Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-07-2024 14:36

Static task: static1
Behavioral task: behavioral1
Sample: 3dc75bc9ba57c18bf88663963bbb50c7_JaffaCakes118.dll
Resource: win7-20240704-en

General
Target: 3dc75bc9ba57c18bf88663963bbb50c7_JaffaCakes118.dll
Size: 609KB
MD5: 3dc75bc9ba57c18bf88663963bbb50c7
SHA1: e2cc25dd118d3aef3ff2ec1970ea39e2bd88b85f
SHA256: 65f14ae4b0e869f72896fc712347ddc8fe9466c2f1109924c0db5e1bbe66ca36
SHA512: 5c12cdf68a220286d55a1e74adb76e61fac620813e9d64def72ea50f0a7fda307312ce6c771a8a6e0a6fdff60f8fe38bbeecf94c1599e9f46430e9184c537972
SSDEEP: 12288:4YzchQVZnkmt/70MWugxPJZFpf0c1pHRbdJxUR9rNXZL4:L4KV5Hpt8bZHLHnM919
Malware Config
Extracted
Family: emotet
Botnet: Epoch3
C2 (ip:port):
190.55.186.229:80
203.157.152.9:7080
157.245.145.87:443
132.248.38.158:80
110.172.180.180:8080
70.32.89.105:8080
161.49.84.2:80
37.46.129.215:8080
50.116.78.109:8080
115.79.195.246:80
178.62.254.156:8080
175.103.38.146:80
188.226.165.170:8080
91.93.3.85:8080
162.144.145.58:8080
117.2.139.117:443
190.85.46.52:7080
201.193.160.196:80
152.32.75.74:443
195.201.56.70:8080
192.210.217.94:8080
91.83.93.103:443
172.104.46.84:8080
201.212.61.66:80
186.96.170.61:80
74.208.173.91:8080
182.73.7.59:8080
139.59.12.63:8080
211.110.229.161:8080
122.116.104.238:8443
223.17.215.76:80
195.159.28.244:8080
82.78.179.117:443
2.58.16.86:8080
65.32.168.171:80
58.27.215.3:8080
179.233.3.89:80
190.19.169.69:443
203.160.167.243:80
178.254.36.182:8080
202.29.237.113:8080
79.133.6.236:8080
103.93.220.182:80
88.58.209.2:80
24.230.124.78:80
203.56.191.129:8080
186.146.229.172:80
91.75.75.46:80
68.133.75.203:8080
103.229.73.17:8080
116.202.10.123:8080
139.59.61.215:443
46.105.131.68:8080
2.82.75.215:80
75.127.14.170:8080
120.51.34.254:80
185.142.236.163:443
139.5.101.203:80
203.153.216.178:7080
188.166.220.180:7080
178.33.167.120:8080
162.144.42.60:8080
201.163.74.204:80
103.80.51.61:8080
49.206.16.156:80
78.90.78.210:80
110.37.224.243:80
27.78.27.110:443
190.18.184.113:80
172.193.14.201:80
192.163.221.191:8080
157.7.164.178:8081
183.91.3.63:80
109.99.146.210:8080
54.38.143.245:8080
192.241.220.183:8080
180.148.4.130:8080
190.107.118.125:80
8.4.9.137:8080
163.53.204.180:443
143.95.101.72:8080
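The extracted config above is a flat list of ip:port pairs. The script below, added here as an example and not part of the sandbox report, turns such a list into a validated IOC set, checks it against constructed Zeek conn.log-style flow records, and emits Suricata rules. Only a subset of the Epoch3 C2 entries is embedded; the flow records, the 198.51.100.7 benign host, the sid base and the $HOME_NET variable are assumptions for the demonstration. Matching is on the exact ip:port pair by default because most entries sit on 80, 443 or 8080, where an IP-only match is noisier; the ip_only switch shows the difference.

```python
import ipaddress

# Subset of the Emotet Epoch3 C2 list extracted in the report above,
# one ip:port per line (the full list can be pasted in verbatim).
EMOTET_EPOCH3_C2 = """
190.55.186.229:80
203.157.152.9:7080
157.245.145.87:443
132.248.38.158:80
110.172.180.180:8080
122.116.104.238:8443
157.7.164.178:8081
"""

# Constructed Zeek conn.log-style records: ts, orig_h, orig_p, resp_h, resp_p, proto
# (tab separated). 198.51.100.7 is a documentation address standing in for benign traffic.
FLOW_LOG = (
    "1720795012.113\t10.0.0.23\t49715\t203.157.152.9\t7080\ttcp\n"
    "1720795013.402\t10.0.0.23\t49716\t157.245.145.87\t443\ttcp\n"
    "1720795015.877\t10.0.0.23\t49717\t157.245.145.87\t80\ttcp\n"
    "1720795020.005\t10.0.0.23\t49718\t198.51.100.7\t443\ttcp\n"
)


def parse_c2(text):
    """Parse 'ip:port' lines into a sorted, de-duplicated list of (ip, port).

    Malformed addresses and out-of-range ports are skipped rather than raising,
    so a pasted config with stray lines still yields a usable IOC set.
    """
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            continue
        try:
            ip = str(ipaddress.ip_address(host))
        except ValueError:
            continue
        p = int(port)
        if 0 < p < 65536:
            seen.add((ip, p))
    return sorted(seen, key=lambda t: (ipaddress.ip_address(t[0]), t[1]))


def match_flows(flow_text, c2, ip_only=False):
    """Return (ts, src, dst, dport) for every flow whose responder is a C2.

    By default the (ip, port) pair must match; with ip_only=True any port
    to a listed IP counts, which is broader but produces more false positives
    on shared web ports.
    """
    pairs = set(c2)
    ips = {ip for ip, _ in c2}
    hits = []
    for line in flow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        ts, src, _sport, dst, dport, _proto = fields[:6]
        try:
            port = int(dport)
        except ValueError:
            continue
        if (dst, port) in pairs or (ip_only and dst in ips):
            hits.append((ts, src, dst, port))
    return hits


def to_suricata(c2, base_sid=1000001, msg="Emotet Epoch3 C2"):
    """Emit one Suricata alert rule per C2 pair; base_sid is an assumed local range."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"{msg} {ip}:{port}"; flow:to_server; sid:{base_sid + i}; rev:1;)'
        for i, (ip, port) in enumerate(c2)
    ]


C2 = parse_c2(EMOTET_EPOCH3_C2)

if __name__ == "__main__":
    for hit in match_flows(FLOW_LOG, C2):
        print("C2 contact:", hit)
    print("\n".join(to_suricata(C2)))
```

The third constructed flow (157.245.145.87 on port 80) is deliberately a near miss: the config lists that host on 443, so it is reported only under ip_only matching.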
Signatures

Blocklisted process makes network request (6 IoCs)
flow  pid   process
1     5036  rundll32.exe
2     5036  rundll32.exe
3     5036  rundll32.exe
4     5036  rundll32.exe
5     5036  rundll32.exe
6     5036  rundll32.exe

Loads dropped DLL (2 IoCs)
pid   process
2616  rundll32.exe
5036  rundll32.exe

Drops file in System32 directory (1 IoC)
description                   ioc                                          process
File opened for modification  C:\Windows\SysWOW64\Ajiogtmft\czfhtyhv.uwq   rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   process
5036  rundll32.exe   (14 identical entries)

Suspicious behavior: RenamesItself (1 IoC)
pid   process
2940  rundll32.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                       pid   process       target process
PID 1276 wrote to memory of 2940  1276  rundll32.exe  rundll32.exe   (3 identical entries)
PID 2940 wrote to memory of 2616  2940  rundll32.exe  rundll32.exe   (3 identical entries)
PID 2616 wrote to memory of 5036  2616  rundll32.exe  rundll32.exe   (3 identical entries)
Processes

C:\Windows\system32\rundll32.exe  (PID 1276)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3dc75bc9ba57c18bf88663963bbb50c7_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe  (PID 2940)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3dc75bc9ba57c18bf88663963bbb50c7_JaffaCakes118.dll,#1
    - Drops file in System32 directory
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe  (PID 2616)
      C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ajiogtmft\czfhtyhv.uwq",wCVgSXjKHCtROAh
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\rundll32.exe  (PID 5036)
        C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ajiogtmft\czfhtyhv.uwq",#1
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
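The process tree shows the pattern worth alerting on: rundll32 spawning rundll32, the sample first run from the user's Temp directory, then the dropped copy loaded from a freshly created subdirectory of SysWOW64 under a non-DLL extension (.uwq) with a random export name, and finally by ordinal. Note that the PID 2616 and PID 5036 command lines name the same file: for a 32-bit process, C:\Windows\System32 is redirected to C:\Windows\SysWOW64 by the WOW64 file-system redirector. The detection below is added here as an example and is not part of the report or the sandbox's own signature logic; it runs over constructed Sysmon Event ID 1 style records modelled on the tree above (the parent of PID 1276 is not shown in the report and is left empty; the explorer.exe/shell32.dll control event is a constructed benign case).

```python
import ntpath

# Constructed Sysmon Event ID 1 style records modelled on the process tree
# in the report above; the final entry is a constructed benign control.
SAMPLE_EVENTS = [
    {"ProcessId": 1276, "ParentProcessId": 0, "ParentImage": "",
     "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\3dc75bc9ba57c18bf88663963bbb50c7_JaffaCakes118.dll,#1"},
    {"ProcessId": 2940, "ParentProcessId": 1276, "ParentImage": r"C:\Windows\system32\rundll32.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\3dc75bc9ba57c18bf88663963bbb50c7_JaffaCakes118.dll,#1"},
    {"ProcessId": 2616, "ParentProcessId": 2940, "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ajiogtmft\czfhtyhv.uwq",wCVgSXjKHCtROAh'},
    {"ProcessId": 5036, "ParentProcessId": 2616, "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ajiogtmft\czfhtyhv.uwq",#1'},
    {"ProcessId": 4444, "ParentProcessId": 1200, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
DLL_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}


def parse_rundll32_cmdline(cmdline):
    """Split 'rundll32.exe <module>,<entry>' into (module, entry).

    The module may be quoted (and then contain spaces) or bare; the entry is
    the first token after the comma that follows the module, or '' if absent.
    Returns None when the command line is not a rundll32 invocation.
    """
    tokens = cmdline.strip().split(None, 1)
    if not tokens or ntpath.basename(tokens[0].strip('"')).lower() != "rundll32.exe":
        return None
    rest = tokens[1].strip() if len(tokens) > 1 else ""
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end < 0:
            return rest[1:], ""
        module, tail = rest[1:end], rest[end + 1:]
    else:
        comma = rest.find(",")
        module, tail = (rest, "") if comma < 0 else (rest[:comma], rest[comma:])
    entry = ""
    if tail.startswith(",") and tail[1:].split():
        entry = tail[1:].split()[0]
    return module, entry


def assess_rundll32_event(ev):
    """Return the list of findings for one rundll32 process-creation event."""
    findings = []
    if ntpath.basename(ev["ParentImage"]).lower() == "rundll32.exe":
        findings.append("rundll32 spawned by rundll32")
    parsed = parse_rundll32_cmdline(ev["CommandLine"])
    if parsed is None:
        return findings
    module, entry = parsed
    low = module.lower()
    ext = ntpath.splitext(low)[1]
    if ext not in DLL_EXTS:
        findings.append(f"module has non-DLL extension {ext or '(none)'}")
    if low.startswith("c:\\users\\"):
        findings.append("module loaded from user-writable path")
    for sysdir in SYSTEM_DIRS:
        # A module directly in System32/SysWOW64 is normal; one in a
        # subdirectory of them is how this sample hides its dropped copy.
        if low.startswith(sysdir + "\\") and "\\" in low[len(sysdir) + 1:]:
            findings.append("module in a subdirectory of " + sysdir)
    if entry.startswith("#"):
        findings.append(f"ordinal entry point {entry}")
    return findings


def triage(events):
    """Map ProcessId -> findings for every rundll32 process-creation event."""
    return {ev["ProcessId"]: assess_rundll32_event(ev)
            for ev in events
            if ntpath.basename(ev["Image"]).lower() == "rundll32.exe"}


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        print(pid, findings or "no findings")
```

The ordinal-entry and user-path findings are low confidence on their own (installers and sandboxes both use them); the combination seen on PID 5036, rundll32-from-rundll32 plus a non-DLL extension in a System32 subdirectory, is what should page someone.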
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 609KB
MD5: 3dc75bc9ba57c18bf88663963bbb50c7
SHA1: e2cc25dd118d3aef3ff2ec1970ea39e2bd88b85f
SHA256: 65f14ae4b0e869f72896fc712347ddc8fe9466c2f1109924c0db5e1bbe66ca36
SHA512: 5c12cdf68a220286d55a1e74adb76e61fac620813e9d64def72ea50f0a7fda307312ce6c771a8a6e0a6fdff60f8fe38bbeecf94c1599e9f46430e9184c537972