Analysis

  • max time kernel
    140s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-06-2024 11:37

General

  • Target

    b868fd2adf4ab2a8e34bdab7e247754d_JaffaCakes118.exe

  • Size

    524KB

  • MD5

    b868fd2adf4ab2a8e34bdab7e247754d

  • SHA1

    54d2ab9058d3f8962079f7a5fd1816db2467f06e

  • SHA256

    eeaf34e1e0d29c9813686ab047ac77009c35e984f60f7ab6126c88036214d416

  • SHA512

    9958d736b13dc7087888ae27aafab0ff5772bb46147b41e8393598b9ccb97c642381bf36f48c15613f83e43e6abad169ab277ce8868c21da829fd727fa58d0c9

  • SSDEEP

    12288:jd5NbNrpPekZ441WNcHnh4ZZFXsQOMyFQm:jddv1WNcHymF

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

174.113.69.136:80

51.38.124.206:80

82.196.15.205:8080

38.88.126.202:8080

190.115.18.139:8080

98.13.75.196:80

181.30.61.163:443

82.76.111.249:443

181.129.96.162:8080

74.58.215.226:80

68.69.155.181:80

188.135.15.49:80

190.163.31.26:80

50.121.220.50:80

51.159.23.217:443

2.47.112.152:80

185.215.227.107:443

217.13.106.14:8080

70.32.115.157:8080

170.81.48.2:80

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet payload 5 IoCs

    Detects Emotet payload in memory.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b868fd2adf4ab2a8e34bdab7e247754d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b868fd2adf4ab2a8e34bdab7e247754d_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Windows\SysWOW64\ROUTE\ShellCommonCommonProxyStub.exe
      "C:\Windows\SysWOW64\ROUTE\ShellCommonCommonProxyStub.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1424
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3048,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:8
    1⤵
      PID:880

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\ROUTE\ShellCommonCommonProxyStub.exe
      Filesize

      524KB

      MD5

      b868fd2adf4ab2a8e34bdab7e247754d

      SHA1

      54d2ab9058d3f8962079f7a5fd1816db2467f06e

      SHA256

      eeaf34e1e0d29c9813686ab047ac77009c35e984f60f7ab6126c88036214d416

      SHA512

      9958d736b13dc7087888ae27aafab0ff5772bb46147b41e8393598b9ccb97c642381bf36f48c15613f83e43e6abad169ab277ce8868c21da829fd727fa58d0c9

    • memory/1424-15-0x00000000006D0000-0x00000000006E0000-memory.dmp
      Filesize

      64KB

    • memory/1424-10-0x00000000009E0000-0x00000000009F2000-memory.dmp
      Filesize

      72KB

    • memory/4580-0-0x0000000000A50000-0x0000000000A62000-memory.dmp
      Filesize

      72KB

    • memory/4580-4-0x0000000000A70000-0x0000000000A80000-memory.dmp
      Filesize

      64KB

    • memory/4580-7-0x0000000000600000-0x000000000060F000-memory.dmp
      Filesize

      60KB

    • memory/4580-9-0x0000000000400000-0x0000000000487000-memory.dmp
      Filesize

      540KB