Analysis
  max time kernel: 143s
  max time network: 144s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 16-05-2024 08:06

Static task: static1

Behavioral task: behavioral1
  Sample: 4a2047ffb0ef6ffe4d1d103750d6755c_JaffaCakes118.exe
  Resource: win7-20240221-en
General
  Target: 4a2047ffb0ef6ffe4d1d103750d6755c_JaffaCakes118.exe
  Size: 492KB
  MD5: 4a2047ffb0ef6ffe4d1d103750d6755c
  SHA1: 9cc525e0f01406d322aba1bde4b9eaa3652f684f
  SHA256: 9d46a3813237554f82705957ccb70055bb9141c5679d5aa9c27ebf54b4c14593
  SHA512: e52d026384bff03bbb9d45443117a400a332a47632aeaf5b9c02cfc3fbca248cd64b3a9916186226b0e6dc3eb9eab1a3b11573b2d3f796e7a3b6ca6bc0fe9510
  SSDEEP: 6144:q4Nu8fk4Q8EykWWokq4s4jXNi/5/k/fMllZGtBaFOg4mUdfEtfF23ETogGjcKEKs:q4NFfk4QYkWWNqwjmkeYOMbjcsa15d
Malware Config (extracted)
  Family: emotet
  Botnet: Epoch3
  C2 servers (address:port):
172.90.70.168:443
72.69.99.47:80
24.28.178.71:80
172.105.213.30:80
69.30.205.162:7080
50.63.13.135:8080
192.161.190.171:8080
119.159.150.176:443
98.15.140.226:80
190.189.79.73:80
181.44.166.242:80
198.57.217.170:8080
210.224.65.117:80
82.79.244.92:80
72.27.212.209:8080
212.129.14.27:8080
181.47.235.26:993
182.176.116.139:995
142.93.87.198:8080
190.101.87.170:80
81.82.247.216:80
181.197.108.171:443
83.156.88.159:80
139.162.185.116:443
187.233.220.93:443
192.163.221.191:8080
77.245.12.212:80
45.129.121.222:443
192.241.220.183:8080
124.150.175.129:8080
37.59.24.25:8080
41.218.118.66:80
221.154.59.110:80
110.142.161.90:80
211.218.105.101:80
124.150.175.133:80
60.53.3.153:8080
195.201.56.68:7080
191.100.24.201:50000
83.110.107.243:443
197.90.159.42:80
5.189.148.98:8080
46.17.6.116:8080
81.213.145.45:443
123.142.37.165:80
201.196.15.79:990
152.169.32.143:8080
138.197.140.163:8080
176.58.93.123:80
83.99.211.160:80
115.179.91.58:80
195.191.107.67:80
80.102.124.98:8080
172.245.13.50:8080
177.103.201.23:80
122.11.164.183:80
80.93.48.49:7080
95.216.207.86:7080
186.215.101.106:80
95.216.212.157:8080
103.122.75.218:80
210.111.160.220:80
174.57.150.13:8080
89.215.225.15:80
212.112.113.235:80
186.66.224.182:990
189.61.200.9:443
78.186.102.195:80
188.230.134.205:80
193.33.38.208:443
163.172.97.112:8080
41.77.74.214:443
178.134.1.238:80
172.104.70.207:8080
201.183.251.100:80
85.105.183.228:443
23.253.207.142:8080
78.46.87.133:8080
190.161.67.63:80
143.95.101.72:8080
190.5.162.204:80
46.105.131.68:8080
1.32.54.12:8080
113.52.135.33:7080
216.75.37.196:8080
162.144.46.90:8080
51.38.134.203:8080
187.177.155.123:990
189.225.211.171:443
50.116.78.109:8080
192.210.217.94:8080
200.71.112.158:53
187.250.92.82:80
91.117.31.181:80
157.7.164.178:8081
Signatures

Drops file in System32 directory (1 IoC)
  Process: deployspecial.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (21 IoCs)
  Process: deployspecial.exe (all entries below)
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BE0C9A50-468A-408D-8A2E-DBC6B5B5E09A}
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-b4-3e-50-97-7a\WpadDecision = "0"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BE0C9A50-468A-408D-8A2E-DBC6B5B5E09A}\WpadNetworkName = "Network 3"
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-b4-3e-50-97-7a
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BE0C9A50-468A-408D-8A2E-DBC6B5B5E09A}\WpadDecisionReason = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BE0C9A50-468A-408D-8A2E-DBC6B5B5E09A}\WpadDecision = "0"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-b4-3e-50-97-7a\WpadDecisionReason = "1"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BE0C9A50-468A-408D-8A2E-DBC6B5B5E09A}\WpadDecisionTime = b0e380ff67a7da01
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BE0C9A50-468A-408D-8A2E-DBC6B5B5E09A}\ce-b4-3e-50-97-7a
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-b4-3e-50-97-7a\WpadDecisionTime = b0e380ff67a7da01
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0101000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 3064 deployspecial.exe (3 occurrences)

Suspicious behavior: RenamesItself (1 IoC)
  PID 2356 4a2047ffb0ef6ffe4d1d103750d6755c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
  PID 2844 4a2047ffb0ef6ffe4d1d103750d6755c_JaffaCakes118.exe (2 occurrences)
  PID 2356 4a2047ffb0ef6ffe4d1d103750d6755c_JaffaCakes118.exe (2 occurrences)
  PID 3000 deployspecial.exe (2 occurrences)
  PID 3064 deployspecial.exe (2 occurrences)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2844 4a2047ffb0ef6ffe4d1d103750d6755c_JaffaCakes118.exe wrote to memory of PID 2356 4a2047ffb0ef6ffe4d1d103750d6755c_JaffaCakes118.exe (4 occurrences)
  PID 3000 deployspecial.exe wrote to memory of PID 3064 deployspecial.exe (4 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\4a2047ffb0ef6ffe4d1d103750d6755c_JaffaCakes118.exe (PID 2844)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a2047ffb0ef6ffe4d1d103750d6755c_JaffaCakes118.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\4a2047ffb0ef6ffe4d1d103750d6755c_JaffaCakes118.exe (PID 2356, child of PID 2844)
       Command line: C:\Users\Admin\AppData\Local\Temp\4a2047ffb0ef6ffe4d1d103750d6755c_JaffaCakes118.exe --ee3ddbd7
       - Suspicious behavior: RenamesItself
       - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\deployspecial.exe (PID 3000)
  Command line: "C:\Windows\SysWOW64\deployspecial.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\deployspecial.exe (PID 3064, child of PID 3000)
       Command line: C:\Windows\SysWOW64\deployspecial.exe --2b65f528
       - Drops file in System32 directory
       - Modifies data under HKEY_USERS
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of SetWindowsHookEx