Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2024 17:01

Static task: static1
Behavioral task: behavioral1
- Sample: 7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe
- Resource: win7-20240704-en
General

Target: 7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe
Size: 124KB
MD5: 7076e0ee7067b569dd68459242fbf3c3
SHA1: 6c5fd714ddbdf1f2ccf4af9001836ca48ec60778
SHA256: 000376a4b234f57ae0f1fb959817486040d7d8d8be1fbcb627e0102147192fc6
SHA512: 8cca43a613a71a85427f62371e7a54b884070c0cd4ae19092a4d86120d46776326346b38d824cbff52256f596aa621ebeb20e5d52f841f8af97204fc134f76e4
SSDEEP: 1536:xv5a3UtQx1HWNe3dUXuQbwobwRBzT70IwSnX6hK4J3z46wTEEaP8tQhzc8:gUM1HWN2owSwRfweXdQD46wQEl2ho
Malware Config

Extracted: emotet, Epoch2
Signatures

Drops file in System32 directory (4 IoCs)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (enginechx.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (enginechx.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (enginechx.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (enginechx.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (enginechx.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (enginechx.exe)
Modifies data under HKEY_USERS (3 IoCs)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (enginechx.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (enginechx.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (enginechx.exe)

Suspicious behavior: EnumeratesProcesses (12 IoCs)
- PID 1280 enginechx.exe (12 identical entries)

Suspicious behavior: RenamesItself (1 IoCs)
- PID 4212 7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 3804 7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe
- PID 4212 7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe
- PID 3460 enginechx.exe
- PID 1280 enginechx.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3804 wrote to memory of 4212: pid 3804, 7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe, procid_target 84 (3 identical entries)
- PID 3460 wrote to memory of 1280: pid 3460, enginechx.exe, procid_target 94 (3 identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe"
  PID: 3804
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe (child of PID 3804)
    Command line: C:\Users\Admin\AppData\Local\Temp\7076e0ee7067b569dd68459242fbf3c3_JaffaCakes118.exe --cac2d572
    PID: 4212
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx

- C:\Windows\SysWOW64\enginechx.exe
  Command line: "C:\Windows\SysWOW64\enginechx.exe"
  PID: 3460
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\enginechx.exe (child of PID 3460)
    Command line: C:\Windows\SysWOW64\enginechx.exe --ba318aa7
    PID: 1280
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx