Analysis Overview
SHA256
32063cf418f54fcfc9e3ca5f36d37dc19e767f82623a61ec060b042f27ed0178
Threat Level: Known bad
The file b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Emotet
Emotet payload
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 21:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 21:31
Reported
2024-06-15 21:33
Platform
win7-20240611-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Emotet
Emotet payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mfcsubs\normaliz.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\mfcsubs\normaliz.exe | C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mfcsubs\normaliz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mfcsubs\normaliz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mfcsubs\normaliz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mfcsubs\normaliz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mfcsubs\normaliz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mfcsubs\normaliz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mfcsubs\normaliz.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mfcsubs\normaliz.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mfcsubs\normaliz.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2032 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe | C:\Windows\SysWOW64\mfcsubs\normaliz.exe |
| PID 2032 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe | C:\Windows\SysWOW64\mfcsubs\normaliz.exe |
| PID 2032 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe | C:\Windows\SysWOW64\mfcsubs\normaliz.exe |
| PID 2032 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe | C:\Windows\SysWOW64\mfcsubs\normaliz.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe"
C:\Windows\SysWOW64\mfcsubs\normaliz.exe
"C:\Windows\SysWOW64\mfcsubs\normaliz.exe"
Network
| Country | Destination | Domain | Proto |
| SA | 94.49.254.194:80 | N/A | tcp |
| SA | 94.49.254.194:80 | N/A | tcp |
| CH | 212.51.142.238:8080 | N/A | tcp |
| CH | 212.51.142.238:8080 | N/A | tcp |
| IT | 91.231.166.124:8080 | N/A | tcp |
| IT | 91.231.166.124:8080 | N/A | tcp |
| US | 162.241.92.219:8080 | N/A | tcp |
| US | 162.241.92.219:8080 | N/A | tcp |
| LT | 79.98.24.39:8080 | N/A | tcp |
| LT | 79.98.24.39:8080 | N/A | tcp |
| IT | 109.117.53.230:443 | N/A | tcp |
| IT | 109.117.53.230:443 | N/A | tcp |
| TR | 78.189.165.52:8080 | N/A | tcp |
| TR | 78.189.165.52:8080 | N/A | tcp |
Files
memory/2032-0-0x00000000003E0000-0x00000000003EC000-memory.dmp
memory/2032-5-0x0000000000400000-0x00000000004C5000-memory.dmp
C:\Windows\SysWOW64\mfcsubs\normaliz.exe
| MD5 | b02ff5582a93db07cc9891ebba43c42c |
| SHA1 | 5de11ef4feebdff42688396c4f09611d2b28ae1e |
| SHA256 | 32063cf418f54fcfc9e3ca5f36d37dc19e767f82623a61ec060b042f27ed0178 |
| SHA512 | 10f1436ad5d58c1a2e3247f9ffec6b77b2d7723fa19309442014cd6599a37408bbc23c0f9349eabdcf497dbe03b10ad6f5efb87dd40d518d3694c39f6b4126a8 |
memory/2464-6-0x00000000005C0000-0x00000000005CC000-memory.dmp
memory/2464-10-0x00000000005C0000-0x00000000005CC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 21:31
Reported
2024-06-15 21:34
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
146s
Command Line
Signatures
Emotet
Emotet payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| SA | 94.49.254.194:80 | N/A | tcp |
| CH | 212.51.142.238:8080 | N/A | tcp |
| IT | 91.231.166.124:8080 | N/A | tcp |
| US | 52.111.227.14:443 | N/A | tcp |
| US | 162.241.92.219:8080 | N/A | tcp |
| LT | 79.98.24.39:8080 | N/A | tcp |
| IT | 109.117.53.230:443 | N/A | tcp |
Files
memory/1948-0-0x0000000002CD0000-0x0000000002CDC000-memory.dmp
memory/1948-4-0x0000000002CC0000-0x0000000002CC9000-memory.dmp
memory/1948-5-0x0000000002CD0000-0x0000000002CDC000-memory.dmp
memory/1948-6-0x0000000002BC0000-0x0000000002CB1000-memory.dmp