Analysis
Max time kernel: 143s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29-08-2024 21:39
Behavioral task: behavioral1
Sample: c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe
Size: 474KB
MD5: c9afb54377f7916c283437a2c454b1f7
SHA1: b403c67faade94d1297475c73d1f237480cf2292
SHA256: 0ec4517f2ce8dc1685cd8ea3a2d6c17ed2b4fd90ee7461b03c0313b61f40c169
SHA512: 6d9a9bf0333d36016403bdedb2c3bc8246c6db595ced86c0d61f14d1875671c82ffc0cd869a5838cd8ea2c152c45df498bf6403a8f3b0a14dc7ab00790663075
SSDEEP: 6144:weFrEMus74tW3HvPgADDnz/HXnr/vYito7LFDPMTJYhr64Fg0:1tEMus70im7LFPMdV4Fg0
Malware Config
Extracted
Family: emotet
Botnet: Epoch3
Signatures

Drops file in System32 directory (4 IoCs)
Processes: hashcursor.exe
  description | ioc | process
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | hashcursor.exe
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | hashcursor.exe
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | hashcursor.exe
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | hashcursor.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe, hashcursor.exe
  description | ioc | process
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hashcursor.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hashcursor.exe
Modifies data under HKEY_USERS (3 IoCs)
Processes: hashcursor.exe
  description | ioc | process
  - Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | hashcursor.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | hashcursor.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | hashcursor.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: hashcursor.exe
  pid | process
  - 2440 | hashcursor.exe (12 identical entries)

Suspicious behavior: RenamesItself (1 IoCs)
Processes: c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe
  pid | process
  - 5052 | c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: AUDIODG.EXE
  description | pid | process
  - Token: 33 | 3980 | AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege | 3980 | AUDIODG.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe, hashcursor.exe
  description | pid | process | target process
  - PID 3356 wrote to memory of 5052 | 3356 | c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe | c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe (3 identical entries)
  - PID 748 wrote to memory of 2440 | 748 | hashcursor.exe | hashcursor.exe (3 identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3356
  - C:\Users\Admin\AppData\Local\Temp\c9afb54377f7916c283437a2c454b1f7_JaffaCakes118.exe --61aad23b
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    PID: 5052

- C:\Windows\system32\AUDIODG.EXE C:\Windows\system32\AUDIODG.EXE 0x4a0 0x338
  - Suspicious use of AdjustPrivilegeToken
  PID: 3980

- C:\Windows\SysWOW64\hashcursor.exe "C:\Windows\SysWOW64\hashcursor.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 748
  - C:\Windows\SysWOW64\hashcursor.exe --17df2ad6
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 2440