Analysis Overview
SHA256
b23028444d54d452f96f4df6cbb647c58a4d352fdd4558dd0d3debd215902327
Threat Level: Known bad
The file aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Emotet
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 17:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 17:30
Reported
2024-06-14 17:33
Platform
win7-20240611-en
Max time kernel
133s
Max time network
143s
Command Line
Signatures
Emotet
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F67AD3E-A8F1-4865-BD77-5A6F2FC8DA8B}\WpadNetworkName = "Network 2" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-e5-18-01-80-9d | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F67AD3E-A8F1-4865-BD77-5A6F2FC8DA8B}\0e-e5-18-01-80-9d | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F67AD3E-A8F1-4865-BD77-5A6F2FC8DA8B}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-e5-18-01-80-9d\WpadDecisionTime = d04318a980beda01 | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0047000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F67AD3E-A8F1-4865-BD77-5A6F2FC8DA8B} | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F67AD3E-A8F1-4865-BD77-5A6F2FC8DA8B}\WpadDecisionTime = d04318a980beda01 | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F67AD3E-A8F1-4865-BD77-5A6F2FC8DA8B}\WpadDecision = "0" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-e5-18-01-80-9d\WpadDecisionReason = "1" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-e5-18-01-80-9d\WpadDecision = "0" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe
--7c8c5eef
C:\Windows\SysWOW64\rowsetbang.exe
"C:\Windows\SysWOW64\rowsetbang.exe"
C:\Windows\SysWOW64\rowsetbang.exe
--ab70b012
Network
| Country | Destination | Domain | Proto |
| MX | 189.159.113.125:8080 | tcp | |
| MX | 189.159.113.125:8080 | tcp | |
| AR | 200.51.94.251:80 | 200.51.94.251 | tcp |
| US | 45.33.54.74:443 | 45.33.54.74 | tcp |
| US | 209.141.41.136:8080 | tcp | |
| US | 209.141.41.136:8080 | tcp | |
| DE | 185.94.252.13:443 | tcp |
Files
memory/2016-0-0x0000000000390000-0x00000000003A4000-memory.dmp
memory/2016-5-0x0000000000380000-0x000000000038F000-memory.dmp
memory/2932-6-0x00000000003D0000-0x00000000003E4000-memory.dmp
memory/2388-11-0x00000000008D0000-0x00000000008E4000-memory.dmp
memory/2932-16-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2292-17-0x0000000000AD0000-0x0000000000AE4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 17:30
Reported
2024-06-14 17:33
Platform
win10v2004-20240611-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Emotet
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\SysWOW64\catjoin.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\SysWOW64\catjoin.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\SysWOW64\catjoin.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\SysWOW64\catjoin.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\catjoin.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\catjoin.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\catjoin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\catjoin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4412 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe |
| PID 4412 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe |
| PID 4412 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe |
| PID 3044 wrote to memory of 3388 | N/A | C:\Windows\SysWOW64\catjoin.exe | C:\Windows\SysWOW64\catjoin.exe |
| PID 3044 wrote to memory of 3388 | N/A | C:\Windows\SysWOW64\catjoin.exe | C:\Windows\SysWOW64\catjoin.exe |
| PID 3044 wrote to memory of 3388 | N/A | C:\Windows\SysWOW64\catjoin.exe | C:\Windows\SysWOW64\catjoin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe
--7c8c5eef
C:\Windows\SysWOW64\catjoin.exe
"C:\Windows\SysWOW64\catjoin.exe"
C:\Windows\SysWOW64\catjoin.exe
--4c15b236
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.243:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| BE | 88.221.83.243:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 243.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| MX | 189.159.113.125:8080 | tcp | |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| AR | 200.51.94.251:80 | 200.51.94.251 | tcp |
| US | 8.8.8.8:53 | 251.94.51.200.in-addr.arpa | udp |
| US | 45.33.54.74:443 | 45.33.54.74 | tcp |
| US | 8.8.8.8:53 | 74.54.33.45.in-addr.arpa | udp |
| US | 209.141.41.136:8080 | tcp | |
| DE | 185.94.252.13:443 | tcp | |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| PA | 186.75.241.230:80 | tcp | |
| AR | 201.251.43.69:8080 | tcp |
Files
memory/4412-0-0x00000000024D0000-0x00000000024E4000-memory.dmp
memory/4412-5-0x00000000024C0000-0x00000000024CF000-memory.dmp
memory/2500-6-0x0000000002280000-0x0000000002294000-memory.dmp
memory/3044-12-0x00000000015B0000-0x00000000015C4000-memory.dmp
memory/2500-17-0x0000000000400000-0x00000000004A6000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\503dd1842ca2542783c874edc85e93f5_50b25195-d6c8-43bb-b2ca-a8bd616967ef
| MD5 | c59d3dd5371f26cc653932d5e9dbbdfc |
| SHA1 | 2af1e109df080e1f1965702c5bc04be89fc5a108 |
| SHA256 | 020de7906bd5c29a9a4345890667b582ae71ac0a0d36510c80a1931f7ceec11f |
| SHA512 | b3781e13a5292a03d1cd4151554c2200cfb90f46696e498bb11ec3842fa9ef8d9d348e780fb66152b69e8c149fa803ce440a229be0c57313d623d04529041f17 |
memory/3388-19-0x0000000000E30000-0x0000000000E44000-memory.dmp