Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/09/2024, 16:57 UTC

General

  • Target

    d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe

  • Size

    667KB

  • MD5

    d8a4ac364862a116cff0520ca4da0dc8

  • SHA1

    9041842d51c7e6f3e3c1750961d19ff8931dca92

  • SHA256

    42697d259cee082f87e9ce9146fe30db05b3acf4c18c684d5674fa27b6d36ff3

  • SHA512

    8ff9ecc7c80907f335668d1ae4790ddf87b3dc45ef9a0196a6e706ca742d33f0f4ea6e6beea5de255f63b90673704b5e5a4ff3118c488cfc71ecd3927f401585

  • SSDEEP

    12288:76JJG//tnC5VCFSoDpaQlHfl6mCiWDaBMNCpbnG:76J6/tniVNoDgQVN6mCip9pbG

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2


rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet payload 3 IoCs

    Detects Emotet payload in memory.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe (PID 4576)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses

Network

  • DNS (resolver 8.8.8.8:53): 28.118.140.52.in-addr.arpa IN PTR; no response recorded
  • DNS (resolver 8.8.8.8:53): 240.221.184.93.in-addr.arpa IN PTR; no response recorded
  • DNS (resolver 8.8.8.8:53): 4.159.190.20.in-addr.arpa IN PTR; no response recorded
  • DNS (resolver 8.8.8.8:53): 95.221.229.192.in-addr.arpa IN PTR; no response recorded
  • DNS (resolver 8.8.8.8:53): 104.219.191.52.in-addr.arpa IN PTR; no response recorded
  • DNS (resolver 8.8.8.8:53): 149.220.183.52.in-addr.arpa IN PTR; no response recorded
  • DNS (resolver 8.8.8.8:53): 50.23.12.20.in-addr.arpa IN PTR; no response recorded
  • DNS (resolver 8.8.8.8:53): 171.39.242.20.in-addr.arpa IN PTR; no response recorded
  • DNS (resolver 8.8.8.8:53): 25.140.123.92.in-addr.arpa IN PTR; response: 25.140.123.92.in-addr.arpa IN PTR a92-123-140-25.deploy.static.akamaitechnologies.com
  • DNS (resolver 8.8.8.8:53): 25.140.123.92.in-addr.arpa IN PTR (repeated query)
  • DNS (resolver 8.8.8.8:53): 25.140.123.92.in-addr.arpa IN PTR (repeated query)
  • 202.22.141.45:80: d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe, 260 B, 5
  • 37.187.161.206:8080: d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe, 260 B, 5
  • 202.29.239.162:443: d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe, 260 B, 5
  • 80.87.201.221:7080: d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe, 260 B, 5
  • 82.76.111.249:443: d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe, 260 B, 5
  • 216.47.196.104:80: d8a4ac364862a116cff0520ca4da0dc8_JaffaCakes118.exe, 208 B, 4
  • 8.8.8.8:53 (dns): 28.118.140.52.in-addr.arpa, 72 B, 158 B, 1, 1; DNS request: 28.118.140.52.in-addr.arpa
  • 8.8.8.8:53 (dns): 240.221.184.93.in-addr.arpa, 73 B, 144 B, 1, 1; DNS request: 240.221.184.93.in-addr.arpa
  • 8.8.8.8:53 (dns): 95.221.229.192.in-addr.arpa, 73 B, 144 B, 1, 1; DNS request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53 (dns): 4.159.190.20.in-addr.arpa, 71 B, 157 B, 1, 1; DNS request: 4.159.190.20.in-addr.arpa
  • 8.8.8.8:53 (dns): 104.219.191.52.in-addr.arpa, 73 B, 147 B, 1, 1; DNS request: 104.219.191.52.in-addr.arpa
  • 8.8.8.8:53 (dns): 149.220.183.52.in-addr.arpa, 73 B, 147 B, 1, 1; DNS request: 149.220.183.52.in-addr.arpa
  • 8.8.8.8:53 (dns): 50.23.12.20.in-addr.arpa, 70 B, 156 B, 1, 1; DNS request: 50.23.12.20.in-addr.arpa
  • 8.8.8.8:53 (dns): 171.39.242.20.in-addr.arpa, 72 B, 158 B, 1, 1; DNS request: 171.39.242.20.in-addr.arpa
  • 8.8.8.8:53 (dns): 25.140.123.92.in-addr.arpa, 216 B, 137 B, 3, 1; DNS requests: 25.140.123.92.in-addr.arpa (3 times)

MITRE ATT&CK Enterprise v15

Downloads

  • memory/4576-1-0x0000000000740000-0x0000000000752000-memory.dmp

    Filesize

    72KB

  • memory/4576-4-0x0000000002240000-0x0000000002250000-memory.dmp

    Filesize

    64KB

  • memory/4576-7-0x0000000000610000-0x000000000061F000-memory.dmp

    Filesize

    60KB
