Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-05-2024 04:00

General

  • Target

    4e57efc86bd3ffbba00f7b48ecad40b0_JaffaCakes118.exe

  • Size

    232KB

  • MD5

    4e57efc86bd3ffbba00f7b48ecad40b0

  • SHA1

    109313e76173a8e6d3ad3f528f0d5fae8c8f29c0

  • SHA256

    4ae82c978e89401819473fd0ac2e19c967619815cb81d26acdc5cce4ed19cbb4

  • SHA512

    edfa749c8e2d25c3aa3fd732d454b9325f8e9a86ee56292b43161e551c627a939f0b544940551e884210b2d5a6b86545fc7758e32a1a216176ed906dd01abf02

  • SSDEEP

    6144:k6Ee9/iQ+I/Ezt2n0ienGSceOpvVa1wwmYR5U7N:Z/6Q+I/E9gvrL9

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

190.16.101.10:80

190.217.1.149:80

45.56.122.75:80

85.25.92.96:8080

94.177.253.126:80

187.188.166.192:80

192.241.220.183:8080

189.132.130.111:8080

186.109.91.136:80

186.92.11.143:8080

203.99.182.135:443

91.109.5.28:8080

70.32.94.58:8080

70.45.30.28:80

203.99.187.137:443

190.228.212.165:50000

51.38.134.203:8080

203.99.188.11:443

184.82.233.15:80

154.120.227.206:8080

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS (3 IoCs)
  • Modifies registry class (36 IoCs)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious behavior: RenamesItself (1 IoCs)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e57efc86bd3ffbba00f7b48ecad40b0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4e57efc86bd3ffbba00f7b48ecad40b0_JaffaCakes118.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Users\Admin\AppData\Local\Temp\4e57efc86bd3ffbba00f7b48ecad40b0_JaffaCakes118.exe
      --96a0d3cf
      2⤵
      • Modifies registry class
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:2568
  • C:\Windows\SysWOW64\loadabuilder.exe
    "C:\Windows\SysWOW64\loadabuilder.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\SysWOW64\loadabuilder.exe
      --d4954212
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1584

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\e067bc2560d38144183d820119c466a0_39fbc0df-d496-4ae0-b1d7-bde60e245d90

    Filesize

    50B

    MD5

    c6b4ed23b646d09be518590697d71aae

    SHA1

    cbcead300f943e7512750e9bd85af4d8df3eecea

    SHA256

    6c756bd7a9b936a087c0f1df8f46cc17de4698b2cec67e2a28bfe589bc656cb1

    SHA512

    24306f7480814a03901475af646a04df9d9f912201c51643d33584a808db928060a72ee634e5ee1649117c9f4c8605fea495aabba51111533d9f98fe265d6c9b

  • memory/1584-19-0x0000000000DD0000-0x0000000000DE7000-memory.dmp

    Filesize

    92KB

  • memory/2536-12-0x0000000000E20000-0x0000000000E37000-memory.dmp

    Filesize

    92KB

  • memory/2568-6-0x0000000002220000-0x0000000002237000-memory.dmp

    Filesize

    92KB

  • memory/2568-17-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3108-1-0x0000000000710000-0x0000000000727000-memory.dmp

    Filesize

    92KB

  • memory/3108-5-0x00000000006F0000-0x0000000000701000-memory.dmp

    Filesize

    68KB