Analysis Overview
SHA256
0d5488caa8d8b88658eef8372132d7515ee48173c0e5a14fa0aa219b0bffda13
Threat Level: Known bad
The file aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Emotet
Executes dropped EXE
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 14:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 14:09
Reported
2024-06-14 14:11
Platform
win7-20240611-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Emotet
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1768 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe |
| PID 1768 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe |
| PID 1768 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe |
| PID 1768 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe"
C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe
"C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe"
Network
| Country | Destination | Domain | Proto |
| US | 107.5.122.110:80 | tcp | |
| US | 107.5.122.110:80 | tcp | |
| US | 199.101.86.6:443 | tcp | |
| US | 199.101.86.6:443 | tcp | |
| US | 45.55.219.163:443 | tcp | |
| US | 45.55.219.163:443 | tcp |
Files
memory/1768-0-0x0000000000370000-0x000000000037C000-memory.dmp
memory/1768-4-0x0000000000350000-0x0000000000359000-memory.dmp
C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe
| MD5 | aa196f01930b5dbfbe2e0e6bcc995d7f |
| SHA1 | e7821509a71bd4cb7c415e5e9b99ea83ee79874d |
| SHA256 | 0d5488caa8d8b88658eef8372132d7515ee48173c0e5a14fa0aa219b0bffda13 |
| SHA512 | 0a270762710929ec6be3be5104213012ed7096e23244729fcbb1b71d0c86b7f490ff91b639f06ee3aabbb387c9c3fe7c00593df011e03b83cff7de6b9cff0ac8 |
memory/1768-6-0x0000000000400000-0x000000000048C000-memory.dmp
memory/3060-11-0x0000000000260000-0x000000000026C000-memory.dmp
memory/3060-7-0x0000000000260000-0x000000000026C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 14:09
Reported
2024-06-14 14:11
Platform
win10v2004-20240611-en
Max time kernel
135s
Max time network
144s
Command Line
Signatures
Emotet
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5568 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe |
| PID 5568 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe |
| PID 5568 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe | C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe"
C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe
"C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 107.5.122.110:80 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp |
| US | 199.101.86.6:443 | tcp | |
| US | 45.55.219.163:443 | tcp | |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| GB | 62.30.7.67:443 | tcp | |
| US | 8.8.8.8:53 | 203.131.50.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 185.94.252.104:443 | tcp | |
| SG | 203.117.253.142:80 | tcp |
Files
memory/5568-0-0x00000000007D0000-0x00000000007DC000-memory.dmp
memory/5568-4-0x00000000007C0000-0x00000000007C9000-memory.dmp
C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe
| MD5 | aa196f01930b5dbfbe2e0e6bcc995d7f |
| SHA1 | e7821509a71bd4cb7c415e5e9b99ea83ee79874d |
| SHA256 | 0d5488caa8d8b88658eef8372132d7515ee48173c0e5a14fa0aa219b0bffda13 |
| SHA512 | 0a270762710929ec6be3be5104213012ed7096e23244729fcbb1b71d0c86b7f490ff91b639f06ee3aabbb387c9c3fe7c00593df011e03b83cff7de6b9cff0ac8 |
memory/5568-6-0x0000000000400000-0x000000000048C000-memory.dmp
memory/4928-7-0x0000000002300000-0x000000000230C000-memory.dmp
memory/4928-11-0x0000000002300000-0x000000000230C000-memory.dmp