Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
10/09/2024, 16:57 UTC
Static task
static1
Behavioral task
behavioral1
Sample
d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe
-
Size
667KB
-
MD5
d8a4ac364862a116cff0520ca4da0dc8
-
SHA1
9041842d51c7e6f3e3c1750961d19ff8931dca92
-
SHA256
42697d259cee082f87e9ce9146fe30db05b3acf4c18c684d5674fa27b6d36ff3
-
SHA512
8ff9ecc7c80907f335668d1ae4790ddf87b3dc45ef9a0196a6e706ca742d33f0f4ea6e6beea5de255f63b90673704b5e5a4ff3118c488cfc71ecd3927f401585
-
SSDEEP
12288:76JJG//tnC5VCFSoDpaQlHfl6mCiWDaBMNCpbnG:76J6/tniVNoDgQVN6mCip9pbG
Malware Config
Extracted
emotet
Epoch1
202.22.141.45:80
37.187.161.206:8080
202.29.239.162:443
80.87.201.221:7080
82.76.111.249:443
216.47.196.104:80
192.241.143.52:8080
192.81.38.31:80
87.106.253.248:8080
64.201.88.132:80
192.241.146.84:8080
12.162.84.2:8080
1.226.84.243:8080
177.129.17.170:443
202.134.4.210:7080
70.169.17.134:80
152.169.22.67:80
5.196.35.138:7080
138.97.60.141:7080
203.205.28.68:80
83.169.21.32:7080
191.182.6.118:80
190.188.245.242:80
62.84.75.50:80
181.74.0.251:80
189.2.177.210:443
111.67.12.221:8080
188.135.15.49:80
217.13.106.14:8080
68.183.190.199:8080
178.250.54.208:8080
189.35.44.221:80
201.213.177.139:80
137.74.106.111:7080
177.73.0.98:443
70.32.84.74:8080
51.15.7.145:80
177.74.228.34:80
185.94.252.27:443
50.121.220.50:80
186.70.127.199:8090
85.214.26.7:8080
181.129.96.162:8080
70.32.115.157:8080
82.230.1.24:80
60.93.23.51:80
213.197.182.158:8080
149.202.72.142:7080
190.115.18.139:8080
72.167.223.217:8080
190.24.243.186:80
109.169.12.78:80
94.176.234.118:443
185.232.182.218:80
219.92.13.25:80
209.236.123.42:8080
119.106.216.84:80
51.255.165.160:8080
51.75.33.127:80
51.15.7.189:80
61.197.92.216:80
5.189.178.202:8080
172.104.169.32:8080
45.33.77.42:8080
98.13.75.196:80
74.58.215.226:80
68.183.170.114:8080
155.186.0.121:80
190.117.79.209:80
128.92.203.42:80
202.4.58.197:80
70.116.143.84:80
77.238.212.227:80
67.247.242.247:80
12.163.208.58:80
212.71.237.140:8080
46.43.2.95:8080
96.227.52.8:443
186.103.141.250:443
185.94.252.12:80
104.131.41.185:8080
45.46.37.97:80
95.9.180.128:80
87.106.46.107:8080
50.28.51.143:8080
65.36.62.20:80
35.143.99.174:80
51.38.124.206:80
185.183.16.47:80
181.30.61.163:443
170.81.48.2:80
74.136.144.133:80
Signatures
-
resource yara_rule behavioral2/memory/4576-1-0x0000000000740000-0x0000000000752000-memory.dmp emotet behavioral2/memory/4576-4-0x0000000002240000-0x0000000002250000-memory.dmp emotet behavioral2/memory/4576-7-0x0000000000610000-0x000000000061F000-memory.dmp emotet -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 4576 d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe 4576 d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe 4576 d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe 4576 d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe 4576 d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe 4576 d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe 4576 d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe 4576 d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe 4576 d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe 4576 d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe 4576 d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe 4576 d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe 4576 d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe 4576 d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe
Processes
Network
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request4.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request25.140.123.92.in-addr.arpaIN PTRResponse25.140.123.92.in-addr.arpaIN PTRa92-123-140-25deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request25.140.123.92.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request25.140.123.92.in-addr.arpaIN PTR
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
208 B 4
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
4.159.190.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
216 B 137 B 3 1
DNS Request
25.140.123.92.in-addr.arpa
DNS Request
25.140.123.92.in-addr.arpa
DNS Request
25.140.123.92.in-addr.arpa