Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-05-2024 23:44

General

  • Target

    85528033b4b49155dce796e5a2b87fd4_JaffaCakes118.exe

  • Size

    149KB

  • MD5

    85528033b4b49155dce796e5a2b87fd4

  • SHA1

    73aa36a70afdfdfb6ad41f402fd056a88d1ca40d

  • SHA256

    9fb655cde488d0e8fc6063a8c52d5970b6e64bd4eddcc6e0f12ecc84ee45fbe3

  • SHA512

    1e26a5b9747c1aa0681b9a13d449d616df69f412f1ce3d9b63bc8896acc666937034754e3f3f08ef65f8cdfbae38aef384f91be3013dba6e3ef5b1aa7c7b5283

  • SSDEEP

    3072:f8RAZ8zv28USb33t32yiJBnkfPr1tnRBv:fT8zv2ib33cBJNkfj1t7

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious behavior: RenamesItself (1 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\85528033b4b49155dce796e5a2b87fd4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\85528033b4b49155dce796e5a2b87fd4_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Users\Admin\AppData\Local\Temp\85528033b4b49155dce796e5a2b87fd4_JaffaCakes118.exe
      --37c1039e
      2⤵
      • Suspicious behavior: RenamesItself
      PID:1996
  • C:\Windows\SysWOW64\wowshades.exe
    "C:\Windows\SysWOW64\wowshades.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Windows\SysWOW64\wowshades.exe
      --40f64abb
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v13

Downloads

  • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\4bd2907d2e0afb20e1193e2292377f44_a47c70d8-7adc-4ad7-994f-644a8c84c176
    Filesize

    50B

    MD5

    531d9bc2297289ce9b2144d0e78e77d8

    SHA1

    e69557ab8db39ceea4557d322cab2ce8f4b61888

    SHA256

    b4c777ec60d20aced83997482ad62fa0482734cffa67f4a5bf327f5c15d93ae0

    SHA512

    4bd8bffea131b8b5302ffba45bf651aba71a6235bff78c08b5bad78ebe88794cba13bb6712411764b7c0e821ecca4283862dc8b243eda25f6966c3b6292df636

  • memory/1284-20-0x0000000000E50000-0x0000000000E67000-memory.dmp
    Filesize

    92KB

  • memory/1284-25-0x0000000000E20000-0x0000000000E31000-memory.dmp
    Filesize

    68KB

  • memory/1996-6-0x0000000000560000-0x0000000000577000-memory.dmp
    Filesize

    92KB

  • memory/1996-11-0x0000000000540000-0x0000000000551000-memory.dmp
    Filesize

    68KB

  • memory/1996-26-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

  • memory/2700-0-0x0000000002080000-0x0000000002097000-memory.dmp
    Filesize

    92KB

  • memory/2700-5-0x00000000005E0000-0x00000000005F1000-memory.dmp
    Filesize

    68KB

  • memory/3616-13-0x00000000005F0000-0x0000000000607000-memory.dmp
    Filesize

    92KB

  • memory/3616-18-0x00000000005D0000-0x00000000005E1000-memory.dmp
    Filesize

    68KB