Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-06-2024 08:14

General

  • Target

    baad30cb86f86401906e4a3388239428_JaffaCakes118.exe

  • Size

    544KB

  • MD5

    baad30cb86f86401906e4a3388239428

  • SHA1

    3d5ef3aa9117c56e1399be3fe3cb4e7b922cb41d

  • SHA256

    98599cc704e7689ef5a8b9b13c4fab8f2fae50f0b776aa9c37633ab33232c63f

  • SHA512

    212c22efc3216c99d0d9eb0df8658d69da73e5efe229aa8d0d18f50db3f779133591d68d999fce1df9b3db9bacf39ddd462ef27dc9ab755a519be822f243a487

  • SSDEEP

    6144:ATp3XYyIMYUTgOBeWoavwiU5yu5g222222222222K7bqPe:ATp3XYBUEOBeGwiUA07bD

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

37.52.87.0:80

87.118.70.45:8080

91.121.54.71:8080

116.125.120.88:443

24.135.198.218:80

103.106.236.83:8080

219.92.13.25:80

89.32.150.160:8080

24.135.1.177:80

82.196.15.205:8080

190.147.137.153:443

170.81.48.2:80

51.159.23.217:443

77.55.211.77:8080

204.225.249.100:7080

191.182.6.118:80

188.2.217.94:80

61.92.159.208:8080

152.169.22.67:80

172.104.169.32:8080

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\baad30cb86f86401906e4a3388239428_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\baad30cb86f86401906e4a3388239428_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3272
    • C:\Windows\SysWOW64\vcomp120\winhttpcom.exe
      "C:\Windows\SysWOW64\vcomp120\winhttpcom.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\vcomp120\winhttpcom.exe
    Filesize

    544KB

    MD5

    baad30cb86f86401906e4a3388239428

    SHA1

    3d5ef3aa9117c56e1399be3fe3cb4e7b922cb41d

    SHA256

    98599cc704e7689ef5a8b9b13c4fab8f2fae50f0b776aa9c37633ab33232c63f

    SHA512

    212c22efc3216c99d0d9eb0df8658d69da73e5efe229aa8d0d18f50db3f779133591d68d999fce1df9b3db9bacf39ddd462ef27dc9ab755a519be822f243a487

  • memory/1372-7-0x00000000023E0000-0x00000000023EC000-memory.dmp
    Filesize

    48KB

  • memory/1372-11-0x00000000023E0000-0x00000000023EC000-memory.dmp
    Filesize

    48KB

  • memory/3272-0-0x00000000022A0000-0x00000000022AC000-memory.dmp
    Filesize

    48KB

  • memory/3272-4-0x00000000007F0000-0x00000000007F9000-memory.dmp
    Filesize

    36KB

  • memory/3272-6-0x0000000000400000-0x000000000048C000-memory.dmp
    Filesize

    560KB