Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-05-2024 09:12

General

  • Target

    40f75fd98304ca1c0c5cc968171e57a3_JaffaCakes118.exe

  • Size

    464KB

  • MD5

    40f75fd98304ca1c0c5cc968171e57a3

  • SHA1

    cff1b93b668903bc16355dec26796da1df0ff9a3

  • SHA256

    2ed6b0c0fa2dc43d996efa8857c47c1dd3ac39c4a5bef30041422cac99c1309b

  • SHA512

    7b67add37f5ca59e1dbc13da32a21c4dff1c4991d4e7c2a3a2c56990dde2e1336cdd997b65469617b4519d20f03da10d26bc6ec3770fe75c216d98fd335e1ad6

  • SSDEEP

    12288:NGsME6YbUVWOQmNOtJ01TBb4VtZEPITFI:NhRXDsOtJoR+m

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

204.197.146.48:80

212.51.142.238:8080

200.55.243.138:8080

103.86.49.11:8080

83.110.223.58:443

139.130.242.43:80

41.60.200.34:80

110.145.77.103:80

183.101.175.193:80

50.116.86.205:8080

79.98.24.39:8080

180.92.239.110:8080

203.153.216.189:7080

137.59.187.107:8080

109.74.5.95:8080

61.19.246.238:443

209.182.216.177:443

162.241.92.219:8080

47.153.182.47:80

176.111.60.55:8080

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet payload 4 IoCs

    Detects Emotet payload in memory.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40f75fd98304ca1c0c5cc968171e57a3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\40f75fd98304ca1c0c5cc968171e57a3_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Windows\SysWOW64\fdBthProxy\fontdrvhost.exe
      "C:\Windows\SysWOW64\fdBthProxy\fontdrvhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\fdBthProxy\fontdrvhost.exe

    Filesize

    464KB

    MD5

    40f75fd98304ca1c0c5cc968171e57a3

    SHA1

    cff1b93b668903bc16355dec26796da1df0ff9a3

    SHA256

    2ed6b0c0fa2dc43d996efa8857c47c1dd3ac39c4a5bef30041422cac99c1309b

    SHA512

    7b67add37f5ca59e1dbc13da32a21c4dff1c4991d4e7c2a3a2c56990dde2e1336cdd997b65469617b4519d20f03da10d26bc6ec3770fe75c216d98fd335e1ad6

  • memory/3588-8-0x0000000002080000-0x000000000208C000-memory.dmp

    Filesize

    48KB

  • memory/3588-12-0x0000000002080000-0x000000000208C000-memory.dmp

    Filesize

    48KB

  • memory/3588-13-0x0000000003A60000-0x0000000003B51000-memory.dmp

    Filesize

    964KB

  • memory/4744-0-0x0000000000680000-0x000000000068C000-memory.dmp

    Filesize

    48KB

  • memory/4744-4-0x0000000000670000-0x0000000000679000-memory.dmp

    Filesize

    36KB

  • memory/4744-6-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/4744-7-0x0000000003D50000-0x0000000003E41000-memory.dmp

    Filesize

    964KB