emotet | 840da21273894b4b54d87929cb3212f721b92ba8873926d63e89efcf60fbb9ee

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11e1c95169d816758338917f92b7464d_JaffaCakes118.exe
Size

264KB
MD5

11e1c95169d816758338917f92b7464d
SHA1

26f1b14a177efe540a7168c471b05b4f03f3ae2d
SHA256

840da21273894b4b54d87929cb3212f721b92ba8873926d63e89efcf60fbb9ee
SHA512

86ba1ad2d6b64dc443b96dd2b83bf7d8a3f58a022c13386bf8fadb093aa49a5c39e090f3b1701c5fdd15709f26c060dd5e1d87bbdabb2dc4fb1990e18df22542
SSDEEP

6144:z2Rkl3sTsZzaJsxZqBU9PTyXpuXc5SkY2Bkp3:z2Kl8TsZ2sqWhy149xp

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

74.219.172.26:80

134.209.36.254:8080

104.156.59.7:8080

120.138.30.150:8080

194.187.133.160:443

104.236.246.93:8080

74.208.45.104:8080

78.187.156.31:80

187.161.206.24:80

94.23.216.33:80

172.91.208.86:80

91.211.88.52:7080

50.91.114.38:80

200.123.150.89:443

121.124.124.40:7080

62.75.141.82:80

5.196.74.210:8080

24.137.76.62:80

85.105.205.77:8080

139.130.242.43:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 4 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral2/memory/1888-0-0x0000000002E90000-0x0000000002EA2000-memory.dmp	emotet
behavioral2/memory/1888-4-0x0000000000400000-0x0000000000410000-memory.dmp	emotet
behavioral2/memory/1888-7-0x0000000001380000-0x000000000138F000-memory.dmp	emotet
behavioral2/memory/436-10-0x00000000013C0000-0x00000000013D2000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

Processes:

wmiclnt.exe

pid process

436 wmiclnt.exe

Drops file in System32 directory 1 IoCs

Processes:

11e1c95169d816758338917f92b7464d_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Windows.Media.Protection.PlayReady\wmiclnt.exe	11e1c95169d816758338917f92b7464d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

wmiclnt.exe

pid	process
436	wmiclnt.exe
436	wmiclnt.exe
436	wmiclnt.exe
436	wmiclnt.exe
436	wmiclnt.exe
436	wmiclnt.exe
436	wmiclnt.exe
436	wmiclnt.exe
436	wmiclnt.exe
436	wmiclnt.exe
436	wmiclnt.exe
436	wmiclnt.exe
436	wmiclnt.exe
436	wmiclnt.exe
436	wmiclnt.exe
436	wmiclnt.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

11e1c95169d816758338917f92b7464d_JaffaCakes118.exe

pid process

1888 11e1c95169d816758338917f92b7464d_JaffaCakes118.exe

pid	process
1888	11e1c95169d816758338917f92b7464d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

11e1c95169d816758338917f92b7464d_JaffaCakes118.exe

description	pid	process	target process
PID 1888 wrote to memory of 436	1888	11e1c95169d816758338917f92b7464d_JaffaCakes118.exe	wmiclnt.exe
PID 1888 wrote to memory of 436	1888	11e1c95169d816758338917f92b7464d_JaffaCakes118.exe	wmiclnt.exe
PID 1888 wrote to memory of 436	1888	11e1c95169d816758338917f92b7464d_JaffaCakes118.exe	wmiclnt.exe

C:\Users\Admin\AppData\Local\Temp\11e1c95169d816758338917f92b7464d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11e1c95169d816758338917f92b7464d_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\Windows.Media.Protection.PlayReady\wmiclnt.exe
"C:\Windows\SysWOW64\Windows.Media.Protection.PlayReady\wmiclnt.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Windows.Media.Protection.PlayReady\wmiclnt.exe
Filesize
264KB

MD5
11e1c95169d816758338917f92b7464d

SHA1
26f1b14a177efe540a7168c471b05b4f03f3ae2d

SHA256
840da21273894b4b54d87929cb3212f721b92ba8873926d63e89efcf60fbb9ee

SHA512
86ba1ad2d6b64dc443b96dd2b83bf7d8a3f58a022c13386bf8fadb093aa49a5c39e090f3b1701c5fdd15709f26c060dd5e1d87bbdabb2dc4fb1990e18df22542

Download Submit
memory/436-10-0x00000000013C0000-0x00000000013D2000-memory.dmp

Filesize
72KB

Download
memory/1888-0-0x0000000002E90000-0x0000000002EA2000-memory.dmp

Filesize
72KB

Download
memory/1888-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1888-7-0x0000000001380000-0x000000000138F000-memory.dmp

Filesize
60KB

Download
memory/1888-9-0x0000000000AA0000-0x0000000000AE6000-memory.dmp

Filesize
280KB

Download