Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2024 11:40

General

  • Target

    4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe

  • Size

    544KB

  • MD5

    4ae1bafe6820163cb0d9cc073492950c

  • SHA1

    e586d422164a8593bff505ad0b078dcae20183dc

  • SHA256

    81f6d01e79b1f7913b1703a4d7d52319d469b04b84d392a29d3160ebdb2232d2

  • SHA512

    c089e1f1d7828b6923e29fa0ed712bda7ea18a2439e12524b7fca78c2ab9113f060c3cc794ab46f0058bfc6661132129cecd964c2317418d512a03dfe13735ec

  • SSDEEP

    6144:LTp3XYyIMYUTgOBeWoavwiU0yV5C2222222222227pUnwXE1:LTp3XYBUEOBeGwiUZACr1

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

82.239.200.118:80

185.81.158.15:8080

51.255.15.193:7080

85.25.207.108:8080

107.161.30.122:8080

113.161.148.81:80

74.208.173.91:8080

139.59.12.63:8080

188.0.135.237:80

2.144.244.204:443

87.106.231.60:8080

181.137.229.1:80

173.94.215.84:80

175.29.183.2:80

37.46.129.215:8080

86.57.216.23:80

181.126.54.234:80

190.212.140.6:80

46.105.131.68:8080

190.190.15.20:80

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3320
    • C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe
      "C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe

    Filesize

    544KB

    MD5

    4ae1bafe6820163cb0d9cc073492950c

    SHA1

    e586d422164a8593bff505ad0b078dcae20183dc

    SHA256

    81f6d01e79b1f7913b1703a4d7d52319d469b04b84d392a29d3160ebdb2232d2

    SHA512

    c089e1f1d7828b6923e29fa0ed712bda7ea18a2439e12524b7fca78c2ab9113f060c3cc794ab46f0058bfc6661132129cecd964c2317418d512a03dfe13735ec

  • memory/1688-7-0x0000000000760000-0x000000000076C000-memory.dmp

    Filesize

    48KB

  • memory/1688-11-0x0000000000760000-0x000000000076C000-memory.dmp

    Filesize

    48KB

  • memory/3320-0-0x00000000023E0000-0x00000000023EC000-memory.dmp

    Filesize

    48KB

  • memory/3320-4-0x00000000023D0000-0x00000000023D9000-memory.dmp

    Filesize

    36KB

  • memory/3320-6-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB