emotet | e5739c955aee483a02dbe225b39e7e6efcc488448dca1008d20961954d6ca54d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0466430f1c1b2f8e79de56de6f8c3951_JaffaCakes118.exe
Size

667KB
MD5

0466430f1c1b2f8e79de56de6f8c3951
SHA1

754cb7a6699cf7d7bdc90f8b2c05294cb88a493a
SHA256

e5739c955aee483a02dbe225b39e7e6efcc488448dca1008d20961954d6ca54d
SHA512

31ebe5b1f1128c3114f94b92f6902f8aa90710e4e318ee2da8165e4519ad301f8805009d1f8aef7ec4ab1ce425e6ab8749cfb683b2841a2419ce533747593f56
SSDEEP

12288:76JJG//tnC5VCFSoDpaQlHfl6mCiWDaBMNCsbnG:76J6/tniVNoDgQVN6mCip9sbG

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

202.22.141.45:80

37.187.161.206:8080

202.29.239.162:443

80.87.201.221:7080

82.76.111.249:443

216.47.196.104:80

192.241.143.52:8080

192.81.38.31:80

87.106.253.248:8080

64.201.88.132:80

192.241.146.84:8080

12.162.84.2:8080

1.226.84.243:8080

177.129.17.170:443

202.134.4.210:7080

70.169.17.134:80

152.169.22.67:80

5.196.35.138:7080

138.97.60.141:7080

203.205.28.68:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 5 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral2/memory/4764-5-0x0000000000550000-0x0000000000560000-memory.dmp	emotet
behavioral2/memory/4764-0-0x0000000000530000-0x0000000000542000-memory.dmp	emotet
behavioral2/memory/4764-7-0x0000000000500000-0x000000000050F000-memory.dmp	emotet
behavioral2/memory/3436-10-0x0000000000640000-0x0000000000652000-memory.dmp	emotet
behavioral2/memory/3436-14-0x0000000000660000-0x0000000000670000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

Processes:

CHxReadingStringIME.exe

pid process

3436 CHxReadingStringIME.exe

Drops file in System32 directory 1 IoCs

Processes:

0466430f1c1b2f8e79de56de6f8c3951_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dpnhpast\CHxReadingStringIME.exe	0466430f1c1b2f8e79de56de6f8c3951_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

CHxReadingStringIME.exe

pid	process
3436	CHxReadingStringIME.exe
3436	CHxReadingStringIME.exe
3436	CHxReadingStringIME.exe
3436	CHxReadingStringIME.exe
3436	CHxReadingStringIME.exe
3436	CHxReadingStringIME.exe
3436	CHxReadingStringIME.exe
3436	CHxReadingStringIME.exe
3436	CHxReadingStringIME.exe
3436	CHxReadingStringIME.exe
3436	CHxReadingStringIME.exe
3436	CHxReadingStringIME.exe
3436	CHxReadingStringIME.exe
3436	CHxReadingStringIME.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

0466430f1c1b2f8e79de56de6f8c3951_JaffaCakes118.exe

pid process

4764 0466430f1c1b2f8e79de56de6f8c3951_JaffaCakes118.exe

pid	process
4764	0466430f1c1b2f8e79de56de6f8c3951_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0466430f1c1b2f8e79de56de6f8c3951_JaffaCakes118.exe

description	pid	process	target process
PID 4764 wrote to memory of 3436	4764	0466430f1c1b2f8e79de56de6f8c3951_JaffaCakes118.exe	CHxReadingStringIME.exe
PID 4764 wrote to memory of 3436	4764	0466430f1c1b2f8e79de56de6f8c3951_JaffaCakes118.exe	CHxReadingStringIME.exe
PID 4764 wrote to memory of 3436	4764	0466430f1c1b2f8e79de56de6f8c3951_JaffaCakes118.exe	CHxReadingStringIME.exe

C:\Users\Admin\AppData\Local\Temp\0466430f1c1b2f8e79de56de6f8c3951_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0466430f1c1b2f8e79de56de6f8c3951_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\dpnhpast\CHxReadingStringIME.exe
"C:\Windows\SysWOW64\dpnhpast\CHxReadingStringIME.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dpnhpast\CHxReadingStringIME.exe
Filesize
667KB

MD5
0466430f1c1b2f8e79de56de6f8c3951

SHA1
754cb7a6699cf7d7bdc90f8b2c05294cb88a493a

SHA256
e5739c955aee483a02dbe225b39e7e6efcc488448dca1008d20961954d6ca54d

SHA512
31ebe5b1f1128c3114f94b92f6902f8aa90710e4e318ee2da8165e4519ad301f8805009d1f8aef7ec4ab1ce425e6ab8749cfb683b2841a2419ce533747593f56

Download Submit
memory/3436-10-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/3436-14-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/4764-5-0x0000000000550000-0x0000000000560000-memory.dmp

Filesize
64KB

Download
memory/4764-0-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/4764-7-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4764-9-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download