Analysis Overview
SHA256
dda9f44bce3400c926aa5263bf9640dbdb6599f5f33db219deac1da0de4568fa
Threat Level: Known bad
The file b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Emotet
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Analysis: static1
Detonation Overview
Reported
2024-06-17 19:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 19:47
Reported
2024-06-17 19:50
Platform
win7-20240419-en
Max time kernel
139s
Max time network
149s
Signatures
Emotet
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\wsatrns.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-0d-03-16-96-cc | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F}\32-0d-03-16-96-cc | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F} | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-0d-03-16-96-cc\WpadDecision = "0" | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00dc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-0d-03-16-96-cc\WpadDecisionTime = e0db3149efc0da01 | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-0d-03-16-96-cc\WpadDecisionReason = "1" | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F}\WpadDecisionTime = e0db3149efc0da01 | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F}\WpadDecision = "0" | C:\Windows\SysWOW64\wsatrns.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wsatrns.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wsatrns.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wsatrns.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe
--e879b88c
C:\Windows\SysWOW64\wsatrns.exe
"C:\Windows\SysWOW64\wsatrns.exe"
C:\Windows\SysWOW64\wsatrns.exe
--c0e3ccde
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 63.248.198.8:80 | | tcp |
| US | 63.248.198.8:80 | | tcp |
| BR | 189.19.81.181:443 | | tcp |
| BR | 189.19.81.181:443 | | tcp |
| BG | 130.204.247.253:80 | | tcp |
| BG | 130.204.247.253:80 | | tcp |
Files
memory/1992-5-0x00000000002B0000-0x00000000002C1000-memory.dmp
memory/1992-0-0x00000000002D0000-0x00000000002E7000-memory.dmp
memory/2412-6-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/2412-7-0x00000000002E0000-0x00000000002F7000-memory.dmp
memory/1780-12-0x0000000000340000-0x0000000000357000-memory.dmp
memory/2412-17-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2440-18-0x00000000003C0000-0x00000000003D7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 19:47
Reported
2024-06-17 19:50
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
149s
Signatures
Emotet
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\SysWOW64\hantprint.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\SysWOW64\hantprint.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\SysWOW64\hantprint.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\SysWOW64\hantprint.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\hantprint.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\hantprint.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\hantprint.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\hantprint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hantprint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hantprint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hantprint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hantprint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hantprint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hantprint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hantprint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hantprint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hantprint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hantprint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hantprint.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hantprint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hantprint.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1924 wrote to memory of 3860 | N/A | C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe |
| PID 1924 wrote to memory of 3860 | N/A | C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe |
| PID 1924 wrote to memory of 3860 | N/A | C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe |
| PID 1548 wrote to memory of 4224 | N/A | C:\Windows\SysWOW64\hantprint.exe | C:\Windows\SysWOW64\hantprint.exe |
| PID 1548 wrote to memory of 4224 | N/A | C:\Windows\SysWOW64\hantprint.exe | C:\Windows\SysWOW64\hantprint.exe |
| PID 1548 wrote to memory of 4224 | N/A | C:\Windows\SysWOW64\hantprint.exe | C:\Windows\SysWOW64\hantprint.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe
--e879b88c
C:\Windows\SysWOW64\hantprint.exe
"C:\Windows\SysWOW64\hantprint.exe"
C:\Windows\SysWOW64\hantprint.exe
--4abf4a64
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 63.248.198.8:80 | | tcp |
| BR | 189.19.81.181:443 | | tcp |
| BG | 130.204.247.253:80 | | tcp |
| US | 96.126.121.64:443 | | tcp |
| US | 104.236.137.72:8080 | | tcp |
| GB | 85.234.143.94:8080 | | tcp |
Files
memory/1924-0-0x0000000002210000-0x0000000002211000-memory.dmp
memory/1924-1-0x0000000002380000-0x0000000002397000-memory.dmp
memory/1924-6-0x0000000002360000-0x0000000002371000-memory.dmp
memory/3860-7-0x0000000002220000-0x0000000002237000-memory.dmp
memory/1548-13-0x0000000000CE0000-0x0000000000CF7000-memory.dmp
memory/4224-19-0x0000000000590000-0x00000000005A7000-memory.dmp
memory/3860-24-0x0000000000400000-0x0000000000438000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\01edac8cae020cd42786e051ebe37b67_6833eb7b-8d4b-4cdd-9502-9bbf7fc1cf9f
| Algorithm | Hash |
| --- | --- |
| MD5 | 5f22af36aff2e43cacf9a56ba4166900 |
| SHA1 | 914ede992f5edd5523a3a127a88f7bca60c69665 |
| SHA256 | e0671a7dbf4fca7d937ff1300471c5823a57786710faba9f85daf9e843281e3a |
| SHA512 | f7fd666c6dcdae2bf235bb2b00791cf00519579e3181e5e3fd67e70c9a4027d48335b6498f6116efa5e513b7750b0eebeb484a63555d277939923bb48d4f3bc8 |