emotet | aef15cb2d8a55d05eaad934ed73489e6411562f279efeaf604fb63fc2b957c6a

Analysis

max time kernel
134s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe
Size

532KB
MD5

1880a72494233fc8cf703e4083d88444
SHA1

b60166a5ecc885bfb5499703f10a8ffe02330ef7
SHA256

aef15cb2d8a55d05eaad934ed73489e6411562f279efeaf604fb63fc2b957c6a
SHA512

f01a70ed0d02b99dadf3c658678aafc19acc894c2a454a3df426222b9a59d5d99f3fbf09dacebe4d7f653daa3025ef3cdc18176c784bac0e368fd026aae833e1
SSDEEP

6144:1i3lLwdGzHnKSl+hwWu2e8ODcJ0Lv3paCgvgMdyv:1ewYzHKSRWdefDceId

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

94.205.247.10:80

86.22.221.170:80

85.25.255.207:8080

185.94.252.13:443

94.177.216.217:8080

186.4.172.5:20

198.199.114.69:8080

45.33.49.124:443

200.71.148.138:8080

24.45.195.162:7080

136.243.177.26:8080

95.128.43.213:8080

182.176.132.213:8090

190.228.72.244:53

152.89.236.214:8080

27.4.80.183:443

78.24.219.147:8080

62.75.187.192:8080

67.225.229.55:8080

83.136.245.190:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

pagesddl.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	pagesddl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	pagesddl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	pagesddl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	pagesddl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

pagesddl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	pagesddl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	pagesddl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	pagesddl.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

pagesddl.exe

pid	process
4468	pagesddl.exe
4468	pagesddl.exe
4468	pagesddl.exe
4468	pagesddl.exe
4468	pagesddl.exe
4468	pagesddl.exe
4468	pagesddl.exe
4468	pagesddl.exe
4468	pagesddl.exe
4468	pagesddl.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe

pid process

3920 1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe

pid	process
3920	1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe1880a72494233fc8cf703e4083d88444_JaffaCakes118.exepagesddl.exepagesddl.exe

pid	process
1508	1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe
1508	1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe
3920	1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe
3920	1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe
368	pagesddl.exe
368	pagesddl.exe
4468	pagesddl.exe
4468	pagesddl.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1880a72494233fc8cf703e4083d88444_JaffaCakes118.exepagesddl.exe

description	pid	process	target process
PID 1508 wrote to memory of 3920	1508	1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe	1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe
PID 1508 wrote to memory of 3920	1508	1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe	1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe
PID 1508 wrote to memory of 3920	1508	1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe	1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe
PID 368 wrote to memory of 4468	368	pagesddl.exe	pagesddl.exe
PID 368 wrote to memory of 4468	368	pagesddl.exe	pagesddl.exe
PID 368 wrote to memory of 4468	368	pagesddl.exe	pagesddl.exe

C:\Users\Admin\AppData\Local\Temp\1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\1880a72494233fc8cf703e4083d88444_JaffaCakes118.exe
  --1f92175c
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  PID:3920

C:\Windows\SysWOW64\pagesddl.exe
"C:\Windows\SysWOW64\pagesddl.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\pagesddl.exe
  --dfbf157a
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/368-11-0x0000000000F40000-0x0000000000F54000-memory.dmp

Filesize
80KB

Download
memory/1508-0-0x00000000022B0000-0x00000000022C4000-memory.dmp

Filesize
80KB

Download
memory/1508-5-0x0000000002200000-0x000000000220F000-memory.dmp

Filesize
60KB

Download
memory/3920-6-0x0000000002250000-0x0000000002264000-memory.dmp

Filesize
80KB

Download
memory/3920-16-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4468-17-0x0000000000D80000-0x0000000000D94000-memory.dmp

Filesize
80KB

Download