontdrvhost.exe | 40f75fd98304ca1c0c5cc968171e57a3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid | process
3588 | fontdrvhost.exe (16 identical entries)

Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
4744 | 40f75fd98304ca1c0c5cc968171e57a3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
4744 | 40f75fd98304ca1c0c5cc968171e57a3_JaffaCakes118.exe (3 identical entries)
3588 | fontdrvhost.exe (3 identical entries)

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 4744 wrote to memory of 3588 | 4744 | 40f75fd98304ca1c0c5cc968171e57a3_JaffaCakes118.exe | fontdrvhost.exe (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\40f75fd98304ca1c0c5cc968171e57a3_JaffaCakes118.exe (PID 4744)
  command line: "C:\Users\Admin\AppData\Local\Temp\40f75fd98304ca1c0c5cc968171e57a3_JaffaCakes118.exe"
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  child: C:\Windows\SysWOW64\fdBthProxy\fontdrvhost.exe (PID 3588)
    command line: "C:\Windows\SysWOW64\fdBthProxy\fontdrvhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 464KB
MD5: 40f75fd98304ca1c0c5cc968171e57a3
SHA1: cff1b93b668903bc16355dec26796da1df0ff9a3
SHA256: 2ed6b0c0fa2dc43d996efa8857c47c1dd3ac39c4a5bef30041422cac99c1309b
SHA512: 7b67add37f5ca59e1dbc13da32a21c4dff1c4991d4e7c2a3a2c56990dde2e1336cdd997b65469617b4519d20f03da10d26bc6ec3770fe75c216d98fd335e1ad6