Analysis

  • max time kernel
    131s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-05-2024 05:17

General

  • Target

    6620336a6a602d98076733fe042d154d_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    6620336a6a602d98076733fe042d154d

  • SHA1

    8c4163fc85be743836a407a9e262aac40880a92a

  • SHA256

    95f33ec8115346b3cc2206125b265640c9df439275d4694b05de7d61c4c3cedb

  • SHA512

    df94df992bec3b37eb745003b911e9c048036cda3f8237a15200c78096fb9f4c264c3cf1a1c566c6d9bf40f9b6c76c2dbde789ecd9a9cafa6be72b066ef37af8

  • SSDEEP

    6144:VbXa0LFTuJQ3/j3zgZELr1VBNj082BJr3k3xUOVs3DVf81GoyHn7kOpN50IKOOqG:Vu0RTBPjkK/jH2fIGOVoDJLvfOqsUFY

Score
10/10

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6620336a6a602d98076733fe042d154d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6620336a6a602d98076733fe042d154d_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\AppData\Local\Temp\6620336a6a602d98076733fe042d154d_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\6620336a6a602d98076733fe042d154d_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      PID:2728
  • C:\Windows\SysWOW64\controlmath.exe
    "C:\Windows\SysWOW64\controlmath.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\SysWOW64\controlmath.exe
      "C:\Windows\SysWOW64\controlmath.exe"
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:2792

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1984-0-0x0000000000280000-0x0000000000299000-memory.dmp
    Filesize: 100KB
  • memory/1984-6-0x00000000002B0000-0x00000000002C0000-memory.dmp
    Filesize: 64KB
  • memory/1984-5-0x0000000000260000-0x0000000000279000-memory.dmp
    Filesize: 100KB
  • memory/1984-4-0x0000000000280000-0x0000000000299000-memory.dmp
    Filesize: 100KB
  • memory/1984-14-0x0000000000260000-0x0000000000279000-memory.dmp
    Filesize: 100KB
  • memory/2276-15-0x0000000000290000-0x00000000002A9000-memory.dmp
    Filesize: 100KB
  • memory/2276-29-0x00000000001F0000-0x0000000000209000-memory.dmp
    Filesize: 100KB
  • memory/2276-20-0x00000000001F0000-0x0000000000209000-memory.dmp
    Filesize: 100KB
  • memory/2276-21-0x00000000002B0000-0x00000000002C0000-memory.dmp
    Filesize: 64KB
  • memory/2276-19-0x0000000000290000-0x00000000002A9000-memory.dmp
    Filesize: 100KB
  • memory/2728-12-0x0000000000310000-0x0000000000329000-memory.dmp
    Filesize: 100KB
  • memory/2728-7-0x0000000000330000-0x0000000000349000-memory.dmp
    Filesize: 100KB
  • memory/2728-11-0x0000000000330000-0x0000000000349000-memory.dmp
    Filesize: 100KB
  • memory/2728-13-0x0000000000260000-0x0000000000270000-memory.dmp
    Filesize: 64KB
  • memory/2728-31-0x0000000000310000-0x0000000000329000-memory.dmp
    Filesize: 100KB
  • memory/2728-30-0x0000000000400000-0x0000000000529000-memory.dmp
    Filesize: 1.2MB
  • memory/2792-28-0x00000000002A0000-0x00000000002B0000-memory.dmp
    Filesize: 64KB
  • memory/2792-27-0x0000000000260000-0x0000000000279000-memory.dmp
    Filesize: 100KB
  • memory/2792-26-0x0000000000280000-0x0000000000299000-memory.dmp
    Filesize: 100KB
  • memory/2792-22-0x0000000000280000-0x0000000000299000-memory.dmp
    Filesize: 100KB
  • memory/2792-32-0x0000000000260000-0x0000000000279000-memory.dmp
    Filesize: 100KB