Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    01-08-2024 17:04

General

  • Target

    814fd7dd657a0c3fdbd63dd762634a6d_JaffaCakes118.exe

  • Size

    138KB

  • MD5

    814fd7dd657a0c3fdbd63dd762634a6d

  • SHA1

    de67297a468a001d498d159f733ce0a2af09b47a

  • SHA256

    73076f6e3b3991be8b21d656e8447799b399c1991eef83d31a2c339994ed540b

  • SHA512

    63d668cf44e34f1637a11997b436fb000e4a5eef6cf0f2cd72077a03037bad865ab5819b2000bc38cb02bd356f4d8b0e5ed8dd588e77b865e6853be130db54c8

  • SSDEEP

    3072:iiUOvpJ/ogu1pMQWqNgL4xuEQsxqzdL1y2xknIk2d+:i3OvDowQWqi6LQd/y2xkH

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

67.10.155.92:80

38.111.46.46:8080

134.209.36.254:8080

162.241.242.173:8080

2.84.135.163:80

94.1.108.190:443

140.186.212.146:80

95.179.229.244:8080

200.114.213.233:8080

113.61.66.94:80

190.240.194.77:443

61.19.246.238:443

110.5.16.198:80

83.169.36.251:8080

37.187.72.193:8080

176.111.60.55:8080

85.105.205.77:8080

168.235.67.138:7080

200.123.150.89:443

87.106.139.101:8080

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet payload 3 IoCs

    Detects Emotet payload in memory.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\814fd7dd657a0c3fdbd63dd762634a6d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\814fd7dd657a0c3fdbd63dd762634a6d_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\AltTab\ieetwproxystub.exe
      "C:\Windows\SysWOW64\AltTab\ieetwproxystub.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2160

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\AltTab\ieetwproxystub.exe

    Filesize

    138KB

    MD5

    814fd7dd657a0c3fdbd63dd762634a6d

    SHA1

    de67297a468a001d498d159f733ce0a2af09b47a

    SHA256

    73076f6e3b3991be8b21d656e8447799b399c1991eef83d31a2c339994ed540b

    SHA512

    63d668cf44e34f1637a11997b436fb000e4a5eef6cf0f2cd72077a03037bad865ab5819b2000bc38cb02bd356f4d8b0e5ed8dd588e77b865e6853be130db54c8

  • memory/1744-7-0x0000000000230000-0x000000000023F000-memory.dmp

    Filesize

    60KB

  • memory/1744-4-0x0000000000260000-0x0000000000270000-memory.dmp

    Filesize

    64KB

  • memory/1744-0-0x0000000000240000-0x0000000000252000-memory.dmp

    Filesize

    72KB

  • memory/1744-8-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB