Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-05-2024 00:43

General

  • Target

    48ca3d54b752396dfab5057ceb6c1c02_JaffaCakes118.exe

  • Size

    112KB

  • MD5

    48ca3d54b752396dfab5057ceb6c1c02

  • SHA1

    fc37209c11898a1ee4c9476ca384ad502e6cf275

  • SHA256

    2c88c1f457469f4a847598236b0d04ffd7709b2f724ee61431802793d4c358e6

  • SHA512

    a7fd1f7828f48c9b90440e72a7934470ab9145d5852df4dfb3c1d69af2a36243b62197950769c4ee9461f45dc100dff46c9fbe67cd8857c7ff3af72333cb74a7

  • SSDEEP

    1536:9q5eCd4YrxDPUyUUt1inqJqbOlb8Z6J+hMsRwdOddGdhNhV/EsDzQ2zFK:bC+YayUUt4qJqyh++fdThpEWQcg

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

91.105.94.200:80

51.38.124.206:80

38.88.126.202:8080

54.37.42.48:8080

189.2.177.210:443

181.30.61.163:443

185.178.10.77:80

199.203.62.165:80

177.73.0.98:443

87.106.46.107:8080

5.196.35.138:7080

5.189.178.202:8080

185.183.16.47:80

78.249.119.122:80

191.182.6.118:80

96.227.52.8:443

186.103.141.250:443

50.28.51.143:8080

111.67.12.221:8080

50.121.220.50:80

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet payload 5 IoCs

    Detects Emotet payload in memory.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48ca3d54b752396dfab5057ceb6c1c02_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\48ca3d54b752396dfab5057ceb6c1c02_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3728
    • C:\Windows\SysWOW64\ARP\objsel.exe
      "C:\Windows\SysWOW64\ARP\objsel.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3400

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\ARP\objsel.exe

    Filesize

    112KB

    MD5

    48ca3d54b752396dfab5057ceb6c1c02

    SHA1

    fc37209c11898a1ee4c9476ca384ad502e6cf275

    SHA256

    2c88c1f457469f4a847598236b0d04ffd7709b2f724ee61431802793d4c358e6

    SHA512

    a7fd1f7828f48c9b90440e72a7934470ab9145d5852df4dfb3c1d69af2a36243b62197950769c4ee9461f45dc100dff46c9fbe67cd8857c7ff3af72333cb74a7

  • memory/3400-14-0x00000000004A0000-0x00000000004B0000-memory.dmp

    Filesize

    64KB

  • memory/3400-10-0x00000000005E0000-0x00000000005F2000-memory.dmp

    Filesize

    72KB

  • memory/3728-4-0x00000000005E0000-0x00000000005F0000-memory.dmp

    Filesize

    64KB

  • memory/3728-0-0x00000000005C0000-0x00000000005D2000-memory.dmp

    Filesize

    72KB

  • memory/3728-7-0x00000000004D0000-0x00000000004DF000-memory.dmp

    Filesize

    60KB

  • memory/3728-8-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB