Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/09/2024, 18:39 UTC

General

  • Target

    d8d18567b40fbee90913a4b008b88e7c_JaffaCakes118.exe

  • Size

    288KB

  • MD5

    d8d18567b40fbee90913a4b008b88e7c

  • SHA1

    68be501b78a3061002d8408266158133e4a828be

  • SHA256

    8408c508c573b2ebdb26edeb8d1b3af69b3332eba46fce8d709e57fbbbd05996

  • SHA512

    1f53133012ed28913cbb12bf18e5ee017d66b99d8eabd1ed8396c9e8711a62fbacdffbb461489f1407393fd8616c7890e6ded43ad522a1a873dee0f2d826d632

  • SSDEEP

    3072:xgtXFcfm+C/fVYUu891mdExP/LOGKSmeHgA+QbigANLtWLaNdVwdociDtKZ+Hqls:xgtX6i/fmUu7dE1L5TmBNNVLtKXDbmS

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

190.192.39.136:80

5.189.168.53:8080

162.241.41.111:7080

190.85.46.52:7080

190.190.15.20:80

181.95.133.104:80

41.212.89.128:80

115.176.16.221:80

143.95.101.72:8080

75.127.14.170:8080

116.202.10.123:8080

74.208.173.91:8080

103.93.220.182:80

50.116.78.109:8080

67.121.104.51:20

180.26.62.115:443

139.59.12.63:8080

76.18.16.210:80

113.161.148.81:80

5.79.70.250:8080

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
-----END PUBLIC KEY-----
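The key above is a standard PEM-armoured SubjectPublicKeyInfo, so it can be decoded with nothing but the Python standard library to recover what the report does not print: modulus size, public exponent and a stable fingerprint. Emotet bots use the embedded RSA key to wrap the symmetric session key sent to the C2, and each epoch shipped its own key, so the SPKI fingerprint is a useful pivot when clustering extracted configs. The following is an added example, not code from the report or from the sandbox vendor; the function and constant names are my own, and the PEM text is copied verbatim from the config block above.

```python
# Added example (not from the report): decode the Epoch3 RSA public key above
# with the standard library only, recovering key size, exponent and fingerprint.
import base64
import hashlib

# Key text copied from the "Malware Config" section of this report.
EPOCH3_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
-----END PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
TAG_INTEGER, TAG_BIT_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x03, 0x06, 0x30


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the SubjectPublicKeyInfo."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def read_tlv(buf: bytes, pos: int, want_tag: int):
    """Parse one DER tag-length-value at buf[pos]; return (value, offset after it)."""
    if pos >= len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = width of the length field
        width = length & 0x7F
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length


def parse_rsa_public_key(pem: str) -> dict:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey {n, e} (RFC 5280 / RFC 8017)."""
    der = pem_to_der(pem)
    spki, end = read_tlv(der, 0, TAG_SEQUENCE)
    if end != len(der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    alg, pos = read_tlv(spki, 0, TAG_SEQUENCE)          # AlgorithmIdentifier
    oid, _ = read_tlv(alg, 0, TAG_OID)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bits, _ = read_tlv(spki, pos, TAG_BIT_STRING)       # subjectPublicKey
    if bits[0] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    rsa_pub, _ = read_tlv(bits, 1, TAG_SEQUENCE)        # RSAPublicKey
    n_bytes, pos = read_tlv(rsa_pub, 0, TAG_INTEGER)
    e_bytes, _ = read_tlv(rsa_pub, pos, TAG_INTEGER)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "modulus_hex": f"{n:x}",
        # SHA-256 over the DER SPKI: a stable per-epoch fingerprint for clustering configs
        "spki_sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    info = parse_rsa_public_key(EPOCH3_PUBKEY_PEM)
    print(f"RSA-{info['modulus_bits']}, e={info['exponent']}, "
          f"spki sha256={info['spki_sha256']}")
```

Running it against the key above reports a 768-bit modulus with e = 65537; a key that short is itself a signature of this era of Emotet configs and is worth checking before trusting a decoder that assumes 2048-bit keys.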

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet payload (3 IoCs)

    Detects Emotet payload in memory.

  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001).

  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8d18567b40fbee90913a4b008b88e7c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d8d18567b40fbee90913a4b008b88e7c_JaffaCakes118.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1220

Network

  • DNS 97.17.167.52.in-addr.arpa, PTR via 8.8.8.8:53 (US): empty response
  • DNS 69.31.126.40.in-addr.arpa, PTR via 8.8.8.8:53 (US): empty response
  • DNS 90.210.23.2.in-addr.arpa, PTR via 8.8.8.8:53 (US): a2-23-210-90.deploy.static.akamaitechnologies.com
  • DNS 95.221.229.192.in-addr.arpa, PTR via 8.8.8.8:53 (US): empty response
  • DNS 13.86.106.20.in-addr.arpa, PTR via 8.8.8.8:53 (US): empty response
  • DNS 58.55.71.13.in-addr.arpa, PTR via 8.8.8.8:53 (US): empty response
  • DNS 183.59.114.20.in-addr.arpa, PTR via 8.8.8.8:53 (US): empty response
  • DNS 18.31.95.13.in-addr.arpa, PTR via 8.8.8.8:53 (US): empty response
  • DNS 240.221.184.93.in-addr.arpa, PTR via 8.8.8.8:53 (US): empty response
  • DNS 193.142.123.92.in-addr.arpa, PTR via 8.8.8.8:53 (US): a92-123-142-193.deploy.static.akamaitechnologies.com
  • DNS 13.227.111.52.in-addr.arpa, PTR via 8.8.8.8:53 (US): empty response
  (sample = d8d18567b40fbee90913a4b008b88e7c_JaffaCakes118.exe; "-" marks a cell left blank in the report)

  Remote address        Request / process              Protocol  Sent   Received  Pkts sent  Pkts received
  190.192.39.136:80     sample                         -         260 B  -         5          -
  5.189.168.53:8080     sample                         -         260 B  -         5          -
  162.241.41.111:7080   sample                         -         260 B  -         5          -
  52.111.243.31:443     -                              -         322 B  -         7          -
  190.85.46.52:7080     sample                         -         260 B  -         5          -
  190.190.15.20:80      sample                         -         260 B  -         5          -
  181.95.133.104:80     sample                         -         260 B  -         5          -
  8.8.8.8:53            97.17.167.52.in-addr.arpa      dns       71 B   145 B     1          1
  8.8.8.8:53            69.31.126.40.in-addr.arpa      dns       71 B   157 B     1          1
  8.8.8.8:53            90.210.23.2.in-addr.arpa       dns       70 B   133 B     1          1
  8.8.8.8:53            95.221.229.192.in-addr.arpa    dns       73 B   144 B     1          1
  8.8.8.8:53            13.86.106.20.in-addr.arpa      dns       71 B   157 B     1          1
  8.8.8.8:53            58.55.71.13.in-addr.arpa       dns       70 B   144 B     1          1
  8.8.8.8:53            183.59.114.20.in-addr.arpa     dns       72 B   158 B     1          1
  8.8.8.8:53            18.31.95.13.in-addr.arpa       dns       70 B   144 B     1          1
  8.8.8.8:53            240.221.184.93.in-addr.arpa    dns       73 B   144 B     1          1
  8.8.8.8:53            193.142.123.92.in-addr.arpa    dns       73 B   139 B     1          1
  8.8.8.8:53            13.227.111.52.in-addr.arpa     dns       72 B   158 B     1          1
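The useful read of this table comes from cross-referencing it with the extracted config. The six addresses the sample connected to are exactly the first six C2 entries, in config order, so the bot worked down its list until the 148 s window ran out; each attempt sent 260 B in 5 packets with the received columns blank. 52 B per packet is the size of an IPv4 TCP SYN carrying the option set Windows sends by default, so these read as unanswered SYN retransmissions, an inference from the byte counts alone since the report shows no pcap. The 52.111.243.31:443 row is attributed to no process and is not in the config, and the PTR lookups to 8.8.8.8 likewise carry no process, so neither should go into an IOC set for this sample. The following script does that triage as an added example (not part of the report); the rows are transcribed from the table above with blank cells read as 0, and the names and the 52-byte heuristic are my own.

```python
# Added example (not from the report): cross-reference the sandbox's connection
# table with the extracted Epoch3 C2 list. Rows are transcribed from the report
# above with blank cells read as 0; nothing here touches the network.
from dataclasses import dataclass
from typing import Optional

SAMPLE = "d8d18567b40fbee90913a4b008b88e7c_JaffaCakes118.exe"

# C2 entries exactly as listed under "Malware Config", in config order.
EPOCH3_C2 = [
    "190.192.39.136:80", "5.189.168.53:8080", "162.241.41.111:7080",
    "190.85.46.52:7080", "190.190.15.20:80", "181.95.133.104:80",
    "41.212.89.128:80", "115.176.16.221:80", "143.95.101.72:8080",
    "75.127.14.170:8080", "116.202.10.123:8080", "74.208.173.91:8080",
    "103.93.220.182:80", "50.116.78.109:8080", "67.121.104.51:20",
    "180.26.62.115:443", "139.59.12.63:8080", "76.18.16.210:80",
    "113.161.148.81:80", "5.79.70.250:8080",
]

# IPv4 TCP SYN with the options Windows sends by default
# (20 B IP + 20 B TCP + 12 B options). Heuristic only; assumes IP-layer byte counts.
WINDOWS_SYN_BYTES = 52


@dataclass(frozen=True)
class Flow:
    remote: str                 # "ip:port"
    process: Optional[str]      # None where the report attributes no process
    sent_bytes: int
    recv_bytes: int
    pkts_sent: int
    pkts_recv: int


# Non-DNS rows of the Network table, in the order the report lists them.
FLOWS = [
    Flow("190.192.39.136:80", SAMPLE, 260, 0, 5, 0),
    Flow("5.189.168.53:8080", SAMPLE, 260, 0, 5, 0),
    Flow("162.241.41.111:7080", SAMPLE, 260, 0, 5, 0),
    Flow("52.111.243.31:443", None, 322, 0, 7, 0),
    Flow("190.85.46.52:7080", SAMPLE, 260, 0, 5, 0),
    Flow("190.190.15.20:80", SAMPLE, 260, 0, 5, 0),
    Flow("181.95.133.104:80", SAMPLE, 260, 0, 5, 0),
]


def classify(flow: Flow, c2: set) -> str:
    """Label one flow by what the config and the byte counts say about it."""
    if flow.remote not in c2:
        return "unrelated"                      # sandbox/OS background traffic
    if flow.recv_bytes > 0:
        return "c2-exchange"                    # the C2 answered: pull the pcap
    if flow.pkts_sent and flow.sent_bytes == WINDOWS_SYN_BYTES * flow.pkts_sent:
        return "c2-syn-only"                    # unanswered SYN retransmissions
    return "c2-no-reply"


def correlate(flows=FLOWS, c2_list=EPOCH3_C2, sample=SAMPLE) -> dict:
    """Split the table into C2 contacts, untested C2s and traffic to ignore."""
    c2 = set(c2_list)
    labels = {f.remote: classify(f, c2) for f in flows}
    contacted = [f.remote for f in flows if f.remote in c2]
    return {
        "labels": labels,
        # C2s reached within the analysis window, in config order
        "contacted": [c for c in c2_list if c in contacted],
        "in_report_order": contacted,
        "answered": [f.remote for f in flows if labels[f.remote] == "c2-exchange"],
        "not_contacted": [c for c in c2_list if c not in contacted],
        # traffic neither attributed to the sample nor matching the config
        "unattributed": [f.remote for f in flows
                         if f.process != sample and f.remote not in c2],
    }


if __name__ == "__main__":
    r = correlate()
    for remote, label in r["labels"].items():
        print(f"{remote:22} {label}")
    print(f"{len(r['contacted'])}/{len(EPOCH3_C2)} C2s contacted, "
          f"{len(r['answered'])} answered; config order preserved: "
          f"{r['in_report_order'] == r['contacted']}")
```

Because every C2 contact is labelled c2-syn-only and none answered, the sandbox run yields the static config as the only reliable network IOC set; the 14 untested entries are as much part of it as the six that were tried.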

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1220-0-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

  • memory/1220-7-0x0000000002300000-0x000000000230F000-memory.dmp

    Filesize

    60KB

  • memory/1220-4-0x0000000002970000-0x0000000002980000-memory.dmp

    Filesize

    64KB
