Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-05-2024 01:29

General

  • Target

    43fa6af89d0e87e5945d408b074176d9_JaffaCakes118.exe

  • Size

    508KB

  • MD5

    43fa6af89d0e87e5945d408b074176d9

  • SHA1

    f61b133369ece418073f99480d17c9420279a371

  • SHA256

    1bad8383e219f6c3f2e7aabb956696ec1daf94d2a4e96959fb15c560a9e4416d

  • SHA512

    10ff87422178b65c6c0ab1bfc14c8b72d11c46a996e4fdf6d7f7d9f7b309a1a11d80259033cc824cfabc623f27259f45b3ed758bdebc012bd13c5517d5198311

  • SSDEEP

    6144:cD4tnT+zJou0QgC82pGejtQ930xbYVzv2rsFBViXRn3eoECjb67LnTyKadUQF/yP:He2CbYVz+wWeoECfWyhdX+4W

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43fa6af89d0e87e5945d408b074176d9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\43fa6af89d0e87e5945d408b074176d9_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Users\Admin\AppData\Local\Temp\43fa6af89d0e87e5945d408b074176d9_JaffaCakes118.exe
      --7f639d9a
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:4664
  • C:\Windows\SysWOW64\mailboxrun.exe
    "C:\Windows\SysWOW64\mailboxrun.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\SysWOW64\mailboxrun.exe
      --395626c9
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1192

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/548-11-0x0000000000DC0000-0x0000000000DD7000-memory.dmp

    Filesize

    92KB

  • memory/4072-0-0x00000000022E0000-0x00000000022F7000-memory.dmp

    Filesize

    92KB

  • memory/4072-5-0x00000000022C0000-0x00000000022D1000-memory.dmp

    Filesize

    68KB

  • memory/4664-6-0x0000000002090000-0x00000000020A7000-memory.dmp

    Filesize

    92KB

  • memory/4664-16-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB