emotet | 4c030d093e7906227a44913e20253dcce7c4dba6ed12baddddd5197f70bb5dba

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 12:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

463d1ebc7e2f352249cbc061d2a210e3_JaffaCakes118.exe
Size

544KB
MD5

463d1ebc7e2f352249cbc061d2a210e3
SHA1

9839adb6bd58fcc2f2c32a8d19d04ac7e994b89d
SHA256

4c030d093e7906227a44913e20253dcce7c4dba6ed12baddddd5197f70bb5dba
SHA512

4bb14ef82a8ff25f0907d6c860c08e493b95d8d9e68ea520bb40f6b052315c64087a63999eb70d894c4a48ef37f4ca3533e508b64ce24d307082b26ad2c07774
SSDEEP

6144:1Tp3XYyIMYUTgOBeWoavwiU+yV5g22222222222275WYyk:1Tp3XYBUEOBeGwiUvu5WYyk

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

107.5.122.110:80

199.101.86.6:443

45.55.219.163:443

62.30.7.67:443

185.94.252.104:443

203.117.253.142:80

93.51.50.171:8080

139.130.242.43:80

181.230.116.163:80

37.187.72.193:8080

194.187.133.160:443

167.86.90.214:8080

61.19.246.238:443

98.109.204.230:80

180.92.239.110:8080

121.124.124.40:7080

47.146.117.214:80

110.145.77.103:80

97.82.79.83:80

70.121.172.89:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Executes dropped EXE 1 IoCs

pid	Process
3020	vcamp140.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\AuditPolicyGPInterop\vcamp140.exe	463d1ebc7e2f352249cbc061d2a210e3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3020	vcamp140.exe
3020	vcamp140.exe
3020	vcamp140.exe
3020	vcamp140.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1732	463d1ebc7e2f352249cbc061d2a210e3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1732	463d1ebc7e2f352249cbc061d2a210e3_JaffaCakes118.exe
1732	463d1ebc7e2f352249cbc061d2a210e3_JaffaCakes118.exe
1732	463d1ebc7e2f352249cbc061d2a210e3_JaffaCakes118.exe
3020	vcamp140.exe
3020	vcamp140.exe
3020	vcamp140.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 3020	1732	463d1ebc7e2f352249cbc061d2a210e3_JaffaCakes118.exe	28
PID 1732 wrote to memory of 3020	1732	463d1ebc7e2f352249cbc061d2a210e3_JaffaCakes118.exe	28
PID 1732 wrote to memory of 3020	1732	463d1ebc7e2f352249cbc061d2a210e3_JaffaCakes118.exe	28
PID 1732 wrote to memory of 3020	1732	463d1ebc7e2f352249cbc061d2a210e3_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\463d1ebc7e2f352249cbc061d2a210e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\463d1ebc7e2f352249cbc061d2a210e3_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\AuditPolicyGPInterop\vcamp140.exe
  "C:\Windows\SysWOW64\AuditPolicyGPInterop\vcamp140.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\AuditPolicyGPInterop\vcamp140.exe

Filesize
544KB

MD5
463d1ebc7e2f352249cbc061d2a210e3

SHA1
9839adb6bd58fcc2f2c32a8d19d04ac7e994b89d

SHA256
4c030d093e7906227a44913e20253dcce7c4dba6ed12baddddd5197f70bb5dba

SHA512
4bb14ef82a8ff25f0907d6c860c08e493b95d8d9e68ea520bb40f6b052315c64087a63999eb70d894c4a48ef37f4ca3533e508b64ce24d307082b26ad2c07774

Download Submit
memory/1732-0-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/1732-4-0x00000000003E0000-0x00000000003E9000-memory.dmp

Filesize
36KB

Download
memory/1732-6-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3020-7-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/3020-11-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download