Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2024 09:05

Static task: static1
Behavioral task: behavioral1
- Sample: 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe
- Size: 428KB
- MD5: 89f99f4791f56d7f8d68a2de9c4ec93b
- SHA1: bce55faecfeb73bb229602a9afeadb1082b0519e
- SHA256: aa07db23c6addba5df56820272525090bee9bcf4cda3b3d9ed00f5bdfc674021
- SHA512: 21a241179ba4f309df4ec1779deca8f492b92be5187a5bc1fd580b69b5520e32bc9bee5633f6bfce24b08d0812aba67f450c830151f4731653dfa40320c364f5
- SSDEEP: 6144:zYFNR92mUmlPaSLNV1TvSTpBmwJLpUe6xt0kLec95bTYDbpaa:zKR920lPVzSTptLpUej4xffobpaa

Malware Config
Extracted
- Family: emotet
- Botnet: Epoch1
- C2 servers:
73.167.135.180:80
72.29.55.174:80
63.246.252.234:80
104.236.137.72:8080
172.104.233.225:8080
213.189.36.51:8080
85.234.143.94:8080
200.123.101.90:80
203.25.159.3:8080
134.209.214.126:8080
88.250.223.190:8080
190.186.164.23:80
82.196.15.205:8080
110.143.18.92:80
91.204.163.19:8090
14.160.93.230:80
159.203.204.126:8080
200.58.83.179:80
163.172.40.218:7080
189.173.113.67:443
201.190.133.235:8080
87.118.70.69:8080
178.79.163.131:8080
190.210.184.138:995
125.99.61.162:7080
86.42.166.147:80
91.205.215.57:7080
77.241.53.234:80
46.28.111.142:7080
181.61.143.177:80
109.166.89.91:80
182.48.194.6:8090
50.28.51.143:8080
204.63.252.182:443
139.5.237.27:443
47.187.70.124:443
181.198.203.45:443
149.62.173.247:8080
142.93.114.137:8080
190.97.30.167:990
185.86.148.222:8080
47.146.42.234:80
190.146.131.105:8080
81.213.215.216:50000
201.163.74.202:443
154.120.227.206:8080
200.113.106.18:80
116.48.138.115:80
87.106.77.40:7080
186.68.48.204:443
191.103.76.34:443
181.36.42.205:443
46.101.212.195:8080
121.175.14.59:990
80.85.87.122:8080
144.139.56.105:80
181.135.153.203:443
217.199.160.224:8080
203.130.0.69:80
91.83.93.124:7080
62.75.143.100:7080
5.196.35.138:7080
188.216.24.204:80
68.183.190.199:8080
98.196.49.107:80
82.8.232.51:80
80.29.54.20:80
190.102.226.91:80
190.38.14.52:80
37.132.193.19:8080
62.75.160.178:8080
212.71.237.140:8080
186.15.83.52:8080
183.82.97.25:80
77.55.211.77:8080
138.68.106.4:7080
95.179.195.74:80
2.38.99.79:80
201.213.32.59:80
68.183.170.114:8080
181.231.62.54:80
119.59.124.163:8080
69.163.33.84:8080
190.4.50.26:80
190.17.42.79:80
200.124.225.32:80
104.131.58.132:8080
96.20.84.254:7080
118.200.218.193:443
142.127.57.63:8080
45.79.95.107:443
207.154.204.40:8080
190.195.129.227:8090
109.169.86.13:8080
51.255.165.160:8080
188.14.39.65:443
Signatures
- Drops file in System32 directory (4 IoCs)
  Processes:
  - wrapsitka.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  - wrapsitka.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  - wrapsitka.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
  - wrapsitka.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (3 IoCs)
  Processes:
  - wrapsitka.exe: Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - wrapsitka.exe: Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - wrapsitka.exe: Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  - PID 3260 wrapsitka.exe (listed 14 times)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
  - PID 3732 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  - PID 2024 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe
  - PID 3732 89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe
  - PID 1204 wrapsitka.exe
  - PID 3260 wrapsitka.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 2024 (89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe) wrote to memory of PID 3732 (89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe) (listed 3 times)
  - PID 1204 (wrapsitka.exe) wrote to memory of PID 3260 (wrapsitka.exe) (listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\89f99f4791f56d7f8d68a2de9c4ec93b_JaffaCakes118.exe (level 2)
    Command line: --7a0a68d4
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\wrapsitka.exe (level 1)
  Command line: "C:\Windows\SysWOW64\wrapsitka.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wrapsitka.exe (level 2)
    Command line: --cee64ca0
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\5ee9f8cddb3ff188c6a99dcf99203008_41e50f4a-4a76-42e1-a3df-51306e426307
  Filesize: 50B
  MD5: aaec799e344163d0d188e0590697cb1e
  SHA1: 94aa3e9674f1335e1cdf6dc7b7c7cdbf5c97c65d
  SHA256: d627b40c75603106e24782fdb852c180722ae6d472bdb60367bf2708f28f5454
  SHA512: 285e78b5ddc3049b2b167e0c785f410260eecdbb745489e3e5984e118c627e97b7499f8a937a4a6d5da4fe046fb220fc70fd5abc583083909fd005b1ee4f03b0
- memory/1204-13-0x0000000000E40000-0x0000000000E57000-memory.dmp
  Filesize: 92KB
- memory/2024-0-0x0000000000700000-0x0000000000717000-memory.dmp
  Filesize: 92KB
- memory/2024-5-0x00000000006E0000-0x00000000006F1000-memory.dmp
  Filesize: 68KB
- memory/3260-20-0x0000000000E30000-0x0000000000E47000-memory.dmp
  Filesize: 92KB
- memory/3732-6-0x0000000001FC0000-0x0000000001FD7000-memory.dmp
  Filesize: 92KB
- memory/3732-11-0x0000000000400000-0x000000000046F000-memory.dmp
  Filesize: 444KB