Analysis Overview
SHA256
a1dca72a7dd2d57413da17ac27500ac3a2b0f18b336152859301fa07134e04c8
Threat Level: Known bad
The file 9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Emotet
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-10 20:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 20:40
Reported
2024-06-10 20:42
Platform
win7-20240215-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Emotet
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{16C1A56F-9781-4B2A-8B95-1F4C2B54C1EE}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{16C1A56F-9781-4B2A-8B95-1F4C2B54C1EE}\WpadDecisionTime = 60dad07276bbda01 | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{16C1A56F-9781-4B2A-8B95-1F4C2B54C1EE}\WpadDecision = "0" | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-21-f1-08-ae-ab\WpadDecisionReason = "1" | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-21-f1-08-ae-ab\WpadDecisionTime = 60dad07276bbda01 | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-21-f1-08-ae-ab\WpadDecision = "0" | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-21-f1-08-ae-ab | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{16C1A56F-9781-4B2A-8B95-1F4C2B54C1EE}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{16C1A56F-9781-4B2A-8B95-1F4C2B54C1EE}\a2-21-f1-08-ae-ab | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-21-f1-08-ae-ab\WpadDetectedUrl | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0057000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{16C1A56F-9781-4B2A-8B95-1F4C2B54C1EE} | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\leelawhorz.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe"
C:\Windows\SysWOW64\leelawhorz.exe
"C:\Windows\SysWOW64\leelawhorz.exe"
C:\Windows\SysWOW64\leelawhorz.exe
"C:\Windows\SysWOW64\leelawhorz.exe"
Network
| Country | Destination | Domain | Proto |
| TR | 81.215.192.201:80 | | tcp |
| TR | 81.215.192.201:80 | | tcp |
| IN | 113.193.217.34:80 | | tcp |
| IN | 113.193.217.34:80 | | tcp |
| US | 174.67.38.138:8090 | | tcp |
| US | 174.67.38.138:8090 | | tcp |
| US | 12.139.45.113:80 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 20:40
Reported
2024-06-10 20:42
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Emotet
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1840 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe |
| PID 1840 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe |
| PID 1840 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe |
| PID 2084 wrote to memory of 4052 | N/A | C:\Windows\SysWOW64\cabhexa.exe | C:\Windows\SysWOW64\cabhexa.exe |
| PID 2084 wrote to memory of 4052 | N/A | C:\Windows\SysWOW64\cabhexa.exe | C:\Windows\SysWOW64\cabhexa.exe |
| PID 2084 wrote to memory of 4052 | N/A | C:\Windows\SysWOW64\cabhexa.exe | C:\Windows\SysWOW64\cabhexa.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9bde69db3a9f69349eaf2f1f4c859f7d_JaffaCakes118.exe"
C:\Windows\SysWOW64\cabhexa.exe
"C:\Windows\SysWOW64\cabhexa.exe"
C:\Windows\SysWOW64\cabhexa.exe
"C:\Windows\SysWOW64\cabhexa.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| TR | 81.215.192.201:80 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| IN | 113.193.217.34:80 | | tcp |
| US | 174.67.38.138:8090 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 12.139.45.113:80 | | tcp |
| US | 8.8.8.8:53 | 232.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 216.215.112.198:80 | | tcp |
| US | 65.79.210.121:443 | | tcp |
| CA | 204.29.213.242:80 | | tcp |
Files