Analysis
-
max time kernel
140s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
16-05-2024 01:00
Static task
static1
Behavioral task
behavioral1
Sample
48db891916cfe565c080bce304b8a516_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
48db891916cfe565c080bce304b8a516_JaffaCakes118.exe
-
Size
384KB
-
MD5
48db891916cfe565c080bce304b8a516
-
SHA1
899a63c2ce0a9c0117aac27454e6056f9d264261
-
SHA256
89075c9254ce4374c3823c7fe24e11c4a553d4d2f13e5d78bdd60c805bea3d58
-
SHA512
7b82f4e72153f57f36d5715216eec7ed65886dee24ee7ea365668e0c85410ac9d69b6122b33ed21b279ea06e96aaf7c5540988580d5bca225f9d82cfe8d651f1
-
SSDEEP
6144:M9UmVagKkDThVbgcV9d2dGXWvq8lCTGs+rUqJRjjhow8H/:MBTPgcV9MdfS8lCTGsZ2vawI
Malware Config
Extracted
emotet
Epoch3
69.14.208.221:80
156.155.163.232:80
211.42.204.154:80
164.68.115.146:8080
5.189.148.98:8080
46.105.128.215:8080
69.30.205.162:7080
182.176.116.139:995
72.51.153.27:80
124.150.175.129:8080
96.234.38.186:8080
139.59.12.63:8080
220.78.29.88:80
190.38.252.45:443
128.92.54.20:80
94.203.236.122:80
46.105.131.68:8080
162.144.46.90:8080
59.158.164.66:443
95.255.140.89:443
174.57.150.13:8080
51.38.134.203:8080
211.218.105.101:80
82.79.244.92:80
216.75.37.196:8080
82.146.55.23:7080
192.161.190.171:8080
188.230.134.205:80
187.233.220.93:443
51.77.113.97:8080
192.210.217.94:8080
37.70.131.107:80
120.51.83.89:443
88.247.26.78:80
91.117.131.122:80
172.104.70.207:8080
203.153.216.178:7080
165.100.148.200:443
138.197.140.163:8080
81.82.247.216:80
177.103.240.93:80
187.250.92.82:80
89.215.225.15:80
195.250.143.182:80
189.225.211.171:443
201.196.15.79:990
42.51.192.231:8080
181.167.35.84:80
175.103.239.50:80
181.46.176.38:80
115.179.91.58:80
190.101.87.170:80
95.216.212.157:8080
23.253.207.142:8080
46.17.6.116:8080
50.116.78.109:8080
163.172.97.112:8080
86.98.157.3:80
153.190.41.185:80
85.109.190.235:443
95.9.217.200:8080
85.235.219.74:80
200.41.121.69:443
210.111.160.220:80
119.57.36.54:8080
192.241.220.183:8080
72.27.212.209:8080
83.156.88.159:80
190.146.14.143:443
78.187.204.70:80
142.93.87.198:8080
178.134.1.238:80
158.69.167.246:8080
185.192.75.240:443
98.15.140.226:80
190.171.135.235:80
86.6.123.109:80
58.93.151.148:80
176.58.93.123:80
177.103.201.23:80
67.254.196.78:443
78.46.87.133:8080
181.47.235.26:993
78.186.102.195:80
108.184.9.44:80
221.154.59.110:80
110.142.161.90:80
201.183.251.100:80
186.84.173.136:8080
24.27.122.202:80
212.112.113.235:80
185.244.167.25:443
189.61.200.9:443
92.16.222.156:80
212.129.14.27:8080
86.70.224.211:80
91.117.31.181:80
175.127.140.68:80
24.28.178.71:80
193.33.38.208:443
87.9.181.247:80
113.52.135.33:7080
124.150.175.133:80
200.71.112.158:53
190.161.67.63:80
210.224.65.117:80
58.185.224.18:80
110.2.118.164:80
95.216.207.86:7080
37.46.129.215:8080
41.77.74.214:443
100.38.11.243:80
217.181.139.237:443
190.5.162.204:80
191.100.24.201:50000
37.59.24.25:8080
Signatures
-
Drops file in System32 directory 4 IoCs
Processes:
wsatwrap.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 wsatwrap.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE wsatwrap.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies wsatwrap.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 wsatwrap.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 3 IoCs
Processes:
wsatwrap.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix wsatwrap.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" wsatwrap.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" wsatwrap.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
wsatwrap.exepid process 840 wsatwrap.exe 840 wsatwrap.exe 840 wsatwrap.exe 840 wsatwrap.exe 840 wsatwrap.exe 840 wsatwrap.exe 840 wsatwrap.exe 840 wsatwrap.exe 840 wsatwrap.exe 840 wsatwrap.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
48db891916cfe565c080bce304b8a516_JaffaCakes118.exepid process 1112 48db891916cfe565c080bce304b8a516_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
48db891916cfe565c080bce304b8a516_JaffaCakes118.exe48db891916cfe565c080bce304b8a516_JaffaCakes118.exewsatwrap.exewsatwrap.exepid process 3024 48db891916cfe565c080bce304b8a516_JaffaCakes118.exe 1112 48db891916cfe565c080bce304b8a516_JaffaCakes118.exe 2448 wsatwrap.exe 840 wsatwrap.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
48db891916cfe565c080bce304b8a516_JaffaCakes118.exewsatwrap.exedescription pid process target process PID 3024 wrote to memory of 1112 3024 48db891916cfe565c080bce304b8a516_JaffaCakes118.exe 48db891916cfe565c080bce304b8a516_JaffaCakes118.exe PID 3024 wrote to memory of 1112 3024 48db891916cfe565c080bce304b8a516_JaffaCakes118.exe 48db891916cfe565c080bce304b8a516_JaffaCakes118.exe PID 3024 wrote to memory of 1112 3024 48db891916cfe565c080bce304b8a516_JaffaCakes118.exe 48db891916cfe565c080bce304b8a516_JaffaCakes118.exe PID 2448 wrote to memory of 840 2448 wsatwrap.exe wsatwrap.exe PID 2448 wrote to memory of 840 2448 wsatwrap.exe wsatwrap.exe PID 2448 wrote to memory of 840 2448 wsatwrap.exe wsatwrap.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\48db891916cfe565c080bce304b8a516_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\48db891916cfe565c080bce304b8a516_JaffaCakes118.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Users\Admin\AppData\Local\Temp\48db891916cfe565c080bce304b8a516_JaffaCakes118.exe--f65792b52⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1112
-
C:\Windows\SysWOW64\wsatwrap.exe"C:\Windows\SysWOW64\wsatwrap.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\wsatwrap.exe--b8844aab2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:840