Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-05-2024 04:00

General

  • Target

    4e57efc86bd3ffbba00f7b48ecad40b0_JaffaCakes118.exe

  • Size

    232KB

  • MD5

    4e57efc86bd3ffbba00f7b48ecad40b0

  • SHA1

    109313e76173a8e6d3ad3f528f0d5fae8c8f29c0

  • SHA256

    4ae82c978e89401819473fd0ac2e19c967619815cb81d26acdc5cce4ed19cbb4

  • SHA512

    edfa749c8e2d25c3aa3fd732d454b9325f8e9a86ee56292b43161e551c627a939f0b544940551e884210b2d5a6b86545fc7758e32a1a216176ed906dd01abf02

  • SSDEEP

    6144:k6Ee9/iQ+I/Ezt2n0ienGSceOpvVa1wwmYR5U7N:Z/6Q+I/E9gvrL9

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

190.16.101.10:80

190.217.1.149:80

45.56.122.75:80

85.25.92.96:8080

94.177.253.126:80

187.188.166.192:80

192.241.220.183:8080

189.132.130.111:8080

186.109.91.136:80

186.92.11.143:8080

203.99.182.135:443

91.109.5.28:8080

70.32.94.58:8080

70.45.30.28:80

203.99.187.137:443

190.228.212.165:50000

51.38.134.203:8080

203.99.188.11:443

184.82.233.15:80

154.120.227.206:8080

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 25 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e57efc86bd3ffbba00f7b48ecad40b0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4e57efc86bd3ffbba00f7b48ecad40b0_JaffaCakes118.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Users\Admin\AppData\Local\Temp\4e57efc86bd3ffbba00f7b48ecad40b0_JaffaCakes118.exe
      --96a0d3cf
      2⤵
      • Modifies registry class
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:108
  • C:\Windows\SysWOW64\langsripple.exe
    "C:\Windows\SysWOW64\langsripple.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Windows\SysWOW64\langsripple.exe
      --2331fcab
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/108-6-0x00000000002F0000-0x0000000000307000-memory.dmp

    Filesize

    92KB

  • memory/108-16-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2320-0-0x0000000000310000-0x0000000000327000-memory.dmp

    Filesize

    92KB

  • memory/2320-5-0x00000000002D0000-0x00000000002E1000-memory.dmp

    Filesize

    68KB

  • memory/2404-11-0x00000000006F0000-0x0000000000707000-memory.dmp

    Filesize

    92KB

  • memory/2668-17-0x0000000000B10000-0x0000000000B27000-memory.dmp

    Filesize

    92KB