emotet | 412d5f1887c34fe7ee92a3fa9328c6003edfd345ad9020f1aed42a4a81341e37

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 08:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11f20e9364ef5099187b3445629888d3_JaffaCakes118.exe
Size

448KB
MD5

11f20e9364ef5099187b3445629888d3
SHA1

6ba5298ae64dccbd30a17c915428038ab67f1988
SHA256

412d5f1887c34fe7ee92a3fa9328c6003edfd345ad9020f1aed42a4a81341e37
SHA512

6cbddbfad98904d5681ce509ccc1559a5977d43b90c96d2d617d46b6864a94cbd91303df83acd5073944dd3042377fe55325da9e3955d982697c8b02a81436d1
SSDEEP

3072:zt17ybOENdXAMKz+3LxbGp9uRFCv1VvQia23Q80nOgNo:2bOEnXATzoNTrCvnQ+QZOgm

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3348	11f20e9364ef5099187b3445629888d3_JaffaCakes118.exe
3348	11f20e9364ef5099187b3445629888d3_JaffaCakes118.exe
2564	11f20e9364ef5099187b3445629888d3_JaffaCakes118.exe
2564	11f20e9364ef5099187b3445629888d3_JaffaCakes118.exe
4308	usbccidext.exe
4308	usbccidext.exe
5016	usbccidext.exe
5016	usbccidext.exe
5016	usbccidext.exe
5016	usbccidext.exe
5016	usbccidext.exe
5016	usbccidext.exe
5016	usbccidext.exe
5016	usbccidext.exe
5016	usbccidext.exe
5016	usbccidext.exe
5016	usbccidext.exe
5016	usbccidext.exe
5016	usbccidext.exe
5016	usbccidext.exe
5016	usbccidext.exe
5016	usbccidext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2564	11f20e9364ef5099187b3445629888d3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 2564	3348	11f20e9364ef5099187b3445629888d3_JaffaCakes118.exe	82
PID 3348 wrote to memory of 2564	3348	11f20e9364ef5099187b3445629888d3_JaffaCakes118.exe	82
PID 3348 wrote to memory of 2564	3348	11f20e9364ef5099187b3445629888d3_JaffaCakes118.exe	82
PID 4308 wrote to memory of 5016	4308	usbccidext.exe	94
PID 4308 wrote to memory of 5016	4308	usbccidext.exe	94
PID 4308 wrote to memory of 5016	4308	usbccidext.exe	94

C:\Users\Admin\AppData\Local\Temp\11f20e9364ef5099187b3445629888d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11f20e9364ef5099187b3445629888d3_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Users\Admin\AppData\Local\Temp\11f20e9364ef5099187b3445629888d3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\11f20e9364ef5099187b3445629888d3_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:2564

C:\Windows\SysWOW64\usbccidext.exe
"C:\Windows\SysWOW64\usbccidext.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\usbccidext.exe
  "C:\Windows\SysWOW64\usbccidext.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2564-28-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2564-11-0x0000000000720000-0x0000000000739000-memory.dmp

Filesize
100KB

Download
memory/2564-7-0x0000000000720000-0x0000000000739000-memory.dmp

Filesize
100KB

Download
memory/2564-12-0x0000000000700000-0x0000000000719000-memory.dmp

Filesize
100KB

Download
memory/2564-13-0x0000000000740000-0x0000000000750000-memory.dmp

Filesize
64KB

Download
memory/2564-29-0x0000000000700000-0x0000000000719000-memory.dmp

Filesize
100KB

Download
memory/3348-6-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/3348-5-0x00000000021F0000-0x0000000002209000-memory.dmp

Filesize
100KB

Download
memory/3348-0-0x0000000002210000-0x0000000002229000-memory.dmp

Filesize
100KB

Download
memory/3348-4-0x0000000002210000-0x0000000002229000-memory.dmp

Filesize
100KB

Download
memory/4308-18-0x0000000000D90000-0x0000000000DA9000-memory.dmp

Filesize
100KB

Download
memory/4308-20-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/4308-19-0x0000000000D70000-0x0000000000D89000-memory.dmp

Filesize
100KB

Download
memory/4308-14-0x0000000000D90000-0x0000000000DA9000-memory.dmp

Filesize
100KB

Download
memory/5016-21-0x0000000000ED0000-0x0000000000EE9000-memory.dmp

Filesize
100KB

Download
memory/5016-26-0x0000000000640000-0x0000000000659000-memory.dmp

Filesize
100KB

Download
memory/5016-27-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/5016-25-0x0000000000ED0000-0x0000000000EE9000-memory.dmp

Filesize
100KB

Download
memory/5016-30-0x0000000000640000-0x0000000000659000-memory.dmp

Filesize
100KB

Download