Analysis

  • max time kernel: 142s
  • max time network: 152s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 16-05-2024 11:47

General

  • Target: 4ae92949161b313c6f5c846be759f221_JaffaCakes118.exe
  • Size: 736KB
  • MD5: 4ae92949161b313c6f5c846be759f221
  • SHA1: 89d4b292435fe741ace71394336734f9385b5832
  • SHA256: 93ee115623bdef096505ed9e768fd246e0b787b20e689365a80da73cb607b3e8
  • SHA512: a390d984c2fbab3ce4363f37def4f3b652cee5dab2f97511c4aee567e413ec48cab4f98672e33ec6cffca650dcc90a280b29bb4308bdb31813d56430d25bc51d
  • SSDEEP: 12288:OxpXle/CdHI25T6HmRIteIPtdjGemV0dkEu5RVYWfrLReTmxvS6yESRsooCxUqK3:AIaEmWteI1XmV06VRhfrL/a6yESRsozc

Malware Config

Extracted

  • Family: emotet
  • Botnet: Epoch3
  • C2


  • rsa_pubkey.plain

Signatures

  • Emotet
    Emotet is a trojan that is primarily spread through spam emails.
  • Emotet payload (3 IoCs)
    Detects Emotet payload in memory.
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ae92949161b313c6f5c846be759f221_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4ae92949161b313c6f5c846be759f221_JaffaCakes118.exe"
    PID: 1648
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx


Downloads

  • memory/1648-0-0x0000000002170000-0x000000000217C000-memory.dmp (Filesize: 48KB)
  • memory/1648-4-0x0000000002160000-0x0000000002169000-memory.dmp (Filesize: 36KB)
  • memory/1648-5-0x0000000002170000-0x000000000217C000-memory.dmp (Filesize: 48KB)
  • memory/1648-6-0x0000000002150000-0x0000000002158000-memory.dmp (Filesize: 32KB)
  • memory/1648-7-0x0000000002700000-0x00000000027F1000-memory.dmp (Filesize: 964KB)