emotet | 3fa959ac8f2e0b9322cd71c7631c6ef810a50d208d0e8128f4b71a743b7850ca

Analysis

max time kernel
134s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01335a7251e3f4149ad15111a4fcaf1a_JaffaCakes118.exe
Size

667KB
MD5

01335a7251e3f4149ad15111a4fcaf1a
SHA1

a161dbee6f350e841b2b98ce5a7187d0e108a967
SHA256

3fa959ac8f2e0b9322cd71c7631c6ef810a50d208d0e8128f4b71a743b7850ca
SHA512

34e3894ff2cfcc71b639463bdfb80294e41c7f2eeb6b95afef8c131a8746bcba3d122cf11f3b6a17c639201731386354007ee3cbd7207b5010b051ab0055cf4b
SSDEEP

12288:76JJG//tnC5VCFSoDpaQlHfl6mCiWDaBMNCCbnG:76J6/tniVNoDgQVN6mCip9CbG

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

202.22.141.45:80

37.187.161.206:8080

202.29.239.162:443

80.87.201.221:7080

82.76.111.249:443

216.47.196.104:80

192.241.143.52:8080

192.81.38.31:80

87.106.253.248:8080

64.201.88.132:80

192.241.146.84:8080

12.162.84.2:8080

1.226.84.243:8080

177.129.17.170:443

202.134.4.210:7080

70.169.17.134:80

152.169.22.67:80

5.196.35.138:7080

138.97.60.141:7080

203.205.28.68:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 5 IoCs

Detects Emotet payload in memory.

trojan banker

resource	yara_rule
behavioral2/memory/2848-4-0x0000000002100000-0x0000000002110000-memory.dmp	emotet
behavioral2/memory/2848-0-0x00000000020E0000-0x00000000020F2000-memory.dmp	emotet
behavioral2/memory/2848-7-0x00000000020C0000-0x00000000020CF000-memory.dmp	emotet
behavioral2/memory/1716-10-0x0000000000680000-0x0000000000692000-memory.dmp	emotet
behavioral2/memory/1716-14-0x00000000006A0000-0x00000000006B0000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

pid	Process
1716	WMASF.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windows.Management.Workplace\WMASF.exe	01335a7251e3f4149ad15111a4fcaf1a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1716	WMASF.exe
1716	WMASF.exe
1716	WMASF.exe
1716	WMASF.exe
1716	WMASF.exe
1716	WMASF.exe
1716	WMASF.exe
1716	WMASF.exe
1716	WMASF.exe
1716	WMASF.exe
1716	WMASF.exe
1716	WMASF.exe
1716	WMASF.exe
1716	WMASF.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2848	01335a7251e3f4149ad15111a4fcaf1a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1716	2848	01335a7251e3f4149ad15111a4fcaf1a_JaffaCakes118.exe	80
PID 2848 wrote to memory of 1716	2848	01335a7251e3f4149ad15111a4fcaf1a_JaffaCakes118.exe	80
PID 2848 wrote to memory of 1716	2848	01335a7251e3f4149ad15111a4fcaf1a_JaffaCakes118.exe	80

C:\Users\Admin\AppData\Local\Temp\01335a7251e3f4149ad15111a4fcaf1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01335a7251e3f4149ad15111a4fcaf1a_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\Windows.Management.Workplace\WMASF.exe
  "C:\Windows\SysWOW64\Windows.Management.Workplace\WMASF.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Windows.Management.Workplace\WMASF.exe

Filesize
667KB

MD5
01335a7251e3f4149ad15111a4fcaf1a

SHA1
a161dbee6f350e841b2b98ce5a7187d0e108a967

SHA256
3fa959ac8f2e0b9322cd71c7631c6ef810a50d208d0e8128f4b71a743b7850ca

SHA512
34e3894ff2cfcc71b639463bdfb80294e41c7f2eeb6b95afef8c131a8746bcba3d122cf11f3b6a17c639201731386354007ee3cbd7207b5010b051ab0055cf4b

Download Submit
memory/1716-10-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/1716-14-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/2848-4-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/2848-0-0x00000000020E0000-0x00000000020F2000-memory.dmp

Filesize
72KB

Download
memory/2848-7-0x00000000020C0000-0x00000000020CF000-memory.dmp

Filesize
60KB

Download
memory/2848-9-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download