Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
19-05-2024 19:22
Static task
static1
Behavioral task
behavioral1
Sample
5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe
-
Size
416KB
-
MD5
5b0af3dce15d92a5a7b8a37de83eeaa7
-
SHA1
6dcd0197106aad03ebb99fe5b48e07030eee313c
-
SHA256
75d39cde8311668ffaea4a2211eb81690af2cfb39e8407dd73fdac3e1c7cc777
-
SHA512
6c02ee833a5c348ebf81d00a27de74b727055636da4fb8cda0fbcc7f81d8627731c7af22842cb80b061f233d2f29791b1c1342c95d6fce611c7f5d28a7a4be61
-
SSDEEP
6144:BL0ofRj4RzQF/zpWDdnXrZ+S7fSShT7bh1XhtGpmjc95bTYDbpaX:BLVRsRzQDWDxZ+gf17bh1XEm4ffobpaX
Malware Config
Extracted
emotet
Epoch3
178.153.91.22:80
92.17.138.248:80
114.183.140.94:80
172.105.213.30:80
69.30.205.162:7080
50.63.13.135:8080
192.161.190.171:8080
210.111.160.220:80
181.44.166.242:80
41.218.118.66:80
46.17.6.116:8080
142.93.87.198:8080
113.52.135.33:7080
187.177.155.123:990
172.90.70.168:443
198.57.217.170:8080
123.142.37.165:80
95.216.212.157:8080
187.250.92.82:80
216.75.37.196:8080
157.7.164.178:8081
51.38.134.203:8080
72.27.212.209:8080
201.196.15.79:990
122.11.164.183:80
80.93.48.49:7080
85.105.183.228:443
46.105.131.68:8080
195.201.56.68:7080
192.210.217.94:8080
81.82.247.216:80
177.103.201.23:80
192.163.221.191:8080
201.183.251.100:80
78.46.87.133:8080
83.156.88.159:80
190.101.87.170:80
163.172.97.112:8080
172.104.70.207:8080
82.79.244.92:80
190.5.162.204:80
103.122.75.218:80
23.253.207.142:8080
182.176.116.139:995
119.159.150.176:443
60.53.3.153:8080
72.69.99.47:80
212.129.14.27:8080
5.189.148.98:8080
95.216.207.86:7080
124.150.175.129:8080
181.47.235.26:993
189.236.4.214:443
45.129.121.222:443
200.71.112.158:53
197.90.159.42:80
143.95.101.72:8080
189.180.105.125:443
139.162.185.116:443
191.100.24.201:50000
83.99.211.160:80
186.215.101.106:80
195.191.107.67:80
192.241.220.183:8080
161.18.233.114:80
172.245.13.50:8080
50.116.78.109:8080
138.197.140.163:8080
152.169.32.143:8080
190.189.79.73:80
186.66.224.182:990
193.33.38.208:443
212.112.113.235:80
83.110.107.243:443
89.215.225.15:80
211.218.105.101:80
124.150.175.133:80
181.197.108.171:443
176.58.93.123:80
81.213.145.45:443
162.144.46.90:8080
37.59.24.25:8080
188.230.134.205:80
187.233.220.93:443
Signatures
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mailboxxcl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 21 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mailboxxcl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mailboxxcl.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0076000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mailboxxcl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-44-fa-05-dd-51\WpadDecisionReason = "1" mailboxxcl.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-44-fa-05-dd-51\WpadDecisionTime = 70a31bf121aada01 mailboxxcl.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mailboxxcl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94ABF82B-B9EB-4DA9-BD02-A10312DA8EE7} mailboxxcl.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94ABF82B-B9EB-4DA9-BD02-A10312DA8EE7}\WpadDecisionTime = 70a31bf121aada01 mailboxxcl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-44-fa-05-dd-51 mailboxxcl.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mailboxxcl.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mailboxxcl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mailboxxcl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-44-fa-05-dd-51\WpadDecision = "0" mailboxxcl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94ABF82B-B9EB-4DA9-BD02-A10312DA8EE7}\8e-44-fa-05-dd-51 mailboxxcl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mailboxxcl.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mailboxxcl.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mailboxxcl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mailboxxcl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94ABF82B-B9EB-4DA9-BD02-A10312DA8EE7}\WpadDecisionReason = "1" mailboxxcl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94ABF82B-B9EB-4DA9-BD02-A10312DA8EE7}\WpadDecision = "0" mailboxxcl.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94ABF82B-B9EB-4DA9-BD02-A10312DA8EE7}\WpadNetworkName = "Network 3" mailboxxcl.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2512 mailboxxcl.exe 2512 mailboxxcl.exe 2512 mailboxxcl.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2864 5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1688 5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe 2864 5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe 2616 mailboxxcl.exe 2512 mailboxxcl.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1688 wrote to memory of 2864 1688 5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2864 1688 5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2864 1688 5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2864 1688 5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe 28 PID 2616 wrote to memory of 2512 2616 mailboxxcl.exe 30 PID 2616 wrote to memory of 2512 2616 mailboxxcl.exe 30 PID 2616 wrote to memory of 2512 2616 mailboxxcl.exe 30 PID 2616 wrote to memory of 2512 2616 mailboxxcl.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe--ba70c3002⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:2864
-
-
C:\Windows\SysWOW64\mailboxxcl.exe"C:\Windows\SysWOW64\mailboxxcl.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\mailboxxcl.exe--2760295f2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2512
-