Analysis
max time kernel: 142s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-05-2024 08:48
Static task: static1
Behavioral task: behavioral1
Sample: 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe
Size: 412KB
MD5: 789276feab6849023a6c4b6a11861ea8
SHA1: 050647db9bc42a11ccfb2e0b130e875750c2b89b
SHA256: 2432483d736e2ecf5e4e6c4a9289abee9c8f32250b5e26dc8733a76f7a144575
SHA512: 65825be8a021eb55abf2017fbd537391942d0d0d4841eb4dbb33a9b399134f86df93c4034b1d23c8cc94cadf6b468ee335fa27ae0ddb2102326b135aa60c86f5
SSDEEP: 6144:EvF5YL75Xe42xSCSuwxrSFfsezX96mmK7HU7msXI1jA3d/rv1eK2X:EvF5m7Je42xj3ISX9JHU7U0rIKs
Malware Config
Extracted family: emotet
Botnet: Epoch1
C2 servers:
186.92.11.143:8080
200.30.227.135:80
178.249.187.151:8080
81.169.140.14:443
94.177.183.28:8080
89.188.124.145:443
185.86.148.222:8080
82.196.15.205:8080
77.245.101.134:8080
217.199.160.224:8080
76.69.29.42:80
181.59.253.20:21
46.28.111.142:7080
149.62.173.247:8080
200.58.83.179:80
190.230.60.129:80
181.36.42.205:443
190.97.30.167:990
46.29.183.211:8080
87.106.77.40:7080
212.71.237.140:8080
151.80.142.33:80
185.187.198.10:8080
190.146.131.105:8080
5.196.35.138:7080
119.59.124.163:8080
190.10.194.42:8080
183.82.97.25:80
79.127.57.43:80
203.25.159.3:8080
69.163.33.84:8080
45.79.95.107:443
178.79.163.131:8080
46.41.151.103:8080
91.204.163.19:8090
62.75.160.178:8080
200.113.106.18:80
46.101.212.195:8080
144.139.158.155:80
50.28.51.143:8080
200.58.171.51:80
190.230.60.129:8080
91.205.215.57:7080
80.85.87.122:8080
14.160.93.230:80
62.75.143.100:7080
200.57.102.71:8443
94.183.71.206:7080
138.68.106.4:7080
79.143.182.254:8080
46.163.144.228:80
79.129.0.173:8080
68.183.170.114:8080
86.42.166.147:80
190.104.253.234:990
190.85.152.186:8080
170.84.133.72:7080
201.163.74.202:443
159.203.204.126:8080
186.68.141.218:80
51.15.8.192:8080
186.1.41.111:443
109.169.86.13:8080
181.16.17.210:443
119.159.150.176:443
181.135.153.203:443
139.5.237.27:443
91.83.93.124:7080
187.193.89.61:50000
77.55.211.77:8080
181.44.166.242:80
186.23.132.93:990
181.51.251.236:443
68.183.190.199:8080
104.131.58.132:8080
186.0.95.172:80
190.1.37.125:443
190.38.14.52:80
Signatures

Drops file in System32 directory (1 IoCs)
Processes: startedenglish.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | startedenglish.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (21 IoCs)
Processes: startedenglish.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | startedenglish.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | startedenglish.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | startedenglish.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | startedenglish.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | startedenglish.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1667C4C5-2195-4321-B2B1-D0DFAF127C5B}\WpadDecisionTime = e08fc3af12b0da01 | startedenglish.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-64-5f-e0-ef-60\WpadDecisionTime = e08fc3af12b0da01 | startedenglish.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | startedenglish.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | startedenglish.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | startedenglish.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1667C4C5-2195-4321-B2B1-D0DFAF127C5B}\WpadDecision = "0" | startedenglish.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1667C4C5-2195-4321-B2B1-D0DFAF127C5B}\WpadNetworkName = "Network 3" | startedenglish.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-64-5f-e0-ef-60 | startedenglish.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-64-5f-e0-ef-60\WpadDecisionReason = "1" | startedenglish.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | startedenglish.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1667C4C5-2195-4321-B2B1-D0DFAF127C5B} | startedenglish.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1667C4C5-2195-4321-B2B1-D0DFAF127C5B}\WpadDecisionReason = "1" | startedenglish.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-64-5f-e0-ef-60\WpadDecision = "0" | startedenglish.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | startedenglish.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | startedenglish.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1667C4C5-2195-4321-B2B1-D0DFAF127C5B}\4e-64-5f-e0-ef-60 | startedenglish.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: startedenglish.exe
pid | process
2592 | startedenglish.exe
2592 | startedenglish.exe
2592 | startedenglish.exe
Suspicious behavior: RenamesItself (1 IoCs)
Processes: 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe
pid | process
2180 | 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes: 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe, 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe, startedenglish.exe, startedenglish.exe
pid | process
2084 | 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe
2084 | 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe
2180 | 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe
2180 | 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe
2924 | startedenglish.exe
2924 | startedenglish.exe
2592 | startedenglish.exe
2592 | startedenglish.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe, startedenglish.exe
description | pid | process | target process
PID 2084 wrote to memory of 2180 | 2084 | 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe | 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe
PID 2084 wrote to memory of 2180 | 2084 | 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe | 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe
PID 2084 wrote to memory of 2180 | 2084 | 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe | 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe
PID 2084 wrote to memory of 2180 | 2084 | 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe | 789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe
PID 2924 wrote to memory of 2592 | 2924 | startedenglish.exe | startedenglish.exe
PID 2924 wrote to memory of 2592 | 2924 | startedenglish.exe | startedenglish.exe
PID 2924 wrote to memory of 2592 | 2924 | startedenglish.exe | startedenglish.exe
PID 2924 wrote to memory of 2592 | 2924 | startedenglish.exe | startedenglish.exe
Processes

C:\Users\Admin\AppData\Local\Temp\789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe"
PID: 2084
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\789276feab6849023a6c4b6a11861ea8_JaffaCakes118.exe
    Command line: --76afc74b
    PID: 2180
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\startedenglish.exe
Command line: "C:\Windows\SysWOW64\startedenglish.exe"
PID: 2924
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\startedenglish.exe
    Command line: --bda023c1
    PID: 2592
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
memory/2084-0-0x0000000000360000-0x0000000000376000-memory.dmp (Filesize 88KB)
memory/2084-5-0x0000000000350000-0x0000000000360000-memory.dmp (Filesize 64KB)
memory/2180-6-0x0000000000240000-0x0000000000256000-memory.dmp (Filesize 88KB)
memory/2180-16-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize 428KB)
memory/2592-17-0x00000000001E0000-0x00000000001F6000-memory.dmp (Filesize 88KB)
memory/2924-11-0x0000000000530000-0x0000000000546000-memory.dmp (Filesize 88KB)