Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
17-06-2024 02:38
Static task
static1
Behavioral task
behavioral1
Sample
b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe
Resource
win7-20240220-en
General
-
Target
b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe
-
Size
603KB
-
MD5
b667d95eb7bb68cb705d4e03ec3c82e0
-
SHA1
c8f50e51260dd21469da203fe630171695c0cd47
-
SHA256
d67ffbff735113dee6060136bbe9d0f6d44a3026a2f4b57285ffeed2ce39cf61
-
SHA512
e14bb85150bd66f43e64c309b9019a4d9536709b8c3f190fcd39609d061230315d07a02af3c6cb0e5c933af4d179dd97f3fbb196cf95897e1db8440cf00c73c3
-
SSDEEP
12288:BkfdhQmseiH0lXPftSfWOOOR9tQdj363A+S:BEqcftSLVQdj363A+S
Malware Config
Extracted
emotet
Epoch2
2.38.99.79:80
98.24.231.64:80
47.156.70.145:80
37.59.24.177:8080
66.34.201.20:7080
108.179.206.219:8080
45.56.88.91:443
206.189.112.148:8080
120.150.246.241:80
190.56.255.118:80
200.71.148.138:8080
192.241.255.77:8080
211.63.71.72:8080
190.53.135.159:21
183.102.238.69:465
108.191.2.72:80
107.170.24.125:8080
167.114.242.226:8080
91.73.197.90:80
178.209.71.63:8080
217.160.182.191:8080
45.51.40.140:80
189.209.217.49:80
128.65.154.183:443
91.205.215.66:8080
95.128.43.213:8080
190.12.119.180:443
62.75.187.192:8080
12.176.19.218:80
178.210.51.222:8080
87.230.19.21:8080
110.143.57.109:80
61.197.110.214:80
67.225.179.64:8080
74.105.102.97:8080
190.226.44.20:21
93.147.141.5:80
5.196.74.210:8080
212.64.171.206:80
173.13.135.102:80
190.147.215.53:22
201.184.105.242:443
78.24.219.147:8080
201.173.217.124:443
92.186.52.193:80
12.229.155.122:80
165.228.24.197:80
31.31.77.83:443
58.171.42.66:8080
181.31.213.158:8080
101.187.247.29:80
86.98.156.239:443
87.106.139.101:8080
181.57.193.14:80
116.48.142.21:443
164.68.101.171:80
176.31.200.130:8080
209.97.168.52:8080
46.105.131.87:80
24.45.193.161:7080
190.211.207.11:443
210.6.85.121:80
139.130.241.252:443
59.103.164.174:80
176.106.183.253:8080
66.76.63.99:80
92.222.216.44:8080
159.65.25.128:8080
206.81.10.215:8080
31.172.240.91:8080
212.186.191.177:80
195.244.215.206:80
209.141.54.221:8080
104.131.44.150:8080
37.157.194.134:443
107.2.2.28:80
50.116.86.205:8080
45.33.49.124:443
91.242.138.5:80
91.231.166.126:8080
100.14.117.137:80
188.152.7.140:80
80.11.163.139:21
144.139.247.220:80
182.176.132.213:8090
212.129.24.79:8080
110.142.38.16:80
167.71.10.37:8080
87.106.136.232:8080
1.33.230.137:80
104.131.11.150:8080
101.187.134.207:443
185.159.102.74:80
70.175.171.251:80
167.99.105.223:7080
104.236.246.93:8080
197.254.221.174:80
73.11.153.178:8080
149.202.153.252:8080
169.239.182.217:8080
5.88.182.250:80
165.227.156.155:443
173.70.81.77:80
91.187.80.246:80
186.75.241.230:80
200.7.243.108:443
83.136.245.190:8080
181.143.194.138:443
80.21.182.46:80
Signatures
-
Drops file in System32 directory 4 IoCs
Processes:
appidattrib.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 appidattrib.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE appidattrib.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies appidattrib.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 appidattrib.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 3 IoCs
Processes:
appidattrib.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix appidattrib.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" appidattrib.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" appidattrib.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
appidattrib.exepid process 2444 appidattrib.exe 2444 appidattrib.exe 2444 appidattrib.exe 2444 appidattrib.exe 2444 appidattrib.exe 2444 appidattrib.exe 2444 appidattrib.exe 2444 appidattrib.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exepid process 4816 b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exeb667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exeappidattrib.exeappidattrib.exepid process 1744 b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe 1744 b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe 4816 b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe 4816 b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe 4580 appidattrib.exe 4580 appidattrib.exe 2444 appidattrib.exe 2444 appidattrib.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exeappidattrib.exedescription pid process target process PID 1744 wrote to memory of 4816 1744 b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe PID 1744 wrote to memory of 4816 1744 b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe PID 1744 wrote to memory of 4816 1744 b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe PID 4580 wrote to memory of 2444 4580 appidattrib.exe appidattrib.exe PID 4580 wrote to memory of 2444 4580 appidattrib.exe appidattrib.exe PID 4580 wrote to memory of 2444 4580 appidattrib.exe appidattrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe--72ab39cb2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\appidattrib.exe"C:\Windows\SysWOW64\appidattrib.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\appidattrib.exe--861d9fdc2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1744-0-0x00000000021D0000-0x00000000021E7000-memory.dmpFilesize
92KB
-
memory/1744-5-0x0000000002110000-0x0000000002121000-memory.dmpFilesize
68KB
-
memory/2444-19-0x0000000000E70000-0x0000000000E87000-memory.dmpFilesize
92KB
-
memory/4580-13-0x0000000000D00000-0x0000000000D17000-memory.dmpFilesize
92KB
-
memory/4816-6-0x00000000021A0000-0x00000000021B7000-memory.dmpFilesize
92KB
-
memory/4816-11-0x0000000000400000-0x000000000049D000-memory.dmpFilesize
628KB
-
memory/4816-18-0x0000000000400000-0x000000000049D000-memory.dmpFilesize
628KB