Analysis

- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 22:11
Behavioral task: behavioral1

- Sample: 1caf518700f8a969fe59ea7c35d13995_JaffaCakes118.exe
- Resource: win7-20240611-en
General

- Target: 1caf518700f8a969fe59ea7c35d13995_JaffaCakes118.exe
- Size: 474KB
- MD5: 1caf518700f8a969fe59ea7c35d13995
- SHA1: 7f6133ad68ba50920d5d353d346ec7ee7393b883
- SHA256: 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf
- SHA512: f6e3e6c93a3afe7b8ce2b8b84e71c61527795728c8ab7121bc875d1731b9b4f97f56defcdba6109fcbc7d353dc4a555f87a42a75944242e79941144614e84bf5
- SSDEEP: 6144:ieFrEMus74tW3HvPgADDnz/HXnr/vYitorLFDPMTJYhr64Fg0:ntEMus70imrLFPMdV4Fg0
Malware Config

Extracted
- Family: emotet
- Botnet: Epoch3
- C2 (ip:port):
110.36.234.146:80
197.211.244.6:443
125.99.61.162:7080
115.88.70.226:7080
162.241.232.82:8080
194.50.163.106:8080
162.214.27.219:7080
203.150.19.63:443
179.62.18.56:443
93.78.205.196:443
176.58.93.123:80
138.197.140.163:8080
181.113.229.139:990
201.244.125.210:995
186.10.16.244:53
83.169.33.157:8080
45.33.1.161:8080
186.117.174.26:80
186.93.167.147:443
148.240.52.172:80
186.29.155.101:50000
190.92.103.7:80
113.52.135.33:7080
70.45.30.28:80
5.189.148.98:8080
181.55.171.237:8080
143.95.101.72:8080
190.55.86.138:8443
181.165.150.211:143
190.96.118.15:443
190.117.206.153:443
41.60.202.26:22
216.70.88.55:8080
139.59.242.76:8080
190.13.146.47:443
178.249.187.150:7080
190.55.39.215:80
200.114.134.8:20
78.109.34.178:443
46.32.229.152:8080
216.154.222.52:7080
181.230.126.152:8090
152.170.220.95:80
51.38.134.203:8080
94.177.253.126:80
108.179.216.46:8080
Signatures

Drops file in System32 directory (4 IoCs)
Process: miscmove.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
These are the WinINet cache locations of the SYSTEM profile, and together with the HKEY_USERS\.DEFAULT writes below they show miscmove.exe running in the SYSTEM account context and initialising WinINet.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (3 IoCs)
Process: miscmove.exe
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"

Suspicious behavior: EnumeratesProcesses (12 IoCs)
- PID 4688 miscmove.exe (12 entries)

Suspicious behavior: RenamesItself (1 IoC)
- PID 3288 1caf518700f8a969fe59ea7c35d13995_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Process: AUDIODG.EXE (PID 4044)
- Token: 33
- Token: SeIncBasePriorityPrivilege
AUDIODG.EXE is the Windows audio device graph isolation process; it is not a child of the sample in the process tree below, so this entry is sandbox background activity rather than sample behaviour.

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 2540 (1caf518700f8a969fe59ea7c35d13995_JaffaCakes118.exe) wrote to memory of PID 3288 (1caf518700f8a969fe59ea7c35d13995_JaffaCakes118.exe), 3 entries
- PID 2564 (miscmove.exe) wrote to memory of PID 4688 (miscmove.exe), 3 entries
Processes

- C:\Users\Admin\AppData\Local\Temp\1caf518700f8a969fe59ea7c35d13995_JaffaCakes118.exe (PID 2540)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1caf518700f8a969fe59ea7c35d13995_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1caf518700f8a969fe59ea7c35d13995_JaffaCakes118.exe (PID 3288)
    Command line: C:\Users\Admin\AppData\Local\Temp\1caf518700f8a969fe59ea7c35d13995_JaffaCakes118.exe --c82fe7e7
    - Suspicious behavior: RenamesItself

- C:\Windows\system32\AUDIODG.EXE (PID 4044; Windows audio device graph isolation, sandbox background, not a child of the sample)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x3cc 0x2d8
  - Suspicious use of AdjustPrivilegeToken

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (Edge utility process, sandbox background, not a child of the sample)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3364,i,3144109701624127473,12586215149656995128,262144 --variations-seed-version --mojo-platform-channel-handle=1412 /prefetch:8

- C:\Windows\SysWOW64\miscmove.exe (PID 2564)
  Command line: "C:\Windows\SysWOW64\miscmove.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\miscmove.exe (PID 4688)
    Command line: C:\Windows\SysWOW64\miscmove.exe --ac26baaf
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses

The tree shows the same pattern twice: a parent launches a second instance of its own image with a single 8-hex-digit argument (--c82fe7e7, --ac26baaf) and writes into that child's memory. The second occurrence runs from C:\Windows\SysWOW64\miscmove.exe, a 32-bit binary under the system directory, and it is that child (PID 4688) that performs the SYSTEM-profile file and registry activity listed under Signatures.
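As an added example (not part of this sandbox report), the following Python turns the pattern visible in the tree above into a check that can run over process-creation telemetry. The events are constructed from the process tree and the WriteProcessMemory table on this page; the parent PIDs 1000 and 800 for the root-level processes are placeholders, since the page does not show them.

```python
import re
from dataclasses import dataclass

# A lone trailing "--" plus exactly 8 lowercase hex digits, as in "--c82fe7e7"
# and "--ac26baaf" in the process tree above.
HEX_TAG = re.compile(r"\s--[0-9a-f]{8}$")
SYSWOW64 = "c:\\windows\\syswow64\\"


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree on this page. Parent PIDs 1000 and 800
# are placeholders: the report does not show who launched the root processes.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1caf518700f8a969fe59ea7c35d13995_JaffaCakes118.exe"
COPY = r"C:\Windows\SysWOW64\miscmove.exe"
AUDIODG = r"C:\Windows\system32\AUDIODG.EXE"
EVENTS = [
    ProcEvent(2540, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3288, 2540, SAMPLE, f"{SAMPLE} --c82fe7e7"),
    ProcEvent(4044, 800, AUDIODG, f"{AUDIODG} 0x3cc 0x2d8"),
    ProcEvent(2564, 1000, COPY, f'"{COPY}"'),
    ProcEvent(4688, 2564, COPY, f"{COPY} --ac26baaf"),
]


def detect(events):
    """Return (pid, reason, image) tuples for the two behaviours seen above.

    Both require the 8-hex tag on the command line; on its own the tag is too
    weak a signal, so it is paired with either a respawn of the parent's own
    image or execution from the SysWOW64 directory.
    """
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if not HEX_TAG.search(e.cmdline):
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            alerts.append((e.pid, "respawn of same image with 8-hex tag", e.image))
        if e.image.lower().startswith(SYSWOW64):
            alerts.append((e.pid, "SysWOW64 binary run with 8-hex tag", e.image))
    return alerts


def pids_with_alerts(events):
    """Distinct PIDs that triggered at least one alert, sorted."""
    return sorted({pid for pid, _, _ in detect(events)})


if __name__ == "__main__":
    for pid, reason, image in detect(EVENTS):
        print(f"{pid}: {reason} ({image})")
```

Run against the constructed events, PID 3288 triggers the respawn rule and PID 4688 triggers both rules; AUDIODG.EXE and the two root-level parents are ignored because they carry no tag. Legitimate installers also respawn themselves (for example during elevation), which is why the tag is mandatory rather than the same-image check alone; in a real pipeline the `ppid` lookup would come from the telemetry source rather than from the in-memory list used here.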
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- memory/2540-0-0x00007FFACAA10000-0x00007FFACAC05000-memory.dmp (2.0MB)
- memory/2540-1-0x0000000000400000-0x0000000000416000-memory.dmp (88KB)
- memory/2540-11-0x00007FFACAA10000-0x00007FFACAC05000-memory.dmp (2.0MB)
- memory/2564-5-0x00007FFACAA10000-0x00007FFACAC05000-memory.dmp (2.0MB)
- memory/3288-3-0x00007FFACAA10000-0x00007FFACAC05000-memory.dmp (2.0MB)
- memory/3288-8-0x0000000000400000-0x0000000000416000-memory.dmp (88KB)
- memory/4688-10-0x00007FFACAA10000-0x00007FFACAC05000-memory.dmp (2.0MB)
- memory/4688-14-0x00007FFACAA10000-0x00007FFACAC05000-memory.dmp (2.0MB)