Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-07-2024 01:46

General

  • Target

    31710348963869972d277ab755c1d3bd_JaffaCakes118.exe

  • Size

    160KB

  • MD5

    31710348963869972d277ab755c1d3bd

  • SHA1

    7d6eb28a231c5ede078b5ba4085ff6c2aa6e82ba

  • SHA256

    7d746b414cb874189c64db632c4914dad2ad6251ee9e7842629b025291a304e0

  • SHA512

    784ccb732cdcd08d14f57d04d1447a7a29500c8ec966b7f918c11548f3b72d2d1f5fc04dce4666541697edfbebe742ef08746aefa6b65ed74ef044a14cae53c6

  • SSDEEP

    3072:Gj5biIjgM9Fl5NQaeJwGEr8UbPchbdyC:yNjgCFRe2xgI0hb

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2


rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet payload 5 IoCs

    Detects Emotet payload in memory.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31710348963869972d277ab755c1d3bd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\31710348963869972d277ab755c1d3bd_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3848
    • C:\Windows\SysWOW64\RstrtMgr\shfolder.exe
      "C:\Windows\SysWOW64\RstrtMgr\shfolder.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3896

Network

  • DNS 133.32.126.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 133.32.126.40.in-addr.arpa IN PTR
    Response:
  • DNS 205.47.74.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 205.47.74.20.in-addr.arpa IN PTR
    Response:
  • DNS 172.214.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 172.214.232.199.in-addr.arpa IN PTR
    Response:
  • DNS 14.227.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 14.227.111.52.in-addr.arpa IN PTR
    Response:
  • DNS 122.10.44.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 122.10.44.20.in-addr.arpa IN PTR
    Response:
  • 38.18.235.242:80
    shfolder.exe
    260 B
    5
  • 5.196.108.189:8080
    shfolder.exe
    260 B
    5
  • 121.124.124.40:7080
    shfolder.exe
    260 B
    200 B
    5
    5
  • 104.236.246.93:8080
    shfolder.exe
    260 B
    5
  • 113.61.66.94:80
    shfolder.exe
    260 B
    5
  • 120.150.60.189:80
    shfolder.exe
    260 B
    5
  • 91.211.88.52:7080
    shfolder.exe
    208 B
    4
  • 8.8.8.8:53
    133.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    133.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    205.47.74.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    205.47.74.20.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    122.10.44.20.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    122.10.44.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\RstrtMgr\shfolder.exe

    Filesize

    160KB

    MD5

    31710348963869972d277ab755c1d3bd

    SHA1

    7d6eb28a231c5ede078b5ba4085ff6c2aa6e82ba

    SHA256

    7d746b414cb874189c64db632c4914dad2ad6251ee9e7842629b025291a304e0

    SHA512

    784ccb732cdcd08d14f57d04d1447a7a29500c8ec966b7f918c11548f3b72d2d1f5fc04dce4666541697edfbebe742ef08746aefa6b65ed74ef044a14cae53c6

  • memory/3848-0-0x00000000008B0000-0x00000000008C2000-memory.dmp

    Filesize

    72KB

  • memory/3848-4-0x0000000000480000-0x0000000000490000-memory.dmp

    Filesize

    64KB

  • memory/3848-7-0x0000000000470000-0x000000000047F000-memory.dmp

    Filesize

    60KB

  • memory/3848-16-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3896-13-0x00000000004B0000-0x00000000004C0000-memory.dmp

    Filesize

    64KB

  • memory/3896-9-0x0000000000480000-0x0000000000492000-memory.dmp

    Filesize

    72KB
