Analysis
max time kernel: 138s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 09:05
Static task: static1
Behavioral task: behavioral1
  Sample: 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe
  Resource: win7-20240221-en
General
Target: 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe
Size: 428KB
MD5: 89f99f4791f56d7f8d68a2de9c4ec93b
SHA1: bce55faecfeb73bb229602a9afeadb1082b0519e
SHA256: aa07db23c6addba5df56820272525090bee9bcf4cda3b3d9ed00f5bdfc674021
SHA512: 21a241179ba4f309df4ec1779deca8f492b92be5187a5bc1fd580b69b5520e32bc9bee5633f6bfce24b08d0812aba67f450c830151f4731653dfa40320c364f5
SSDEEP: 6144:zYFNR92mUmlPaSLNV1TvSTpBmwJLpUe6xt0kLec95bTYDbpaa:zKR920lPVzSTptLpUej4xffobpaa
Malware Config
Extracted: emotet (botnet: Epoch1)
C2 endpoints (ip:port), as extracted from the sample's configuration:
73.167.135.180:80
72.29.55.174:80
63.246.252.234:80
104.236.137.72:8080
172.104.233.225:8080
213.189.36.51:8080
85.234.143.94:8080
200.123.101.90:80
203.25.159.3:8080
134.209.214.126:8080
88.250.223.190:8080
190.186.164.23:80
82.196.15.205:8080
110.143.18.92:80
91.204.163.19:8090
14.160.93.230:80
159.203.204.126:8080
200.58.83.179:80
163.172.40.218:7080
189.173.113.67:443
201.190.133.235:8080
87.118.70.69:8080
178.79.163.131:8080
190.210.184.138:995
125.99.61.162:7080
86.42.166.147:80
91.205.215.57:7080
77.241.53.234:80
46.28.111.142:7080
181.61.143.177:80
109.166.89.91:80
182.48.194.6:8090
50.28.51.143:8080
204.63.252.182:443
139.5.237.27:443
47.187.70.124:443
181.198.203.45:443
149.62.173.247:8080
142.93.114.137:8080
190.97.30.167:990
185.86.148.222:8080
47.146.42.234:80
190.146.131.105:8080
81.213.215.216:50000
201.163.74.202:443
154.120.227.206:8080
200.113.106.18:80
116.48.138.115:80
87.106.77.40:7080
186.68.48.204:443
191.103.76.34:443
181.36.42.205:443
46.101.212.195:8080
121.175.14.59:990
80.85.87.122:8080
144.139.56.105:80
181.135.153.203:443
217.199.160.224:8080
203.130.0.69:80
91.83.93.124:7080
62.75.143.100:7080
5.196.35.138:7080
188.216.24.204:80
68.183.190.199:8080
98.196.49.107:80
82.8.232.51:80
80.29.54.20:80
190.102.226.91:80
190.38.14.52:80
37.132.193.19:8080
62.75.160.178:8080
212.71.237.140:8080
186.15.83.52:8080
183.82.97.25:80
77.55.211.77:8080
138.68.106.4:7080
95.179.195.74:80
2.38.99.79:80
201.213.32.59:80
68.183.170.114:8080
181.231.62.54:80
119.59.124.163:8080
69.163.33.84:8080
190.4.50.26:80
190.17.42.79:80
200.124.225.32:80
104.131.58.132:8080
96.20.84.254:7080
118.200.218.193:443
142.127.57.63:8080
45.79.95.107:443
207.154.204.40:8080
190.195.129.227:8090
109.169.86.13:8080
51.255.165.160:8080
188.14.39.65:443
Signatures

Drops file in System32 directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  process: scanmalert.exe
  Note: C:\Windows\SysWOW64\config\systemprofile is the LocalSystem account's profile directory, so this write indicates scanmalert.exe was running as SYSTEM, not as the Admin user that launched the original sample.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (21 IoCs)
  process: scanmalert.exe (all 21 entries)
  Note: all writes land in \REGISTRY\USER\.DEFAULT, the hive used by processes running as LocalSystem, and all of them are WinINet proxy/WPAD and cache state under Internet Settings, consistent with the process using WinINet for its outbound connections.
  1. Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  2. Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0073000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  3. Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-43-0f-be-be-1b
  4. Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-43-0f-be-be-1b\WpadDecisionReason = "1"
  5. Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  6. Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21375391-3F4D-4558-8330-637CD890942A}\96-43-0f-be-be-1b
  7. Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-43-0f-be-be-1b\WpadDecisionTime = d0aee1fc02b4da01
  8. Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  9. Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  10. Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  11. Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21375391-3F4D-4558-8330-637CD890942A}
  12. Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21375391-3F4D-4558-8330-637CD890942A}\WpadDecisionReason = "1"
  13. Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21375391-3F4D-4558-8330-637CD890942A}\WpadDecisionTime = d0aee1fc02b4da01
  14. Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21375391-3F4D-4558-8330-637CD890942A}\WpadNetworkName = "Network 3"
  15. Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-43-0f-be-be-1b\WpadDecision = "0"
  16. Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  17. Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  18. Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  19. Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  20. Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  21. Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21375391-3F4D-4558-8330-637CD890942A}\WpadDecision = "0"
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid / process:
  2472 scanmalert.exe
  2472 scanmalert.exe
  2472 scanmalert.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid / process:
  2228 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid / process:
  2220 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe
  2228 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe
  2836 scanmalert.exe
  2472 scanmalert.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / process / target process:
  PID 2220 wrote to memory of 2228 | 2220 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe | 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe
  PID 2220 wrote to memory of 2228 | 2220 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe | 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe
  PID 2220 wrote to memory of 2228 | 2220 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe | 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe
  PID 2220 wrote to memory of 2228 | 2220 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe | 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe
  PID 2836 wrote to memory of 2472 | 2836 scanmalert.exe | scanmalert.exe
  PID 2836 wrote to memory of 2472 | 2836 scanmalert.exe | scanmalert.exe
  PID 2836 wrote to memory of 2472 | 2836 scanmalert.exe | scanmalert.exe
  PID 2836 wrote to memory of 2472 | 2836 scanmalert.exe | scanmalert.exe
Processes
(PIDs taken from the WriteProcessMemory and SetWindowsHookEx signature tables above; depth shows parent/child nesting)

1. C:\Users\Admin\AppData\Local\Temp\89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe  (PID 2220)
   command line: "C:\Users\Admin\AppData\Local\Temp\89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe  (PID 2228)
      argument: --7a0a68d4
      - Suspicious behavior: RenamesItself
      - Suspicious use of SetWindowsHookEx

1. C:\Windows\SysWOW64\scanmalert.exe  (PID 2836)
   command line: "C:\Windows\SysWOW64\scanmalert.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\scanmalert.exe  (PID 2472)
      argument: --c910d2be
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
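The process tree and the extracted C2 list are the two parts of this report most directly usable for detection. The following is an added example, not sandbox output and not the sandbox's own tooling: an offline checker that (a) parses the Malware Config list into (ip, port) pairs and (b) looks for the relaunch pattern the tree shows, an executable starting a second copy of its own image with a single `--<8 hex chars>` argument (`--7a0a68d4`, `--c910d2be`), once from the user's Temp directory and again after the copy to C:\Windows\SysWOW64\scanmalert.exe. The pid/ppid/image/cmdline dict layout is a hypothetical, simplified stand-in for Sysmon-style process-creation and network-connection records; the parent PIDs 1000 and 600, the decoy cmd.exe event and all network events are constructed for the example (the report's own Network section is empty).

```python
"""Added example: offline checks built from this report's indicators.
Event layout is hypothetical (simplified Sysmon-style dicts); parent PIDs
1000/600, the cmd.exe decoy and the network events are constructed."""
import ipaddress
import re

# First eight endpoints copied from the Malware Config section of the report.
C2_TEXT = """\
73.167.135.180:80
72.29.55.174:80
63.246.252.234:80
104.236.137.72:8080
172.104.233.225:8080
213.189.36.51:8080
85.234.143.94:8080
200.123.101.90:80
"""

# Relaunch marker as seen in the process tree: a lone --<8 hex digits> argument.
REEXEC_ARG = re.compile(r"\s--[0-9a-fA-F]{8}$")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe"
COPY = r"C:\Windows\SysWOW64\scanmalert.exe"

# Constructed process-creation events mirroring the report's tree (PIDs from
# the signature tables; ppids 1000 and 600 are placeholders the report lacks).
PROC_EVENTS = [
    {"pid": 2220, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2228, "ppid": 2220, "image": SAMPLE, "cmdline": f'"{SAMPLE}" --7a0a68d4'},
    {"pid": 2836, "ppid": 600, "image": COPY, "cmdline": f'"{COPY}"'},
    {"pid": 2472, "ppid": 2836, "image": COPY, "cmdline": f'"{COPY}" --c910d2be'},
    # Decoy: hex-looking argument, but a different image from its parent.
    {"pid": 3000, "ppid": 2472, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe --deadbeef"},
]

# Constructed network events; the report itself shows no network traffic.
NET_EVENTS = [
    {"pid": 2472, "dst": "104.236.137.72", "dport": 8080},  # in the C2 list
    {"pid": 2472, "dst": "8.8.8.8", "dport": 53},           # not in the list
    {"pid": 2472, "dst": "104.236.137.72", "dport": 443},   # right host, wrong port
]


def parse_c2(text):
    """Parse 'ip:port' lines into a set of (ip, port); malformed lines are skipped."""
    endpoints = set()
    for line in text.splitlines():
        host, sep, port = line.strip().rpartition(":")
        if not sep or not port.isdigit():
            continue
        try:
            ip = str(ipaddress.ip_address(host))
        except ValueError:
            continue
        endpoints.add((ip, int(port)))
    return endpoints


def find_self_reexec(proc_events):
    """Return (parent_pid, child_pid, image) for every child that runs the same
    image as its parent and carries the --<8 hex> marker as its argument."""
    by_pid = {e["pid"]: e for e in proc_events}
    hits = []
    for e in proc_events:
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["image"].lower() != e["image"].lower():
            continue
        if REEXEC_ARG.search(e["cmdline"].strip()):
            hits.append((parent["pid"], e["pid"], e["image"]))
    return hits


def find_c2_contacts(net_events, endpoints):
    """Return (pid, ip, port) for connections that hit an extracted C2 endpoint.
    The port is part of the match so the alert stays tied to the extracted
    config; drop it from the tuple for a broader host-only sweep."""
    return [(e["pid"], e["dst"], e["dport"]) for e in net_events
            if (e["dst"], e["dport"]) in endpoints]


if __name__ == "__main__":
    c2 = parse_c2(C2_TEXT)
    for hit in find_self_reexec(PROC_EVENTS):
        print("self re-exec: parent %d -> child %d (%s)" % hit)
    for hit in find_c2_contacts(NET_EVENTS, c2):
        print("C2 contact: pid %d -> %s:%d" % hit)
```

Run against the constructed events it reports both relaunches (2220 to 2228 and 2836 to 2472) and ignores the cmd.exe decoy, because the image-equality check is what separates this pattern from any process that happens to take a hex argument. For the full list, paste all 96 lines from the Malware Config section into C2_TEXT.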
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
(memory dumps; file name encodes pid-index-start-end, size from the report)
memory/2220-0-0x0000000000470000-0x0000000000487000-memory.dmp  92KB
memory/2220-5-0x00000000003C0000-0x00000000003D1000-memory.dmp  68KB
memory/2228-6-0x00000000002E0000-0x00000000002F7000-memory.dmp  92KB
memory/2228-11-0x0000000000400000-0x000000000046F000-memory.dmp  444KB
memory/2472-18-0x0000000000B40000-0x0000000000B57000-memory.dmp  92KB
memory/2836-12-0x0000000000390000-0x00000000003A7000-memory.dmp  92KB
Note: the 0x400000-0x46F000 region in PID 2228 is the loaded sample image (0x400000 is the default 32-bit PE image base; 444KB mapped vs. 428KB on disk). A 92KB (0x17000-byte) region appears in all four PIDs, including both scanmalert.exe instances, and is the dump to start with when looking for the unpacked code.