Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-08-2024 04:57

General

  • Target

    84e047c50ee442f76d67cdd43a2fff80_JaffaCakes118.dll

  • Size

    614KB

  • MD5

    84e047c50ee442f76d67cdd43a2fff80

  • SHA1

    a746e8c206cadc548f4cdb8631bd009fc0b02143

  • SHA256

    a7419993b8a0708057d31a815a63e3beb3f4c7104f888f18be0a9f980805a999

  • SHA512

    4b4091592294767f2c1ecd44c981267f13befee23cb2acb0601c0b408eadbe245f1e63cb46207f83ced1857e26dfbcc0b4e19f4d1d64cda70cdcb5bbf328bca6

  • SSDEEP

    12288:SYzchQVZnkmt/70MWugxPJZFpf0c1pHjbdJrs2xnd:d4KV5Hpt8bZHLtCA

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

69.38.130.14:80

195.159.28.230:8080

162.241.204.233:8080

181.165.68.127:80

49.205.182.134:80

190.251.200.206:80

139.59.60.244:8080

119.59.116.21:8080

89.216.122.92:80

185.94.252.104:443

70.92.118.112:80

78.24.219.147:8080

173.70.61.180:80

87.106.139.101:8080

66.57.108.14:443

24.179.13.119:80

121.124.124.40:7080

61.19.246.238:443

200.116.145.225:443

93.146.48.84:80

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Blocklisted process makes network request (7 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\84e047c50ee442f76d67cdd43a2fff80_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\84e047c50ee442f76d67cdd43a2fff80_JaffaCakes118.dll,#1
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2852

Network

  • 69.38.130.14:80
    rundll32.exe
    152 B
    3
  • 69.38.130.14:80
    rundll32.exe
    152 B
    3
  • 195.159.28.230:8080
    rundll32.exe
    152 B
    3
  • 195.159.28.230:8080
    rundll32.exe
    152 B
    3
  • 162.241.204.233:8080
    rundll32.exe
    152 B
    3
  • 162.241.204.233:8080
    rundll32.exe
    152 B
    3
  • 181.165.68.127:80
    rundll32.exe
    52 B
    1

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2852-1-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2852-0-0x00000000001A0000-0x00000000001C6000-memory.dmp

    Filesize

    152KB

  • memory/2852-2-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

  • memory/2852-4-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2852-7-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB
