Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-09-2024 10:48

General

  • Target: fe5d92e62c84d8e048b224aa42756436_JaffaCakes118.exe
  • Size: 168KB
  • MD5: fe5d92e62c84d8e048b224aa42756436
  • SHA1: 5ff10e671fa3064550c0336c402065ba60b22005
  • SHA256: c0f27ad7fd54e725827d53806ca997783448ed9a0084a4cae5e89e16955caa00
  • SHA512: 7ede3edafd46430fd5935ee7e2f870569905f10227deaf1ca1a017e2f7e5b2ff0d9cb479554ab5a7bc3625f55a7e1acf05451bcdf3c35c8c20cb38b027289157
  • SSDEEP: 3072:I39B5rB3lhmRr4AU94TUBlqOfFIXGWJ/ogu1pMQWqNgL4xuEQsxq:or5o4AG8DOCowQWqi6LQ

Malware Config

Extracted configuration

  • Family: emotet
  • Botnet: Epoch1
  • C2:


  • rsa_pubkey.plain:
    -----BEGIN PUBLIC KEY-----
    MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
    uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
    6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
    -----END PUBLIC KEY-----

Signatures

  • Emotet
    Emotet is a trojan that is primarily spread through spam emails.
  • Emotet payload (3 IoCs)
    Detects Emotet payload in memory.
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (20 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe5d92e62c84d8e048b224aa42756436_JaffaCakes118.exe (PID 2848)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fe5d92e62c84d8e048b224aa42756436_JaffaCakes118.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

Network

  • Reverse DNS lookups (all sent to 8.8.8.8:53 [US], type IN PTR):

    Query                          Answer
    217.106.137.52.in-addr.arpa    (no answer recorded)
    83.210.23.2.in-addr.arpa       a2-23-210-83.deploy.static.akamaitechnologies.com
    76.32.126.40.in-addr.arpa      (no answer recorded)
    232.168.11.51.in-addr.arpa     (no answer recorded)
    26.165.165.52.in-addr.arpa     (no answer recorded)
    15.164.165.52.in-addr.arpa     (no answer recorded)
    127.33.75.51.in-addr.arpa      abc wielopoleeu
    98.117.19.2.in-addr.arpa       a2-19-117-98.deploy.static.akamaitechnologies.com
    48.229.111.52.in-addr.arpa     (no answer recorded)

  • HTTP POST by fe5d92e62c84d8e048b224aa42756436_JaffaCakes118.exe to 51.75.33.127:80 [PL]:

    Request
    POST /tW61NfZwQBf/YvYIlxvMQKlb9fG6/tQVYD/s5Jmxxfs/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: 51.75.33.127/tW61NfZwQBf/YvYIlxvMQKlb9fG6/tQVYD/s5Jmxxfs/
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=---------------6DWIuhs6unefliR
    Host: 51.75.33.127
    Content-Length: 4596
    Cache-Control: no-cache

    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.24.0
    Date: Sun, 29 Sep 2024 10:49:14 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: keep-alive

  • Connections by remote endpoint (bytes and packets out / in; blank where the report gives no value):

    Remote endpoint      Proto  Process / request                                      Out     In      Pkts out  Pkts in
    192.81.38.31:80             fe5d92e62c84d8e048b224aa42756436_JaffaCakes118.exe     260 B           5
    51.75.33.127:80      http   fe5d92e62c84d8e048b224aa42756436_JaffaCakes118.exe     5.6kB   560 B   10        6
                                (POST http://51.75.33.127/tW61NfZwQBf/YvYIlxvMQKlb9fG6/tQVYD/s5Jmxxfs/, response 404)
    37.157.196.117:7080         fe5d92e62c84d8e048b224aa42756436_JaffaCakes118.exe     260 B           5
    116.202.23.3:8080           fe5d92e62c84d8e048b224aa42756436_JaffaCakes118.exe     260 B   200 B   5         5
    54.37.42.48:8080            fe5d92e62c84d8e048b224aa42756436_JaffaCakes118.exe     260 B           5
    2.36.95.106:80              fe5d92e62c84d8e048b224aa42756436_JaffaCakes118.exe     260 B           5
    186.103.141.250:443         fe5d92e62c84d8e048b224aa42756436_JaffaCakes118.exe     260 B           5
    192.241.146.84:8080         fe5d92e62c84d8e048b224aa42756436_JaffaCakes118.exe     260 B   200 B   5         5
    94.176.234.118:443          fe5d92e62c84d8e048b224aa42756436_JaffaCakes118.exe     208 B   160 B   4         4
    8.8.8.8:53           dns    217.106.137.52.in-addr.arpa                            73 B    147 B   1         1
    8.8.8.8:53           dns    83.210.23.2.in-addr.arpa                               70 B    133 B   1         1
    8.8.8.8:53           dns    76.32.126.40.in-addr.arpa                              71 B    157 B   1         1
    8.8.8.8:53           dns    232.168.11.51.in-addr.arpa                             72 B    158 B   1         1
    8.8.8.8:53           dns    26.165.165.52.in-addr.arpa                             72 B    146 B   1         1
    8.8.8.8:53           dns    15.164.165.52.in-addr.arpa                             72 B    146 B   1         1
    8.8.8.8:53           dns    127.33.75.51.in-addr.arpa                              71 B    101 B   1         1
    8.8.8.8:53           dns    98.117.19.2.in-addr.arpa                               70 B    133 B   1         1
    8.8.8.8:53           dns    48.229.111.52.in-addr.arpa                             72 B    158 B   1         1

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2848-4-0x00000000021B0000-0x00000000021C0000-memory.dmp (64KB)
  • memory/2848-7-0x0000000002180000-0x000000000218F000-memory.dmp (60KB)
  • memory/2848-0-0x0000000002190000-0x00000000021A2000-memory.dmp (72KB)
