Analysis
max time kernel: 137s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-06-2024 00:24
Static task: static1
Behavioral task: behavioral1
Sample: b5f17493b380b5e61d4a96568e2825b0_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: b5f17493b380b5e61d4a96568e2825b0_JaffaCakes118.exe
Size: 634KB
MD5: b5f17493b380b5e61d4a96568e2825b0
SHA1: 751ab8e7f7ce475eda171fac649b3f4278a862c9
SHA256: 236953d7dd0d80ccf6fad7d05badadb3791a48679a93c6cf5718bc8f4e0ecd6f
SHA512: 76c18518150a8af8846abfb1c970045ac54ff0f9d3f6ec1bd2adcb7e0abdc9ad2ba2f9f635720137c6c93a4b953db58862df6419028fd49783ccfc7c33c8416b
SSDEEP: 6144:F9H+NDxL6GMGj8kl7muvrxwpntVsOGx4QKZXPk1jXPUVvfY0MAH1by7iNAJGu:FJ+Nd6Gmujx3uXPk1Dsm0bV6+AJG
Malware Config
Extracted: emotet (Epoch2)
C2 list (ip:port):
67.68.210.95:80
162.241.242.173:8080
45.55.36.51:443
45.55.219.163:443
68.188.112.97:80
46.105.131.79:8080
78.24.219.147:8080
37.70.8.161:80
153.232.188.106:80
209.141.54.221:8080
203.117.253.142:80
152.168.248.128:443
93.147.212.206:80
24.137.76.62:80
189.212.199.126:443
204.197.146.48:80
137.119.36.33:80
185.94.252.104:443
139.130.242.43:80
203.153.216.189:7080
200.114.213.233:8080
41.60.200.34:80
107.5.122.110:80
139.162.108.71:8080
137.59.187.107:8080
181.230.116.163:80
24.43.99.75:80
83.169.36.251:8080
95.179.229.244:8080
85.152.162.105:80
37.139.21.175:8080
98.109.204.230:80
139.59.60.244:8080
75.139.38.211:80
61.19.246.238:443
79.98.24.39:8080
69.30.203.214:8080
68.171.118.7:80
50.81.3.113:80
89.205.113.80:80
87.106.136.232:8080
74.109.108.202:80
95.213.236.64:8080
24.179.13.119:80
121.124.124.40:7080
70.121.172.89:80
74.120.55.163:80
104.131.44.150:8080
74.208.45.104:8080
1.221.254.82:80
187.161.206.24:80
188.219.31.12:80
180.92.239.110:8080
47.146.117.214:80
103.86.49.11:8080
190.55.181.54:443
104.236.246.93:8080
97.82.79.83:80
91.211.88.52:7080
84.39.182.7:80
110.145.77.103:80
94.23.237.171:443
85.105.205.77:8080
87.106.139.101:8080
200.41.121.90:80
157.245.99.39:8080
169.239.182.217:8080
67.205.85.243:8080
176.111.60.55:8080
174.45.13.118:80
167.86.90.214:8080
174.102.48.180:443
112.185.64.233:80
173.81.218.65:80
139.99.158.11:443
113.160.130.116:8443
201.173.217.124:443
62.75.141.82:80
174.137.65.18:80
172.91.208.86:80
5.196.74.210:8080
85.66.181.138:80
47.144.21.12:443
194.187.133.160:443
168.235.67.138:7080
104.131.11.150:443
190.160.53.126:80
37.187.72.193:8080
109.74.5.95:8080
120.150.60.189:80
94.200.114.161:80
216.208.76.186:80
173.62.217.22:443
62.30.7.67:443
5.39.91.110:7080
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  PID 1732  kbdnec.exe

Drops file in System32 directory (1 IoCs)
Processes:
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\wiadefui\kbdnec.exe
  process: b5f17493b380b5e61d4a96568e2825b0_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
  PID 1732  kbdnec.exe  (16 occurrences)

Suspicious behavior: RenamesItself (1 IoCs)
Processes:
  PID 972  b5f17493b380b5e61d4a96568e2825b0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  PID 972   b5f17493b380b5e61d4a96568e2825b0_JaffaCakes118.exe  (2 occurrences)
  PID 1732  kbdnec.exe  (2 occurrences)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 972 wrote to memory of 1732
  process: b5f17493b380b5e61d4a96568e2825b0_JaffaCakes118.exe (PID 972)
  target process: kbdnec.exe (PID 1732)
  (3 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\b5f17493b380b5e61d4a96568e2825b0_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b5f17493b380b5e61d4a96568e2825b0_JaffaCakes118.exe"
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\wiadefui\kbdnec.exe (child of the process above)
    command line: "C:\Windows\SysWOW64\wiadefui\kbdnec.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Windows\SysWOW64\wiadefui\kbdnec.exe
  Filesize: 634KB
  MD5: b5f17493b380b5e61d4a96568e2825b0
  SHA1: 751ab8e7f7ce475eda171fac649b3f4278a862c9
  SHA256: 236953d7dd0d80ccf6fad7d05badadb3791a48679a93c6cf5718bc8f4e0ecd6f
  SHA512: 76c18518150a8af8846abfb1c970045ac54ff0f9d3f6ec1bd2adcb7e0abdc9ad2ba2f9f635720137c6c93a4b953db58862df6419028fd49783ccfc7c33c8416b

memory/972-0-0x0000000002450000-0x000000000245C000-memory.dmp
  Filesize: 48KB

memory/972-5-0x0000000002440000-0x0000000002449000-memory.dmp
  Filesize: 36KB

memory/972-4-0x0000000002320000-0x0000000002321000-memory.dmp
  Filesize: 4KB

memory/972-7-0x0000000000400000-0x00000000004A8000-memory.dmp
  Filesize: 672KB

memory/1732-8-0x0000000002200000-0x000000000220C000-memory.dmp
  Filesize: 48KB

memory/1732-12-0x0000000002200000-0x000000000220C000-memory.dmp
  Filesize: 48KB