Analysis Overview
SHA256
81f6d01e79b1f7913b1703a4d7d52319d469b04b84d392a29d3160ebdb2232d2
Threat Level: Known bad
The file 4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Emotet
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-16 11:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-16 11:40
Reported
2024-05-16 11:43
Platform
win7-20240220-en
Max time kernel
128s
Max time network
138s
Command Line
Signatures
Emotet
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| FR | 82.239.200.118:80 | tcp | |
| FR | 82.239.200.118:80 | tcp | |
| FR | 185.81.158.15:8080 | tcp | |
| FR | 185.81.158.15:8080 | tcp | |
| FR | 51.255.15.193:7080 | tcp | |
| FR | 51.255.15.193:7080 | tcp | |
| FR | 85.25.207.108:8080 | tcp | |
| FR | 85.25.207.108:8080 | tcp |
Files
memory/1684-0-0x0000000000340000-0x000000000034C000-memory.dmp
memory/1684-4-0x00000000002E0000-0x00000000002E9000-memory.dmp
memory/1684-5-0x0000000000340000-0x000000000034C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-16 11:40
Reported
2024-05-16 11:43
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Emotet
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe | C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3320 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe | C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe |
| PID 3320 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe | C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe |
| PID 3320 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe | C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe"
C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe
"C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| FR | 82.239.200.118:80 | tcp | |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| FR | 185.81.158.15:8080 | tcp | |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FR | 51.255.15.193:7080 | tcp | |
| FR | 85.25.207.108:8080 | tcp | |
| US | 107.161.30.122:8080 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| VN | 113.161.148.81:80 | tcp | |
| US | 74.208.173.91:8080 | tcp | |
| US | 8.8.8.8:53 | 41.173.79.40.in-addr.arpa | udp |
Files
memory/3320-0-0x00000000023E0000-0x00000000023EC000-memory.dmp
memory/3320-4-0x00000000023D0000-0x00000000023D9000-memory.dmp
C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe
| MD5 | 4ae1bafe6820163cb0d9cc073492950c |
| SHA1 | e586d422164a8593bff505ad0b078dcae20183dc |
| SHA256 | 81f6d01e79b1f7913b1703a4d7d52319d469b04b84d392a29d3160ebdb2232d2 |
| SHA512 | c089e1f1d7828b6923e29fa0ed712bda7ea18a2439e12524b7fca78c2ab9113f060c3cc794ab46f0058bfc6661132129cecd964c2317418d512a03dfe13735ec |
memory/3320-6-0x0000000000400000-0x000000000048C000-memory.dmp
memory/1688-7-0x0000000000760000-0x000000000076C000-memory.dmp
memory/1688-11-0x0000000000760000-0x000000000076C000-memory.dmp