Analysis
max time kernel: 141s
max time network: 145s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 29-08-2024 21:39
Behavioral task: behavioral1
Sample: c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe
Size: 474KB
MD5: c9afb54377f7916c283437a2c454b1f7
SHA1: b403c67faade94d1297475c73d1f237480cf2292
SHA256: 0ec4517f2ce8dc1685cd8ea3a2d6c17ed2b4fd90ee7461b03c0313b61f40c169
SHA512: 6d9a9bf0333d36016403bdedb2c3bc8246c6db595ced86c0d61f14d1875671c82ffc0cd869a5838cd8ea2c152c45df498bf6403a8f3b0a14dc7ab00790663075
SSDEEP: 6144:weFrEMus74tW3HvPgADDnz/HXnr/vYito7LFDPMTJYhr64Fg0:1tEMus70im7LFPMdV4Fg0
Malware Config
Extracted: emotet (Epoch3)
Signatures

Drops file in System32 directory (1 IoC)
Processes:
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (durableshell.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (durableshell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (durableshell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe)
Modifies data under HKEY_USERS (21 IoCs)
Processes (all by durableshell.exe):
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AF469138-DD2B-4F64-A17C-42E32B166255}\fe-ce-c6-af-2b-aa
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-ce-c6-af-2b-aa\WpadDecisionReason = "1"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AF469138-DD2B-4F64-A17C-42E32B166255}
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AF469138-DD2B-4F64-A17C-42E32B166255}\WpadDecisionTime = 002039055cfada01
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-ce-c6-af-2b-aa
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-ce-c6-af-2b-aa\WpadDecision = "0"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AF469138-DD2B-4F64-A17C-42E32B166255}\WpadDecisionReason = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AF469138-DD2B-4F64-A17C-42E32B166255}\WpadDecision = "0"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AF469138-DD2B-4F64-A17C-42E32B166255}\WpadNetworkName = "Network 3"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-ce-c6-af-2b-aa\WpadDecisionTime = 002039055cfada01
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
- PID 1448 durableshell.exe
- PID 1448 durableshell.exe
- PID 1448 durableshell.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
- PID 2480 c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe

Suspicious use of UnmapMainImage (4 IoCs)
Processes:
- PID 2244 c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe
- PID 2480 c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe
- PID 2264 durableshell.exe
- PID 1448 durableshell.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description / pid / process / target process):
- PID 2244 wrote to memory of 2480 / 2244 / c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe / c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe
- PID 2244 wrote to memory of 2480 / 2244 / c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe / c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe
- PID 2244 wrote to memory of 2480 / 2244 / c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe / c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe
- PID 2244 wrote to memory of 2480 / 2244 / c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe / c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe
- PID 2264 wrote to memory of 1448 / 2264 / durableshell.exe / durableshell.exe
- PID 2264 wrote to memory of 1448 / 2264 / durableshell.exe / durableshell.exe
- PID 2264 wrote to memory of 1448 / 2264 / durableshell.exe / durableshell.exe
- PID 2264 wrote to memory of 1448 / 2264 / durableshell.exe / durableshell.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe"
PID: 2244
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe (level 2, child of PID 2244)
    Command line: C:\Users\Admin\AppData\Local\Temp\c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe --61aad23b
    PID: 2480
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of UnmapMainImage

C:\Windows\SysWOW64\durableshell.exe (level 1)
Command line: "C:\Windows\SysWOW64\durableshell.exe"
PID: 2264
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\durableshell.exe (level 2, child of PID 2264)
    Command line: C:\Windows\SysWOW64\durableshell.exe --7432767
    PID: 1448
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage