Analysis
-
max time kernel
136s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
25-05-2024 14:53
Static task
static1
Behavioral task
behavioral1
Sample
72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe
Resource
win7-20240215-en
General
-
Target
72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe
-
Size
392KB
-
MD5
72556988fd1623efd2e90ed87b14e644
-
SHA1
5f02ee8bb59504cc2325427759cf50fb1ea3d1f1
-
SHA256
f2ba7468f0bd780ad29c66bd01d7e2e9780040eacfe736bfa861eb08908cc7be
-
SHA512
1eb14a4e565b9e488652e1bc9051fc1130a3687916cb99fd99201e2b3e2db366c7d6fec939c7064f2c915a9af318c4651941d114ad95ad0da96ced28b36b05a2
-
SSDEEP
6144:vQwl8GGD02Q98eFRDtelT6LXdooCXV5DLvmgB76/Sj2tcm5dqa5/sZS:vr8XD0DxDtyQXS5uPUiz5r5J
Malware Config
Extracted
emotet
Epoch3
50.63.13.135:8080
80.211.32.88:8080
222.239.249.166:443
54.38.94.197:8080
78.46.87.133:8080
191.100.24.201:50000
200.71.112.158:53
212.129.14.27:8080
190.189.79.73:80
176.58.93.123:80
113.52.135.33:7080
161.18.233.114:80
46.17.6.116:8080
192.241.220.183:8080
162.144.46.90:8080
95.216.207.86:7080
95.216.212.157:8080
217.26.163.82:7080
50.116.78.109:8080
142.93.87.198:8080
216.75.37.196:8080
139.162.185.116:443
172.245.13.50:8080
124.150.175.133:80
192.163.221.191:8080
186.66.224.182:990
138.197.140.163:8080
119.159.150.176:443
198.57.217.170:8080
124.150.175.129:8080
182.176.116.139:995
201.196.15.79:990
181.44.166.242:80
157.7.164.178:8081
143.95.101.72:8080
212.112.113.235:80
192.161.190.171:8080
195.226.144.249:80
23.253.207.142:8080
177.226.25.78:80
187.177.155.123:990
189.236.4.214:443
152.169.32.143:8080
51.38.134.203:8080
181.47.235.26:993
172.104.70.207:8080
5.189.148.98:8080
37.59.24.25:8080
163.172.97.112:8080
181.197.108.171:443
46.105.131.68:8080
195.201.56.68:7080
80.93.48.49:7080
Signatures
-
Drops file in System32 directory 4 IoCs
Processes:
leeltextto.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 leeltextto.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE leeltextto.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies leeltextto.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 leeltextto.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 3 IoCs
Processes:
leeltextto.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix leeltextto.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" leeltextto.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" leeltextto.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
leeltextto.exepid process 3216 leeltextto.exe 3216 leeltextto.exe 3216 leeltextto.exe 3216 leeltextto.exe 3216 leeltextto.exe 3216 leeltextto.exe 3216 leeltextto.exe 3216 leeltextto.exe 3216 leeltextto.exe 3216 leeltextto.exe 3216 leeltextto.exe 3216 leeltextto.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exepid process 4920 72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exeleeltextto.exeleeltextto.exepid process 1384 72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe 4920 72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe 1812 leeltextto.exe 3216 leeltextto.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exeleeltextto.exedescription pid process target process PID 1384 wrote to memory of 4920 1384 72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe 72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe PID 1384 wrote to memory of 4920 1384 72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe 72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe PID 1384 wrote to memory of 4920 1384 72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe 72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe PID 1812 wrote to memory of 3216 1812 leeltextto.exe leeltextto.exe PID 1812 wrote to memory of 3216 1812 leeltextto.exe leeltextto.exe PID 1812 wrote to memory of 3216 1812 leeltextto.exe leeltextto.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Users\Admin\AppData\Local\Temp\72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe--f05c32392⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:4920
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:81⤵PID:2740
-
C:\Windows\SysWOW64\leeltextto.exe"C:\Windows\SysWOW64\leeltextto.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\leeltextto.exe--d7b643ba2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3216
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\27c0738ed88ae919a1711a9b1324b5a5_d2547453-e731-4fdf-8f92-95f955a44acaFilesize
50B
MD5dd78062e166a7d28ea259d66acf16e7b
SHA1b4799b14e9c354d2f2e954906c8a2ebf1262388d
SHA25602d89b3d50c411c1ad7b4d2555f08620bccc5132adb6c965c043912489cbce8a
SHA5122973d854e2c4288ed671a9b92ad97e161811112800d070bdf6d6f482bfe696cfcc7104ffa2a2102900a9a0fda02d558ecb15744cd5a7fb84b4948b7278edfb49
-
memory/1384-0-0x0000000002260000-0x0000000002277000-memory.dmpFilesize
92KB
-
memory/1384-5-0x0000000000610000-0x0000000000621000-memory.dmpFilesize
68KB
-
memory/1812-12-0x0000000000E70000-0x0000000000E87000-memory.dmpFilesize
92KB
-
memory/3216-19-0x0000000000E40000-0x0000000000E57000-memory.dmpFilesize
92KB
-
memory/4920-6-0x00000000006C0000-0x00000000006D7000-memory.dmpFilesize
92KB
-
memory/4920-18-0x0000000000400000-0x0000000000465000-memory.dmpFilesize
404KB