Analysis

  • max time kernel
    131s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-06-2024 16:43

General

  • Target

    af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe

  • Size

    264KB

  • MD5

    af64b00ee58a65e1d0b0fe0d9295b018

  • SHA1

    255faa0e50e104ae5f353e5516d9cdf9a8d61c79

  • SHA256

    6d28339809a4e1e8cf45ab998568f777c2ad101c75f94c72461e8592ef581b98

  • SHA512

    9b0e0405ef2e75079684547e39a510abae679b1d97015ab4a7d5e44a0e6bebe226ec4d71e25a2bb0a7e4c18c8c55cddac8615379b8b8801f5d970465529e0cc4

  • SSDEEP

    1536:DuaWmy41frZbE5KLCX6kxCxRjFnYDdyrrQkATezKwXHfterq8:DuaWmyWfrZYX6kSEgrrQkA2KWFeH

Score
10/10

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      PID:3464
  • C:\Windows\SysWOW64\quotashared.exe
    "C:\Windows\SysWOW64\quotashared.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Windows\SysWOW64\quotashared.exe
      "C:\Windows\SysWOW64\quotashared.exe"
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1664

Network

MITRE ATT&CK Matrix ATT&CK v13

Downloads

  • memory/1664-32-0x00000000004E0000-0x00000000004ED000-memory.dmp (Filesize: 52KB)
  • memory/1664-27-0x00000000004E0000-0x00000000004ED000-memory.dmp (Filesize: 52KB)
  • memory/1664-28-0x0000000000600000-0x0000000000610000-memory.dmp (Filesize: 64KB)
  • memory/1824-15-0x00000000006B0000-0x00000000006BD000-memory.dmp (Filesize: 52KB)
  • memory/1824-29-0x0000000000530000-0x000000000053D000-memory.dmp (Filesize: 52KB)
  • memory/1824-20-0x0000000000530000-0x000000000053D000-memory.dmp (Filesize: 52KB)
  • memory/1824-21-0x00000000006C0000-0x00000000006D0000-memory.dmp (Filesize: 64KB)
  • memory/1824-19-0x00000000006B0000-0x00000000006BD000-memory.dmp (Filesize: 52KB)
  • memory/3464-7-0x00000000005F0000-0x00000000005FD000-memory.dmp (Filesize: 52KB)
  • memory/3464-12-0x00000000005E0000-0x00000000005ED000-memory.dmp (Filesize: 52KB)
  • memory/3464-13-0x0000000000600000-0x0000000000610000-memory.dmp (Filesize: 64KB)
  • memory/3464-11-0x00000000005F0000-0x00000000005FD000-memory.dmp (Filesize: 52KB)
  • memory/3464-31-0x00000000005E0000-0x00000000005ED000-memory.dmp (Filesize: 52KB)
  • memory/3464-30-0x0000000000400000-0x0000000000443000-memory.dmp (Filesize: 268KB)
  • memory/3912-14-0x0000000000510000-0x000000000051D000-memory.dmp (Filesize: 52KB)
  • memory/3912-4-0x0000000000520000-0x000000000052D000-memory.dmp (Filesize: 52KB)
  • memory/3912-5-0x0000000000510000-0x000000000051D000-memory.dmp (Filesize: 52KB)
  • memory/3912-6-0x0000000000530000-0x0000000000540000-memory.dmp (Filesize: 64KB)
  • memory/3912-0-0x0000000000520000-0x000000000052D000-memory.dmp (Filesize: 52KB)