Analysis Overview
SHA256
b6f2457e50dc2fdd2cf809ebf63577c7277e0e26bf8e87188572c01d96d48f97
Threat Level: Known bad
The file b750b69afc2060ebe72189e35206ee61_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Emotet
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-17 07:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 07:09
Reported
2024-06-17 07:11
Platform
win7-20240611-en
Max time kernel
144s
Max time network
153s
Command Line
Signatures
Emotet
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe | C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1916 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe | C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe |
| PID 1916 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe | C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe |
| PID 1916 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe | C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe |
| PID 1916 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe | C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe"
C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe
"C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe"
Network
| Country | Destination | Domain | Proto |
| US | 50.121.220.50:80 | tcp | |
| US | 50.121.220.50:80 | tcp | |
| PL | 51.75.33.122:80 | tcp | |
| PL | 51.75.33.122:80 | tcp | |
| FR | 54.37.42.48:8080 | tcp | |
| FR | 54.37.42.48:8080 | tcp | |
| FR | 91.121.54.71:8080 | tcp |
Files
memory/1916-5-0x0000000000350000-0x0000000000359000-memory.dmp
memory/1916-4-0x0000000000340000-0x0000000000341000-memory.dmp
memory/1916-0-0x0000000000360000-0x000000000036C000-memory.dmp
C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe
| MD5 | b750b69afc2060ebe72189e35206ee61 |
| SHA1 | 1f355fc7602c06d7d6993405dc390e14e694bbe5 |
| SHA256 | b6f2457e50dc2fdd2cf809ebf63577c7277e0e26bf8e87188572c01d96d48f97 |
| SHA512 | 12d80020d91bc67c40edf05b201913a509f98fd1905ba8ac8b05ebeb8c0ac25181d68b5840bc119f2bee1b13d4f0c3fe761d21c84175f8a75bd43926e32809cf |
memory/1916-7-0x0000000000400000-0x0000000000450000-memory.dmp
memory/2320-8-0x0000000000270000-0x000000000027C000-memory.dmp
memory/2320-12-0x0000000000270000-0x000000000027C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 07:09
Reported
2024-06-17 07:11
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Emotet
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 50.121.220.50:80 | tcp | |
| NL | 52.142.223.178:80 | tcp | |
| PL | 51.75.33.122:80 | tcp | |
| FR | 54.37.42.48:8080 | tcp | |
| FR | 91.121.54.71:8080 | tcp | |
| FR | 83.169.21.32:7080 | tcp | |
| CA | 68.69.155.181:80 | tcp |
Files
memory/4640-0-0x00000000007C0000-0x00000000007CC000-memory.dmp
memory/4640-5-0x00000000007B0000-0x00000000007B9000-memory.dmp
memory/4640-4-0x0000000000790000-0x0000000000791000-memory.dmp
memory/4640-6-0x00000000007C0000-0x00000000007CC000-memory.dmp