Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-05-2024 11:10
Static task: static1
Behavioral task: behavioral1
Sample: 631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
Size: 551KB
MD5: 631545bb910def12263fbd08ad675d6e
SHA1: 685fe2a44c4d2d803ec605b1e03ddec3e65e2a19
SHA256: 2091a24d7e03980bcd3f18b5a71ca87a93e4f4382810de2ad817086c626d3505
SHA512: fb38ac528a5f53ccb2dde9310f6166a5560e2d4089f2106f48983a49efa9b2ae6574f5385f238aa08b9355a5180004548b210a2459d6b191185b4b0cd7b7fe9e
SSDEEP: 12288:JjVeneMEuEB2ZVirlydPUGUuhshCK+NeFxAri6If0LecJDFqs:VcneFJB2irl6UuhzK+NeFxAri6IfmJJq
Malware Config
Extracted: emotet (Epoch1)
111.119.233.65:80
190.210.184.138:995
51.255.165.160:8080
45.56.79.249:443
163.172.40.218:7080
91.205.215.57:7080
68.183.170.114:8080
190.217.1.149:80
62.75.160.178:8080
200.113.106.18:80
5.196.35.138:7080
89.188.124.145:443
186.23.132.93:990
51.15.8.192:8080
190.38.14.52:80
217.199.160.224:8080
207.154.204.40:8080
142.93.114.137:8080
94.183.71.206:7080
190.104.253.234:990
212.71.237.140:8080
201.163.74.202:443
201.190.133.235:8080
186.15.57.7:8080
86.42.166.147:80
82.196.15.205:8080
186.68.141.218:80
46.28.111.142:7080
138.68.106.4:7080
190.10.194.42:8080
104.131.58.132:8080
190.96.118.15:443
190.230.60.129:80
109.169.86.13:8080
181.44.166.242:80
46.41.151.103:8080
144.139.158.155:80
183.82.97.25:80
149.62.173.247:8080
81.169.140.14:443
159.203.204.126:8080
77.245.101.134:8080
46.29.183.211:8080
68.183.190.199:8080
220.241.38.226:50000
45.79.95.107:443
200.58.83.179:80
190.97.30.167:990
178.79.163.131:8080
190.120.104.21:443
77.55.211.77:8080
201.213.32.59:80
79.143.182.254:8080
14.160.93.230:80
178.249.187.151:8080
190.182.161.7:8080
181.59.253.20:21
139.5.237.27:443
154.120.227.206:8080
91.83.93.124:7080
181.16.17.210:443
80.85.87.122:8080
119.59.124.163:8080
190.230.60.129:8080
181.135.153.203:443
185.86.148.222:8080
46.101.212.195:8080
201.184.41.228:990
50.28.51.143:8080
86.6.188.121:80
62.75.143.100:7080
81.213.215.216:50000
181.36.42.205:443
186.1.41.111:443
203.25.159.3:8080
79.127.57.43:80
69.163.33.84:8080
41.75.135.93:7080
190.146.131.105:8080
87.106.77.40:7080
91.204.163.19:8090
94.177.183.28:8080
Signatures

Drops file in System32 directory (4 IoCs)
Processes:
- pollerpdeft.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
- pollerpdeft.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
- pollerpdeft.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
- pollerpdeft.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (3 IoCs)
Processes:
- pollerpdeft.exe: Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- pollerpdeft.exe: Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- pollerpdeft.exe: Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
- PID 2836 pollerpdeft.exe (14 events)
Suspicious behavior: RenamesItself (1 IoCs)
Processes:
- PID 3924 631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes:
- PID 4916 631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe (2 events)
- PID 3924 631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe (2 events)
- PID 3248 pollerpdeft.exe (2 events)
- PID 2836 pollerpdeft.exe (2 events)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 4916 (631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe) wrote to memory of PID 3924 (631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe), 3 events
- PID 3248 (pollerpdeft.exe) wrote to memory of PID 2836 (pollerpdeft.exe), 3 events
Processes

- C:\Users\Admin\AppData\Local\Temp\631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe"
  PID: 4916
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe (child of PID 4916)
    Command line: --1971609f
    PID: 3924
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx

- C:\Windows\SysWOW64\pollerpdeft.exe
  Command line: "C:\Windows\SysWOW64\pollerpdeft.exe"
  PID: 3248
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\pollerpdeft.exe (child of PID 3248)
    Command line: --1847e9e9
    PID: 2836
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\01edac8cae020cd42786e051ebe37b67_6833eb7b-8d4b-4cdd-9502-9bbf7fc1cf9f
  Filesize: 50B
  MD5: 5f22af36aff2e43cacf9a56ba4166900
  SHA1: 914ede992f5edd5523a3a127a88f7bca60c69665
  SHA256: e0671a7dbf4fca7d937ff1300471c5823a57786710faba9f85daf9e843281e3a
  SHA512: f7fd666c6dcdae2bf235bb2b00791cf00519579e3181e5e3fd67e70c9a4027d48335b6498f6116efa5e513b7750b0eebeb484a63555d277939923bb48d4f3bc8

- memory/2836-19-0x0000000000E60000-0x0000000000E77000-memory.dmp
  Filesize: 92KB

- memory/3248-12-0x0000000000EC0000-0x0000000000ED7000-memory.dmp
  Filesize: 92KB

- memory/3924-6-0x00000000021E0000-0x00000000021F7000-memory.dmp
  Filesize: 92KB

- memory/3924-17-0x0000000000400000-0x0000000000491000-memory.dmp
  Filesize: 580KB

- memory/4916-5-0x0000000002160000-0x0000000002171000-memory.dmp
  Filesize: 68KB

- memory/4916-0-0x0000000003C50000-0x0000000003C67000-memory.dmp
  Filesize: 92KB