Analysis
-
max time kernel
138s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11/09/2024, 16:56 UTC
Static task
static1
Behavioral task
behavioral1
Sample
daced29f49a5af2480e75eaeca3bc012_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
daced29f49a5af2480e75eaeca3bc012_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
daced29f49a5af2480e75eaeca3bc012_JaffaCakes118.dll
-
Size
330KB
-
MD5
daced29f49a5af2480e75eaeca3bc012
-
SHA1
fefb27b90ee0decb47b0586bf53b4c1867566568
-
SHA256
21015477e318c468a094a1409c3d6f4178dcec78b4120e240ffeb2da8dab96e2
-
SHA512
db2e3ef38d203ff604d47e61bc75c6c8bcf378a888f3a8905b0acc23328ee71442f7ced38e71f39ac9f5422d546feef418ab768d4f81cf45bc18fb45d057d57c
-
SSDEEP
3072:gRq1sFAd2gQ5PmBvNZwnnq1gn2RvoXiDzAYgrO1v2F5j8eFu:qq1sFAwgwmBv3wnIgG4oAYxvU54eu
Malware Config
Extracted
emotet
Epoch3
190.55.186.229:80
203.157.152.9:7080
157.245.145.87:443
109.99.146.210:8080
116.202.10.123:8080
172.96.190.154:8080
163.53.204.180:443
190.107.118.125:80
91.93.3.85:8080
185.142.236.163:443
115.79.195.246:80
120.51.34.254:80
192.210.217.94:8080
198.20.228.9:8080
91.75.75.46:80
54.38.143.245:8080
161.49.84.2:80
162.144.145.58:8080
178.33.167.120:8080
201.193.160.196:80
143.95.101.72:8080
37.205.9.252:7080
178.62.254.156:8080
103.80.51.61:8080
74.208.173.91:8080
203.153.216.178:7080
152.32.75.74:443
37.46.129.215:8080
70.32.89.105:8080
179.233.3.89:80
132.248.38.158:80
103.229.73.17:8080
2.58.16.86:8080
82.78.179.117:443
139.59.61.215:443
75.127.14.170:8080
78.90.78.210:80
122.116.104.238:8443
5.79.70.250:8080
182.73.7.59:8080
192.163.221.191:8080
139.59.12.63:8080
190.19.169.69:443
58.27.215.3:8080
201.163.74.204:80
175.103.38.146:80
139.5.101.203:80
201.212.61.66:80
117.2.139.117:443
186.96.170.61:80
50.116.78.109:8080
68.133.75.203:8080
183.91.3.63:80
65.32.168.171:80
172.104.46.84:8080
27.78.27.110:443
172.193.14.201:80
103.93.220.182:80
49.206.16.156:80
223.17.215.76:80
203.56.191.129:8080
195.159.28.244:8080
195.201.56.70:8080
110.37.224.243:80
110.172.180.180:8080
188.166.220.180:7080
180.148.4.130:8080
157.7.164.178:8081
88.58.209.2:80
91.83.93.103:443
24.230.124.78:80
8.4.9.137:8080
203.160.167.243:80
192.241.220.183:8080
79.133.6.236:8080
186.146.229.172:80
46.105.131.68:8080
178.254.36.182:8080
46.32.229.152:8080
202.29.237.113:8080
185.208.226.142:8080
2.82.75.215:80
190.85.46.52:7080
190.18.184.113:80
188.226.165.170:8080
Signatures
-
Blocklisted process makes network request 7 IoCs
flow pid Process 3 2252 rundll32.exe 7 2252 rundll32.exe 8 2252 rundll32.exe 11 2252 rundll32.exe 12 2252 rundll32.exe 14 2252 rundll32.exe 15 2252 rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2252 rundll32.exe 2252 rundll32.exe 2252 rundll32.exe 2252 rundll32.exe 2252 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 588 wrote to memory of 2252 588 rundll32.exe 30 PID 588 wrote to memory of 2252 588 rundll32.exe 30 PID 588 wrote to memory of 2252 588 rundll32.exe 30 PID 588 wrote to memory of 2252 588 rundll32.exe 30 PID 588 wrote to memory of 2252 588 rundll32.exe 30 PID 588 wrote to memory of 2252 588 rundll32.exe 30 PID 588 wrote to memory of 2252 588 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\daced29f49a5af2480e75eaeca3bc012_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\daced29f49a5af2480e75eaeca3bc012_JaffaCakes118.dll,#12⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2252
-
Network
-
Remote address:157.245.145.87:443RequestPOST /vp7bmhfwpb8d/b2i97tdzb/ptb4h4v1/b0qpddebvvy/4tpa5qa/ HTTP/1.1
DNT: 0
Referer: 157.245.145.87/vp7bmhfwpb8d/b2i97tdzb/ptb4h4v1/b0qpddebvvy/4tpa5qa/
Content-Type: multipart/form-data; boundary=----------------wszjZ1S4lYMhpzCX
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 157.245.145.87:443
Content-Length: 6004
Connection: Keep-Alive
Cache-Control: no-cache
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
157.245.145.87:443http://157.245.145.87:443/vp7bmhfwpb8d/b2i97tdzb/ptb4h4v1/b0qpddebvvy/4tpa5qa/httprundll32.exe6.3kB 172 B 8 4
HTTP Request
POST http://157.245.145.87:443/vp7bmhfwpb8d/b2i97tdzb/ptb4h4v1/b0qpddebvvy/4tpa5qa/ -
152 B 3
-
152 B 3