Analysis
max time kernel: 147s
max time network: 151s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2024 17:01

Static task: static1
Behavioral task: behavioral1
Sample: 7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: 7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe
Size: 124KB
MD5: 7076e0ee7067b569dd68459242fbf3c3
SHA1: 6c5fd714ddbdf1f2ccf4af9001836ca48ec60778
SHA256: 000376a4b234f57ae0f1fb959817486040d7d8d8be1fbcb627e0102147192fc6
SHA512: 8cca43a613a71a85427f62371e7a54b884070c0cd4ae19092a4d86120d46776326346b38d824cbff52256f596aa621ebeb20e5d52f841f8af97204fc134f76e4
SSDEEP: 1536:xv5a3UtQx1HWNe3dUXuQbwobwRBzT70IwSnX6hK4J3z46wTEEaP8tQhzc8:gUM1HWN2owSwRfweXdQD46wQEl2ho
Malware Config
Extracted
Family: emotet
Botnet: Epoch2
C2 (ip:port, 89 entries):
67.225.229.55:8080
185.14.187.201:8080
45.79.188.67:8080
62.75.187.192:8080
41.220.119.246:80
173.212.203.26:8080
80.11.163.139:443
211.63.71.72:8080
188.166.253.46:8080
115.78.95.230:443
63.142.253.122:8080
95.128.43.213:8080
189.209.217.49:80
149.167.86.174:990
88.156.97.210:80
142.44.162.209:8080
80.11.163.139:21
190.226.44.20:21
186.4.172.5:8080
212.71.234.16:8080
45.33.49.124:443
31.172.240.91:8080
5.196.74.210:8080
104.236.246.93:8080
182.176.132.213:8090
185.94.252.13:443
103.97.95.218:143
200.71.148.138:8080
186.75.241.230:80
201.251.43.69:8080
91.205.215.66:8080
178.254.6.27:7080
190.53.135.159:21
85.104.59.244:20
92.222.216.44:8080
159.65.25.128:8080
88.247.163.44:80
27.147.163.188:8080
149.202.153.252:8080
86.98.25.30:53
83.136.245.190:8080
190.145.67.134:8090
104.131.11.150:8080
103.255.150.84:80
92.233.128.13:143
138.201.140.110:8080
190.18.146.70:80
186.4.172.5:20
144.139.247.220:80
181.143.194.138:443
190.106.97.230:443
85.54.169.141:8080
87.106.136.232:8080
101.187.237.217:20
87.106.139.101:8080
78.188.105.159:21
217.160.182.191:8080
186.4.172.5:443
31.12.67.62:7080
190.228.72.244:53
136.243.177.26:8080
222.214.218.192:8080
45.123.3.54:443
190.211.207.11:443
94.205.247.10:80
187.144.189.58:50000
92.222.125.16:7080
46.105.131.87:80
27.4.80.183:443
178.79.161.166:443
119.15.153.237:80
206.189.98.125:8080
47.41.213.2:22
169.239.182.217:8080
85.106.1.166:50000
78.24.219.147:8080
37.157.194.134:443
190.108.228.48:990
190.186.203.55:80
124.240.198.66:80
182.176.106.43:995
181.143.53.227:21
181.31.213.158:8080
199.19.237.192:80
182.76.6.2:8080
179.32.19.219:22
24.51.106.145:21
217.145.83.44:80
87.230.19.21:8080
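The list above is only useful once it is matched against traffic, and two properties of it matter for that: many entries sit on ports that egress policies usually treat as benign (20, 21, 22, 53, 143, 990, 995, 50000), and the same host appears on several ports (186.4.172.5 on 8080, 20 and 443; 80.11.163.139 on 443 and 21). The following is an added example, not part of the sandbox report: it parses the extracted ip:port pairs and runs them over outbound-connection log lines, reporting an exact ip:port match as high confidence and an ip-only match as medium. The C2 pairs are a subset copied from the config above; the log lines, their key=value layout and the internal addresses are constructed for this example.

```python
"""Match outbound-connection log lines against the Emotet Epoch2 C2 list.

Added example, not part of the sandbox report. The ip:port pairs below are a
subset copied from the report's "Malware Config" section; the log lines and
their field layout (key=value, firewall style) are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Subset of the 89 extracted C2 pairs (copied from the report above).
EMOTET_EPOCH2_C2 = """
67.225.229.55:8080
185.14.187.201:8080
80.11.163.139:443
80.11.163.139:21
186.4.172.5:8080
186.4.172.5:20
186.4.172.5:443
86.98.25.30:53
187.144.189.58:50000
"""


def parse_c2_list(text: str) -> dict[str, set[int]]:
    """Parse 'ip:port' lines into {ip: {ports}}, skipping malformed lines."""
    c2: dict[str, set[int]] = {}
    for line in text.splitlines():
        host, sep, port = line.strip().rpartition(":")
        if not sep:
            continue
        try:
            ip = str(ipaddress.IPv4Address(host))  # normalises, rejects junk
            c2.setdefault(ip, set()).add(int(port))
        except ValueError:  # AddressValueError is a ValueError too
            continue
    return c2


# Constructed firewall-style log format used by this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    confidence: str  # "high": ip and port in config; "medium": ip only


def scan_log(lines, c2):
    """Return one Alert per line whose destination IP is a configured C2.

    A port mismatch is kept as a medium-confidence hit rather than dropped:
    the extracted config itself lists the same host on several ports."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            dst = str(ipaddress.IPv4Address(m["dst"]))
        except ValueError:
            continue
        ports = c2.get(dst)
        if ports is None:
            continue
        dport = int(m["dport"])
        alerts.append(Alert(m["ts"], m["src"], dst, dport,
                            "high" if dport in ports else "medium"))
    return alerts


SAMPLE_LOG = [  # constructed for this example, not taken from the report
    "2024-07-25T17:02:11Z src=10.0.0.15:49152 dst=80.11.163.139:443 proto=tcp action=allow",
    "2024-07-25T17:02:12Z src=10.0.0.15:49153 dst=142.250.74.46:443 proto=tcp action=allow",
    "2024-07-25T17:02:40Z src=10.0.0.15:49160 dst=186.4.172.5:8090 proto=tcp action=deny",
    "2024-07-25T17:03:05Z src=10.0.0.22:51000 dst=86.98.25.30:53 proto=tcp action=allow",
    "malformed line that the parser must skip",
]


def run_example():
    return scan_log(SAMPLE_LOG, parse_c2_list(EMOTET_EPOCH2_C2))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport} [{a.confidence}]")
```

The third sample line is the case worth keeping: a known C2 host on a port the config does not list is still worth a ticket, and a connection to 86.98.25.30 on 53 is not DNS just because of the port number.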
Signatures

Drops file in System32 directory (1 IoC)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (skipsvcs.exe)
  Note: config\systemprofile is the profile directory of the LocalSystem account, and SysWOW64 is where a 32-bit process sees it. The WinINet cache being written there indicates skipsvcs.exe is running in the LocalSystem context rather than under the user who launched the sample.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs; MITRE ATT&CK T1614.001)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (skipsvcs.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (skipsvcs.exe)
  Note: one read per process instance, for both the original file and the dropped copy. Reading NLS\Language is routine for legitimate software as well, so treat it as supporting evidence, not as an indicator on its own.
Modifies data under HKEY_USERS (25 IoCs; process for every entry: skipsvcs.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-06-76-18-74-9c\WpadDecision = "0"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A8AF6AF-DB85-4D79-A48A-AB7771DC14C7}\WpadDecisionTime = d08be256b4deda01
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A8AF6AF-DB85-4D79-A48A-AB7771DC14C7}\WpadNetworkName = "Network 3"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-06-76-18-74-9c\WpadDecisionReason = "1"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-06-76-18-74-9c\WpadDecisionTime = d08be256b4deda01
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-06-76-18-74-9c\WpadDecisionTime = d03b3491b4deda01
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (value empty in the report)
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A8AF6AF-DB85-4D79-A48A-AB7771DC14C7}\WpadDecisionTime = d03b3491b4deda01
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A8AF6AF-DB85-4D79-A48A-AB7771DC14C7}\WpadDecision = "0"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-06-76-18-74-9c
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-06-76-18-74-9c\WpadDetectedUrl (value empty in the report)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A8AF6AF-DB85-4D79-A48A-AB7771DC14C7}\6e-06-76-18-74-9c
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A8AF6AF-DB85-4D79-A48A-AB7771DC14C7}
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0099000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0099000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A8AF6AF-DB85-4D79-A48A-AB7771DC14C7}\WpadDecisionReason = "1"
  Note: all of these are WinINet housekeeping values (proxy auto-detection state, cache prefixes, connection settings), the kind written when a process issues its first HTTP request through WinINet. They land under HKU\.DEFAULT because skipsvcs.exe has no user profile of its own, which agrees with the counters.dat write under config\systemprofile above. The DefaultConnectionSettings blobs share the header 46000000 (format version 0x46), a change counter (2, 4 and 3) and the flags DWORD 09000000 = 0x01 (direct) | 0x08 (auto-detect), with empty proxy, bypass and PAC-URL strings: no proxy is configured, and the sample is left to WPAD discovery, which the WpadDecision/WpadDetectedUrl entries record as unresolved.
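To check the reading of the DefaultConnectionSettings values above rather than eyeball the hex, the following is an added example, not part of the sandbox report. It decodes the commonly documented layout of these REG_BINARY values (DWORD version 0x46, DWORD change counter, DWORD flags, then three length-prefixed ANSI strings for proxy server, bypass list and auto-config URL; the bytes after the strings are auto-detect bookkeeping that the decoder reports only as a count). The 56-byte blob is copied from the report; the encoder and the proxy-enabled blob built with it are assumptions added to show the string fields in use.

```python
"""Decode WinINet 'DefaultConnectionSettings' / 'SavedLegacySettings' blobs.

Added example, not part of the sandbox report. Layout decoded here: DWORD
version (0x46), DWORD change counter, DWORD flags, three length-prefixed
ANSI strings (proxy, bypass list, PAC URL), then auto-detect state that is
reported only as a trailing byte count. The encoder is this example's own
helper for building test values, not a Windows API.
"""
import struct

FLAG_DIRECT = 0x01      # use a direct connection
FLAG_PROXY = 0x02       # use the manually configured proxy server
FLAG_AUTOCONFIG = 0x04  # use the auto-configuration (PAC) URL
FLAG_AUTODETECT = 0x08  # automatically detect settings (WPAD)

FLAG_NAMES = {FLAG_DIRECT: "direct", FLAG_PROXY: "manual_proxy",
              FLAG_AUTOCONFIG: "autoconfig", FLAG_AUTODETECT: "autodetect"}

# First DefaultConnectionSettings value written by skipsvcs.exe under
# HKU\.DEFAULT, copied from the report (56 bytes, split over two lines).
REPORT_DEFAULT_CONNECTION_SETTINGS = (
    "46000000020000000900000000000000000000000000000000000000"
    "00000000000000000000000000000000000000000000000000000000"
)


def describe_flags(flags: int) -> list[str]:
    """Names of the connection modes set in the flags DWORD, in bit order."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def decode_connection_settings(hexblob: str) -> dict:
    """Parse the hex string of the REG_BINARY value into its fields."""
    raw = bytes.fromhex("".join(hexblob.split()))
    if len(raw) < 24:
        raise ValueError("blob shorter than the 24-byte fixed header")
    version, counter, flags = struct.unpack_from("<III", raw, 0)
    if version != 0x46:
        raise ValueError(f"unexpected version 0x{version:02x}")
    off, fields = 12, []
    for _ in range(3):  # proxy server, bypass list, PAC URL
        (n,) = struct.unpack_from("<I", raw, off)
        off += 4
        if off + n > len(raw):
            raise ValueError("string length runs past end of blob")
        fields.append(raw[off:off + n].decode("latin-1"))
        off += n
    proxy, bypass, pac_url = fields
    return {
        "counter": counter,
        "flags": flags,
        "modes": describe_flags(flags),
        "proxy": proxy,
        "bypass": bypass,
        "pac_url": pac_url,
        "trailing_bytes": len(raw) - off,
    }


def encode_connection_settings(counter, flags, proxy="", bypass="", pac_url=""):
    """Inverse of decode_connection_settings: header, three length-prefixed
    strings, then 32 zero bytes of auto-detect state. Example helper only."""
    body = struct.pack("<III", 0x46, counter, flags)
    for s in (proxy, bypass, pac_url):
        data = s.encode("latin-1")
        body += struct.pack("<I", len(data)) + data
    return (body + bytes(32)).hex()


if __name__ == "__main__":
    print(decode_connection_settings(REPORT_DEFAULT_CONNECTION_SETTINGS))
```

Run against the report's value this yields counter 2, flags 0x09 (direct + autodetect) and three empty strings; the later blobs with counters 4 and 3 carry the same header and flags and differ only in the auto-detect region. A blob whose decoded modes include manual_proxy or autoconfig with a non-empty proxy or PAC URL in the .DEFAULT hive is a different finding (a process redirecting SYSTEM's web traffic) and would deserve its own signature.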
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 2216 skipsvcs.exe (4 occurrences)

Suspicious behavior: RenamesItself (1 IoC)
- PID 2508 7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe
  Note: this is the relaunched copy of the sample; the rename is consistent with the C:\Windows\SysWOW64\skipsvcs.exe image that appears as a separate root in the process tree below, although the report does not show the file write itself.

Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 2348 7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe
- PID 2508 7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe
- PID 1704 skipsvcs.exe
- PID 2216 skipsvcs.exe

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2348 (7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe) wrote to memory of PID 2508, target process index 31 (4 occurrences)
- PID 1704 (skipsvcs.exe) wrote to memory of PID 2216, target process index 33 (4 occurrences)
  Note: every write goes from a parent into the child it has just spawned (compare the process tree below). Process creation itself writes the startup parameters into the new process, so this pattern on its own does not establish code injection, and no write into an unrelated process is recorded.
Processes

1. C:\Users\Admin\AppData\Local\Temp\7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe"
   PID: 2348
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe
      Command line argument (as recorded): --cac2d572
      PID: 2508
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: RenamesItself
      - Suspicious use of SetWindowsHookEx

1. C:\Windows\SysWOW64\skipsvcs.exe
   Command line: "C:\Windows\SysWOW64\skipsvcs.exe"
   PID: 1704
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\skipsvcs.exe
      Command line argument (as recorded): --52218024
      PID: 2216
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

Both chains follow the same shape: a process starts a second instance of its own image with a single eight-character argument (--cac2d572, --52218024), and it is the second instance that does the work. The second root, skipsvcs.exe, has no recorded parent and the report contains no service-installation event, so how it was started is not visible here; its SysWOW64 location, the writes under the LocalSystem profile and the HKU\.DEFAULT registry activity are what tie it to a SYSTEM-level context.
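The self-relaunch shape described above is the piece of this report that transfers directly into endpoint telemetry. The following is an added example, not part of the sandbox report: a detection over process-creation events that flags a child whose image equals its parent's image and whose only argument is an eight-hex-digit "--" tag, then lists which of the flagged images live in a Windows system directory. The PIDs, image paths and arguments come from the tree above; the event layout, the parent PIDs of the two roots, the explorer.exe ancestor and the benign svchost/cmd events are assumptions constructed for this example.

```python
"""Flag the self-relaunch pattern seen in the process tree above.

Added example, not part of the sandbox report. Event records are constructed
to mirror the tree: PIDs, images and arguments are taken from the report;
the Sysmon-like field layout, the root processes' parents and the benign
events are assumptions made for this example.
"""
import ntpath
import re
from dataclasses import dataclass

SELF_RELAUNCH_ARG = re.compile(r"^--[0-9a-f]{8}$")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def _args(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping double-quoted tokens intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def find_self_relaunch(events):
    """Return (parent, child) pairs where a process starts a copy of its own
    image with exactly one '--xxxxxxxx' argument, as both chains above do."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue  # parent not in the window; nothing to compare against
        same_image = ntpath.normcase(parent.image) == ntpath.normcase(child.image)
        args = _args(child.cmdline)[1:]  # drop argv[0]
        if same_image and len(args) == 1 and SELF_RELAUNCH_ARG.match(args[0]):
            hits.append((parent, child))
    return hits


def dropped_copies(events, hits):
    """Images among the flagged children that sit under a Windows system
    directory, i.e. the persisted copy rather than the original sample."""
    sysdirs = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
    return sorted({c.image for _, c in hits
                   if ntpath.normcase(c.image).startswith(sysdirs)})


TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe"
SVC_EXE = r"C:\Windows\SysWOW64\skipsvcs.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
CMD = r"C:\Windows\System32\cmd.exe"

SAMPLE_EVENTS = [  # constructed; parent PIDs of the roots are assumed
    ProcEvent(1456, 1020, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    ProcEvent(2348, 1456, TEMP_EXE, f'"{TEMP_EXE}"'),
    ProcEvent(2508, 2348, TEMP_EXE, f'"{TEMP_EXE}" --cac2d572'),
    ProcEvent(1704, 0, SVC_EXE, f'"{SVC_EXE}"'),  # parent not recorded in the report
    ProcEvent(2216, 1704, SVC_EXE, f'"{SVC_EXE}" --52218024'),
    # benign same-image children that must not fire: service-group and shell args
    ProcEvent(880, 0, SVCHOST, f"{SVCHOST} -k netsvcs"),
    ProcEvent(900, 880, SVCHOST, f"{SVCHOST} -k LocalServiceNetworkRestricted"),
    ProcEvent(3100, 1456, CMD, 'cmd.exe /c "echo hello"'),
    ProcEvent(3120, 3100, CMD, "cmd.exe /c dir"),
]

if __name__ == "__main__":
    found = find_self_relaunch(SAMPLE_EVENTS)
    for p, c in found:
        print(f"{p.pid} -> {c.pid}: {c.cmdline}")
    print("persisted copies:", dropped_copies(SAMPLE_EVENTS, found))
```

The rule keys on the argument shape rather than on the file name, because the name in SysWOW64 is not stable across samples while the one-argument relaunch is what this report shows twice; the svchost and cmd events are there to confirm that ordinary same-image children with real arguments stay quiet.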