Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 15:32
Static task: static1
Behavioral task: behavioral1
Sample: 8ae862c67f85dddfe480032eb103d5c7_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 8ae862c67f85dddfe480032eb103d5c7_JaffaCakes118.exe
Size: 351KB
MD5: 8ae862c67f85dddfe480032eb103d5c7
SHA1: 10fe99c74a8c2bbf316b5e7e993b1d50fcacad84
SHA256: 1843ee4c7805b2ff1ace171bf8daf3cce9c27b483711ae8ad6665bfd27c92970
SHA512: e7b984f46159377926a9d6f0664a9b84c0416a789cb2eacc5d4f16a0ac8d944f71a4dda70c72524bdbff4fcd25b636228d1264303d7638f52c0c9bfe98a7f697
SSDEEP: 6144:ELdOErr1UnnZt/8fDro5R4MZYB4bi8CLqwGhw2/K6786TEnCAIpi9MxipEl7BuH9:aOErcBWDroj4MZYBMMbGy
Malware Config
Extracted: emotet (Epoch1)
C2 list:
190.217.1.149:80
154.120.227.206:8080
45.56.79.249:443
163.172.40.218:7080
79.143.182.254:8080
190.230.60.129:8080
46.28.111.142:7080
190.182.161.7:8080
186.68.141.218:80
201.163.74.202:443
62.75.143.100:7080
200.57.102.71:8443
41.75.135.93:7080
119.159.150.176:443
46.41.151.103:8080
178.79.163.131:8080
190.10.194.42:8080
104.131.58.132:8080
200.113.106.18:80
186.15.57.7:8080
220.241.38.226:50000
77.245.101.134:8080
82.196.15.205:8080
190.96.118.15:443
207.154.204.40:8080
190.104.253.234:990
181.36.42.205:443
190.120.104.21:443
201.184.41.228:990
181.44.166.242:80
183.82.97.25:80
212.71.237.140:8080
190.146.131.105:8080
201.213.32.59:80
200.30.227.135:80
178.249.187.151:8080
94.183.71.206:7080
217.199.160.224:8080
91.205.215.57:7080
190.230.60.129:80
139.5.237.27:443
91.204.163.19:8090
51.15.8.192:8080
94.177.183.28:8080
86.42.166.147:80
144.139.158.155:80
181.59.253.20:21
77.55.211.77:8080
142.93.114.137:8080
190.97.30.167:990
62.75.160.178:8080
80.85.87.122:8080
109.169.86.13:8080
190.38.14.52:80
186.1.41.111:443
138.68.106.4:7080
186.0.95.172:80
45.79.95.107:443
119.59.124.163:8080
68.183.170.114:8080
181.16.17.210:443
14.160.93.230:80
159.203.204.126:8080
201.190.133.235:8080
86.6.188.121:80
46.101.212.195:8080
87.106.77.40:7080
149.62.173.247:8080
89.188.124.145:443
186.23.132.93:990
181.135.153.203:443
69.163.33.84:8080
200.58.83.179:80
185.86.148.222:8080
185.187.198.10:8080
79.127.57.43:80
91.83.93.124:7080
46.29.183.211:8080
50.28.51.143:8080
5.196.35.138:7080
81.169.140.14:443
203.25.159.3:8080
190.85.152.186:8080
68.183.190.199:8080
Signatures
Drops file in System32 directory (4 IoCs)
Processes: ctntsongs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE  ctntsongs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies  ctntsongs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5  ctntsongs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5  ctntsongs.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (3 IoCs)
Processes: ctntsongs.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  ctntsongs.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  ctntsongs.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  ctntsongs.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: ctntsongs.exe
  PID 1632  ctntsongs.exe  (16 events)

Suspicious behavior: RenamesItself (1 IoC)
Processes: 8ae862c67f85dddfe480032eb103d5c7_JaffaCakes118.exe
  PID 3376  8ae862c67f85dddfe480032eb103d5c7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 8ae862c67f85dddfe480032eb103d5c7_JaffaCakes118.exe, ctntsongs.exe
  description                          pid   process                                                target process
  PID 3032 wrote to memory of 3376     3032  8ae862c67f85dddfe480032eb103d5c7_JaffaCakes118.exe    8ae862c67f85dddfe480032eb103d5c7_JaffaCakes118.exe  (3 events)
  PID 876 wrote to memory of 1632      876   ctntsongs.exe                                          ctntsongs.exe  (3 events)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\8ae862c67f85dddfe480032eb103d5c7_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\8ae862c67f85dddfe480032eb103d5c7_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\8ae862c67f85dddfe480032eb103d5c7_JaffaCakes118.exe  --dbdfbb9
        - Suspicious behavior: RenamesItself

[1] C:\Windows\SysWOW64\ctntsongs.exe  "C:\Windows\SysWOW64\ctntsongs.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\ctntsongs.exe  --24ee631d
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\151006038beb3d5e9a4e1db2e6315db6_310807ab-751f-4d81-ae09-b202eaf21e19
  Filesize: 50B
  MD5: 2219ed8c4461bbee47dc0ac045013700
  SHA1: f537ff444a352845422abf004e0087645f903a44
  SHA256: a2291a4fcb3343cdfad5d198bdc7dd62af09605c264681fa26ed79cecb53c01e
  SHA512: 74026b6cb0f530e6acc0681ac68b990ca68f7baca7244b2954799b3556ee98c88f8d63092863cd391d1851b6e10795f54252da34a5d25da3911779891f8cb822

memory/876-23-0x0000000000400000-0x000000000044F000-memory.dmp  Filesize: 316KB
memory/876-15-0x0000000000400000-0x000000000044F000-memory.dmp  Filesize: 316KB
memory/876-17-0x0000000001400000-0x0000000001417000-memory.dmp  Filesize: 92KB
memory/1632-32-0x0000000000400000-0x000000000044F000-memory.dmp  Filesize: 316KB
memory/1632-26-0x00000000013B0000-0x00000000013C7000-memory.dmp  Filesize: 92KB
memory/3032-1-0x0000000000400000-0x000000000044F000-memory.dmp  Filesize: 316KB
memory/3032-2-0x0000000000650000-0x0000000000667000-memory.dmp  Filesize: 92KB
memory/3032-0-0x0000000000401000-0x0000000000417000-memory.dmp  Filesize: 88KB
memory/3032-12-0x0000000000400000-0x000000000044F000-memory.dmp  Filesize: 316KB
memory/3376-8-0x00000000001A0000-0x00000000001B7000-memory.dmp  Filesize: 92KB
memory/3376-31-0x0000000000400000-0x000000000044F000-memory.dmp  Filesize: 316KB
memory/3376-14-0x0000000000400000-0x000000000044F000-memory.dmp  Filesize: 316KB