Analysis Overview
SHA256
3f958042bb23e821df3e9a3a95c6fc27be6655d1bd89e2c4bb859aecd92c6ae5
Threat Level: Known bad
The file b267a08d8e8549d97a43a812795c6574_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Emotet
Emotet payload
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-16 07:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 07:46
Reported
2024-06-17 04:53
Platform
win7-20240611-en
Max time kernel
1798s
Max time network
1800s
Command Line
Signatures
Emotet
Emotet payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\dmdskmgr\winsockhc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\dmdskmgr\winsockhc.exe | C:\Users\Admin\AppData\Local\Temp\b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2872 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe | C:\Windows\SysWOW64\dmdskmgr\winsockhc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe"
C:\Windows\SysWOW64\dmdskmgr\winsockhc.exe
"C:\Windows\SysWOW64\dmdskmgr\winsockhc.exe"
Network
Files
memory/2872-0-0x0000000000240000-0x0000000000252000-memory.dmp
memory/2872-4-0x0000000000260000-0x0000000000270000-memory.dmp
memory/2872-7-0x0000000000230000-0x000000000023F000-memory.dmp
memory/2872-9-0x0000000000400000-0x0000000000451000-memory.dmp
C:\Windows\SysWOW64\dmdskmgr\winsockhc.exe
| MD5 | b267a08d8e8549d97a43a812795c6574 |
| SHA1 | 2c08e0add27dfba945195f74d28918fd7b3d3818 |
| SHA256 | 3f958042bb23e821df3e9a3a95c6fc27be6655d1bd89e2c4bb859aecd92c6ae5 |
| SHA512 | 3fe6fb4d1a85e6c6518c07c2ff29ee7817ec7e96f8d269f6262485b3cf7a794aa4661e40231c65eb31b2ea18f8f6950260e81b22e3250bb5a955432b7607b9a8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 07:46
Reported
2024-06-17 04:54
Platform
win10v2004-20240226-en
Max time kernel
1794s
Max time network
1802s
Command Line
Signatures
Emotet
Emotet payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3588 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
Files
memory/3220-0-0x00000000021C0000-0x00000000021D2000-memory.dmp
memory/3220-4-0x00000000021E0000-0x00000000021F0000-memory.dmp
memory/3220-7-0x0000000000640000-0x000000000064F000-memory.dmp
memory/2024-9-0x0000014FCD780000-0x0000014FCD790000-memory.dmp
memory/2024-25-0x0000014FCD880000-0x0000014FCD890000-memory.dmp
memory/2024-41-0x0000014FD5BF0000-0x0000014FD5BF1000-memory.dmp
memory/2024-43-0x0000014FD5C20000-0x0000014FD5C21000-memory.dmp
memory/2024-45-0x0000014FD5D30000-0x0000014FD5D31000-memory.dmp
memory/2024-44-0x0000014FD5C20000-0x0000014FD5C21000-memory.dmp