Analysis Overview
SHA256
c1a0cc11059abb00e7f6b71ca529c69004b3824c48dba1b62edcac18355b6363
Threat Level: Known bad
The file aad1b6ee34767adc0e3643be738c4c2a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Emotet
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 17:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 17:06
Reported
2024-06-14 17:08
Platform
win10v2004-20240611-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wwawscapi.exe | N/A |
(identical entry reported 18 times)
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 452 wrote to memory of 2416 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\aad1b6ee34767adc0e3643be738c4c2a_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 452 wrote to memory of 4280 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\aad1b6ee34767adc0e3643be738c4c2a_JaffaCakes118.exe | C:\Windows\SysWOW64\wwawscapi.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\aad1b6ee34767adc0e3643be738c4c2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aad1b6ee34767adc0e3643be738c4c2a_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C move /Y "C:\Users\Admin\AppData\Local\Temp\aad1b6ee34767adc0e3643be738c4c2a_JaffaCakes118.exe" "C:\Windows\SysWOW64\wwawscapi.exe"
C:\Windows\SysWOW64\wwawscapi.exe
"C:\Windows\SysWOW64\wwawscapi.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 17:06
Reported
2024-06-14 17:08
Platform
win7-20240611-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Emotet
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\alstcp.exe | N/A |
(identical entry reported 11 times)
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aad1b6ee34767adc0e3643be738c4c2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aad1b6ee34767adc0e3643be738c4c2a_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C move /Y "C:\Users\Admin\AppData\Local\Temp\aad1b6ee34767adc0e3643be738c4c2a_JaffaCakes118.exe" "C:\Windows\SysWOW64\alstcp.exe"
C:\Windows\SysWOW64\alstcp.exe
"C:\Windows\SysWOW64\alstcp.exe"
Network
Files