Analysis

  • max time kernel
    138s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/09/2024, 16:56 UTC

General

  • Target

    daced29f49a5af2480e75eaeca3bc012_JaffaCakes118.dll

  • Size

    330KB

  • MD5

    daced29f49a5af2480e75eaeca3bc012

  • SHA1

    fefb27b90ee0decb47b0586bf53b4c1867566568

  • SHA256

    21015477e318c468a094a1409c3d6f4178dcec78b4120e240ffeb2da8dab96e2

  • SHA512

    db2e3ef38d203ff604d47e61bc75c6c8bcf378a888f3a8905b0acc23328ee71442f7ced38e71f39ac9f5422d546feef418ab768d4f81cf45bc18fb45d057d57c

  • SSDEEP

    3072:gRq1sFAd2gQ5PmBvNZwnnq1gn2RvoXiDzAYgrO1v2F5j8eFu:qq1sFAwgwmBv3wnIgG4oAYxvU54eu

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

190.55.186.229:80

203.157.152.9:7080

157.245.145.87:443

109.99.146.210:8080

116.202.10.123:8080

172.96.190.154:8080

163.53.204.180:443

190.107.118.125:80

91.93.3.85:8080

185.142.236.163:443

115.79.195.246:80

120.51.34.254:80

192.210.217.94:8080

198.20.228.9:8080

91.75.75.46:80

54.38.143.245:8080

161.49.84.2:80

162.144.145.58:8080

178.33.167.120:8080

201.193.160.196:80

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a modular trojan and malware loader, primarily spread through malicious spam emails. Its C2 list and the RSA public key used to protect C2 traffic are carried in an embedded configuration, which is what the extracted config above shows.

  • Blocklisted process makes network request 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\daced29f49a5af2480e75eaeca3bc012_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:588
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\daced29f49a5af2480e75eaeca3bc012_JaffaCakes118.dll,#1
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2252

Network

  • SG
    POST
    http://157.245.145.87:443/vp7bmhfwpb8d/b2i97tdzb/ptb4h4v1/b0qpddebvvy/4tpa5qa/
    rundll32.exe
    Remote address:
    157.245.145.87:443
    Request
    POST /vp7bmhfwpb8d/b2i97tdzb/ptb4h4v1/b0qpddebvvy/4tpa5qa/ HTTP/1.1
    DNT: 0
    Referer: 157.245.145.87/vp7bmhfwpb8d/b2i97tdzb/ptb4h4v1/b0qpddebvvy/4tpa5qa/
    Content-Type: multipart/form-data; boundary=----------------wszjZ1S4lYMhpzCX
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 157.245.145.87:443
    Content-Length: 6004
    Connection: Keep-Alive
    Cache-Control: no-cache
  • 190.55.186.229:80
    rundll32.exe
    152 B
    3
  • 190.55.186.229:80
    rundll32.exe
    152 B
    3
  • 203.157.152.9:7080
    rundll32.exe
    152 B
    3
  • 203.157.152.9:7080
    rundll32.exe
    152 B
    3
  • 157.245.145.87:443
    http://157.245.145.87:443/vp7bmhfwpb8d/b2i97tdzb/ptb4h4v1/b0qpddebvvy/4tpa5qa/
    http
    rundll32.exe
    6.3kB
    172 B
    8
    4

    HTTP Request

    POST http://157.245.145.87:443/vp7bmhfwpb8d/b2i97tdzb/ptb4h4v1/b0qpddebvvy/4tpa5qa/
  • 109.99.146.210:8080
    rundll32.exe
    152 B
    3
  • 109.99.146.210:8080
    rundll32.exe
    152 B
    3
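The one completed flow above shows the shape of the beacon: a POST over plaintext HTTP to a bare IP on port 443, a multipart/form-data body, a Referer with no scheme, an Internet Explorer 7 user agent, and a URI made of random-looking alphanumeric segments. The remaining flows (152 B over 3 packets, nothing received) are consistent with unanswered connection attempts to C2s that were already dead when the run happened, which is a reminder that the IP list ages quickly while the request shape does not. The following is an added example, not from this report: detection logic that checks each HTTP record against the extracted C2 list and against those behavioural traits. The three proxy records are constructed for the example (the first reproduces the captured request, the other two are invented benign traffic); the function names and the two-reason threshold are this example's own choices.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# C2 addresses exactly as listed in the extracted config above.
EMOTET_EPOCH3_C2 = {
    "190.55.186.229:80", "203.157.152.9:7080", "157.245.145.87:443",
    "109.99.146.210:8080", "116.202.10.123:8080", "172.96.190.154:8080",
    "163.53.204.180:443", "190.107.118.125:80", "91.93.3.85:8080",
    "185.142.236.163:443", "115.79.195.246:80", "120.51.34.254:80",
    "192.210.217.94:8080", "198.20.228.9:8080", "91.75.75.46:80",
    "54.38.143.245:8080", "161.49.84.2:80", "162.144.145.58:8080",
    "178.33.167.120:8080", "201.193.160.196:80",
}

# Constructed proxy records as (method, url, headers). The first reproduces the request
# captured in this report; the other two are invented benign traffic for contrast.
SAMPLE_RECORDS = [
    ("POST", "http://157.245.145.87:443/vp7bmhfwpb8d/b2i97tdzb/ptb4h4v1/b0qpddebvvy/4tpa5qa/",
     {"Referer": "157.245.145.87/vp7bmhfwpb8d/b2i97tdzb/ptb4h4v1/b0qpddebvvy/4tpa5qa/",
      "Content-Type": "multipart/form-data; boundary=----------------wszjZ1S4lYMhpzCX",
      "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)"}),
    ("POST", "https://www.example.com/api/v1/upload",
     {"Referer": "https://www.example.com/files",
      "Content-Type": "multipart/form-data; boundary=abc"}),
    ("GET", "http://10.0.0.5:8080/status", {}),
]

RANDOM_SEGMENT = re.compile(r"^[a-z0-9]{4,16}$")
HAS_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_request(method, url, headers):
    """Return (ioc_hit, reasons): exact C2 match plus behavioural traits of the captured beacon."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    ioc_hit = f"{u.hostname}:{port}" in EMOTET_EPOCH3_C2
    h = {k.lower(): v for k, v in headers.items()}
    reasons = []
    if u.scheme == "http" and port == 443:
        reasons.append("plaintext HTTP to port 443")
    if (method == "POST" and _is_ip_literal(u.hostname or "")
            and h.get("content-type", "").startswith("multipart/form-data")):
        reasons.append("multipart POST to bare IP literal")
    ref = h.get("referer")
    if ref and not HAS_SCHEME.match(ref):
        reasons.append("Referer lacks a scheme")
    segs = [s for s in u.path.split("/") if s]
    if len(segs) >= 3 and all(RANDOM_SEGMENT.match(s) for s in segs):
        reasons.append("path is only random-looking alphanumeric segments")
    return ioc_hit, reasons


def is_emotet_like(method, url, headers, min_reasons=2):
    """An exact C2 match is enough on its own; otherwise require two behavioural traits."""
    ioc_hit, reasons = score_request(method, url, headers)
    return ioc_hit or len(reasons) >= min_reasons


def scan(records):
    """Return the URLs of records that look like Emotet beacons."""
    return [url for m, url, h in records if is_emotet_like(m, url, h)]


if __name__ == "__main__":
    for m, url, h in SAMPLE_RECORDS:
        print(is_emotet_like(m, url, h), url, score_request(m, url, h)[1])
```

The IOC match is the precise but perishable part; the behavioural checks are what keep catching the same loader after the C2 list rotates, and the cheapest of them (plaintext HTTP carrying a port-443 Host header) is something a proxy or NDR can alert on without any body inspection.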

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2252-0-0x00000000000F0000-0x000000000010F000-memory.dmp

    Filesize

    124KB

  • memory/2252-1-0x0000000010000000-0x0000000010023000-memory.dmp

    Filesize

    140KB

  • memory/2252-2-0x0000000010000000-0x0000000010023000-memory.dmp

    Filesize

    140KB

  • memory/2252-3-0x0000000010000000-0x0000000010023000-memory.dmp

    Filesize

    140KB
