Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 15-06-2024 00:13
Static task: static1
Behavioral task: behavioral1
Sample: ac2d8bf0afb53387ef25eb90b3d6202d_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: ac2d8bf0afb53387ef25eb90b3d6202d_JaffaCakes118.exe
Size: 667KB
MD5: ac2d8bf0afb53387ef25eb90b3d6202d
SHA1: 4b9c205090f244fc241f1f77154419a3bdb4becc
SHA256: 26e21e5dc579af308109923c95196b986811cd1cc6737903fb7f955f6108b90c
SHA512: b166a6e2fa43ac879e7ce883ea457c5055d707befd18d0cecb520d2d86f454816ef617df7f9f0288b936d5d4bf6ac5bb7f0e68222ce4a8a7da0da9f87cd3d625
SSDEEP: 12288:6+JJG//twCZ1CFy6jpcFnRO6QuiCDuBMoC+azA:6+J6/twC1N6jiVk6Quix4m
Malware Config
Extracted
emotet
Epoch2
Signatures
Processes:
resource                                                                     yara_rule
behavioral2/memory/2648-4-0x0000000000760000-0x0000000000770000-memory.dmp   emotet
behavioral2/memory/2648-0-0x0000000000630000-0x0000000000642000-memory.dmp   emotet
behavioral2/memory/2648-7-0x0000000000610000-0x000000000061F000-memory.dmp   emotet
behavioral2/memory/5064-10-0x0000000002020000-0x0000000002032000-memory.dmp  emotet
behavioral2/memory/5064-14-0x0000000002490000-0x00000000024A0000-memory.dmp  emotet
Executes dropped EXE 1 IoCs
Processes:
pid   process
5064  control.exe

Drops file in System32 directory 1 IoCs
Processes:
description                   ioc                                      process
File opened for modification  C:\Windows\SysWOW64\frprov\control.exe   ac2d8bf0afb53387ef25eb90b3d6202d_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
pid   process
5064  control.exe (18 occurrences, one per IoC)

Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid   process
2648  ac2d8bf0afb53387ef25eb90b3d6202d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                       pid   process                                             target process
PID 2648 wrote to memory of 5064  2648  ac2d8bf0afb53387ef25eb90b3d6202d_JaffaCakes118.exe  control.exe
PID 2648 wrote to memory of 5064  2648  ac2d8bf0afb53387ef25eb90b3d6202d_JaffaCakes118.exe  control.exe
PID 2648 wrote to memory of 5064  2648  ac2d8bf0afb53387ef25eb90b3d6202d_JaffaCakes118.exe  control.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\ac2d8bf0afb53387ef25eb90b3d6202d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ac2d8bf0afb53387ef25eb90b3d6202d_JaffaCakes118.exe"
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\frprov\control.exe (child of 1)
      Command line: "C:\Windows\SysWOW64\frprov\control.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Windows\SysWOW64\frprov\control.exe
Filesize: 667KB
MD5: ac2d8bf0afb53387ef25eb90b3d6202d
SHA1: 4b9c205090f244fc241f1f77154419a3bdb4becc
SHA256: 26e21e5dc579af308109923c95196b986811cd1cc6737903fb7f955f6108b90c
SHA512: b166a6e2fa43ac879e7ce883ea457c5055d707befd18d0cecb520d2d86f454816ef617df7f9f0288b936d5d4bf6ac5bb7f0e68222ce4a8a7da0da9f87cd3d625
memory/2648-4-0x0000000000760000-0x0000000000770000-memory.dmp
Filesize: 64KB

memory/2648-0-0x0000000000630000-0x0000000000642000-memory.dmp
Filesize: 72KB

memory/2648-7-0x0000000000610000-0x000000000061F000-memory.dmp
Filesize: 60KB

memory/2648-9-0x0000000000400000-0x00000000004AC000-memory.dmp
Filesize: 688KB

memory/5064-10-0x0000000002020000-0x0000000002032000-memory.dmp
Filesize: 72KB

memory/5064-14-0x0000000002490000-0x00000000024A0000-memory.dmp
Filesize: 64KB