emotet | ed4d45ea81b11ef749f9e62fe95543cfc859b746c87e529824b5f8c17476f6a3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe
Size

168KB
MD5

129a61c8b23263cfdf72f551ca5c7229
SHA1

75180c01d4eb822052954b2a1d51746f8d89c93e
SHA256

ed4d45ea81b11ef749f9e62fe95543cfc859b746c87e529824b5f8c17476f6a3
SHA512

8aaafac68507e5dd4c3df143359c8d4fa3432b0252b07d098e3b6d67dceb010b878c781b41e2e4ac754a56e9dc11dcfcbe9fe898cb7de91f2c02dc168d217bed
SSDEEP

1536:r3yCxVaZPMWxILZRH8jdrGIp/HGmMUch7a/bD:7HxVaZ04CRHmhV/mmkdEbD

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

107.5.122.110:80

199.101.86.6:443

45.55.219.163:443

62.30.7.67:443

185.94.252.104:443

203.117.253.142:80

93.51.50.171:8080

139.130.242.43:80

181.230.116.163:80

37.187.72.193:8080

194.187.133.160:443

167.86.90.214:8080

61.19.246.238:443

98.109.204.230:80

180.92.239.110:8080

121.124.124.40:7080

47.146.117.214:80

110.145.77.103:80

97.82.79.83:80

70.121.172.89:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Executes dropped EXE 1 IoCs

Processes:

uReFSv1.exe

pid process

3132 uReFSv1.exe
Drops file in System32 directory 1 IoCs

Processes:

129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\netprovisionsp\uReFSv1.exe 129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\netprovisionsp\uReFSv1.exe	129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

uReFSv1.exe

pid	process
3132	uReFSv1.exe
3132	uReFSv1.exe
3132	uReFSv1.exe
3132	uReFSv1.exe
3132	uReFSv1.exe
3132	uReFSv1.exe
3132	uReFSv1.exe
3132	uReFSv1.exe
3132	uReFSv1.exe
3132	uReFSv1.exe
3132	uReFSv1.exe
3132	uReFSv1.exe
3132	uReFSv1.exe
3132	uReFSv1.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe

pid process

4600 129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exeuReFSv1.exe

pid process

4600 129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe
4600 129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe
3132 uReFSv1.exe
3132 uReFSv1.exe

pid	process
4600	129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe

pid	process
4600	129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe
4600	129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe
3132	uReFSv1.exe
3132	uReFSv1.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe

description	pid	process	target process
PID 4600 wrote to memory of 3132	4600	129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe	uReFSv1.exe
PID 4600 wrote to memory of 3132	4600	129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe	uReFSv1.exe
PID 4600 wrote to memory of 3132	4600	129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe	uReFSv1.exe

C:\Users\Admin\AppData\Local\Temp\129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\129a61c8b23263cfdf72f551ca5c7229_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\SysWOW64\netprovisionsp\uReFSv1.exe
"C:\Windows\SysWOW64\netprovisionsp\uReFSv1.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\netprovisionsp\uReFSv1.exe
Filesize
168KB

MD5
129a61c8b23263cfdf72f551ca5c7229

SHA1
75180c01d4eb822052954b2a1d51746f8d89c93e

SHA256
ed4d45ea81b11ef749f9e62fe95543cfc859b746c87e529824b5f8c17476f6a3

SHA512
8aaafac68507e5dd4c3df143359c8d4fa3432b0252b07d098e3b6d67dceb010b878c781b41e2e4ac754a56e9dc11dcfcbe9fe898cb7de91f2c02dc168d217bed

Download Submit
memory/3132-7-0x00000000026A0000-0x00000000026AC000-memory.dmp

Filesize
48KB

Download
memory/3132-11-0x00000000026A0000-0x00000000026AC000-memory.dmp

Filesize
48KB

Download
memory/4600-0-0x00000000027E0000-0x00000000027EC000-memory.dmp

Filesize
48KB

Download
memory/4600-4-0x0000000002290000-0x0000000002299000-memory.dmp

Filesize
36KB

Download
memory/4600-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download