emotet | 1c305ba670ec64f176fcb46743a796a8b5f1577dae118ef68740d410d8a14153

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

034dec33fb61291515f2201b6412e776_JaffaCakes118.exe
Size

145KB
MD5

034dec33fb61291515f2201b6412e776
SHA1

e0fc81e65bf937a8761f0b53978139836bc5d44c
SHA256

1c305ba670ec64f176fcb46743a796a8b5f1577dae118ef68740d410d8a14153
SHA512

92e853c633ef23c625a11c03be43cc5dcd8f14438f2d6ca08511d87ac2e6c8c4bc507f467a468b34e2178d16deb80f6661a30080f255295533d4b1c8303b1e1b
SSDEEP

3072:kyYIilXVCZV4xqbqP1AjTPsjuHY1sUycOo9EdAPioPZrnghGLOrigrcGN2:7zoMVuqePSHsMKOo9EdAPXPZLGGarmG

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

91.105.94.200:80

51.38.124.206:80

38.88.126.202:8080

54.37.42.48:8080

189.2.177.210:443

181.30.61.163:443

185.178.10.77:80

199.203.62.165:80

177.73.0.98:443

87.106.46.107:8080

5.196.35.138:7080

5.189.178.202:8080

185.183.16.47:80

78.249.119.122:80

191.182.6.118:80

96.227.52.8:443

186.103.141.250:443

50.28.51.143:8080

111.67.12.221:8080

50.121.220.50:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 5 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral2/memory/2544-0-0x0000000000710000-0x0000000000722000-memory.dmp	emotet
behavioral2/memory/2544-4-0x0000000000730000-0x0000000000740000-memory.dmp	emotet
behavioral2/memory/2544-7-0x00000000005D0000-0x00000000005DF000-memory.dmp	emotet
behavioral2/memory/4140-14-0x00000000005C0000-0x00000000005D0000-memory.dmp	emotet
behavioral2/memory/4140-10-0x00000000005A0000-0x00000000005B2000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

Processes:

mfc120kor.exe

pid process

4140 mfc120kor.exe
Drops file in System32 directory 1 IoCs

Processes:

034dec33fb61291515f2201b6412e776_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\rundll32\mfc120kor.exe 034dec33fb61291515f2201b6412e776_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\rundll32\mfc120kor.exe	034dec33fb61291515f2201b6412e776_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

mfc120kor.exe

pid	process
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe
4140	mfc120kor.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

034dec33fb61291515f2201b6412e776_JaffaCakes118.exe

pid process

2544 034dec33fb61291515f2201b6412e776_JaffaCakes118.exe

pid	process
2544	034dec33fb61291515f2201b6412e776_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

034dec33fb61291515f2201b6412e776_JaffaCakes118.exe

description	pid	process	target process
PID 2544 wrote to memory of 4140	2544	034dec33fb61291515f2201b6412e776_JaffaCakes118.exe	mfc120kor.exe
PID 2544 wrote to memory of 4140	2544	034dec33fb61291515f2201b6412e776_JaffaCakes118.exe	mfc120kor.exe
PID 2544 wrote to memory of 4140	2544	034dec33fb61291515f2201b6412e776_JaffaCakes118.exe	mfc120kor.exe

C:\Users\Admin\AppData\Local\Temp\034dec33fb61291515f2201b6412e776_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\034dec33fb61291515f2201b6412e776_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\rundll32\mfc120kor.exe
"C:\Windows\SysWOW64\rundll32\mfc120kor.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32\mfc120kor.exe
Filesize
145KB

MD5
034dec33fb61291515f2201b6412e776

SHA1
e0fc81e65bf937a8761f0b53978139836bc5d44c

SHA256
1c305ba670ec64f176fcb46743a796a8b5f1577dae118ef68740d410d8a14153

SHA512
92e853c633ef23c625a11c03be43cc5dcd8f14438f2d6ca08511d87ac2e6c8c4bc507f467a468b34e2178d16deb80f6661a30080f255295533d4b1c8303b1e1b

Download Submit
memory/2544-0-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/2544-4-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/2544-7-0x00000000005D0000-0x00000000005DF000-memory.dmp

Filesize
60KB

Download
memory/2544-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4140-14-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/4140-10-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download