Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-05-2024 04:38

General

  • Target

    5310e0556834e80ef9eb0bcf278852f5_JaffaCakes118.exe

  • Size

    392KB

  • MD5

    5310e0556834e80ef9eb0bcf278852f5

  • SHA1

    ae1b37fff2da0dd55e3cfe5e60835dc563d34f97

  • SHA256

    5088f9fc000f8c162c58cf6e6c8c2440db33697d1b5edb8da49d6e9e56e50d2e

  • SHA512

    19bb1b37391e0692d7c0cf920eaaecbf9fef58320e14b6c00711abe72090b4edf0556c8038eb3eb44529bf4a3e1eaf0f818b1006572dad626c41f60a126e1a4d

  • SSDEEP

    6144:vQwl8GGD02Q98eFRDtelT6LXdooCXV5DLvmgB76/Sj2tcm5dqa5/sZS:vr8XD0DxDtyQXS5uPUiz5r57

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

50.63.13.135:8080

80.211.32.88:8080

222.239.249.166:443

54.38.94.197:8080

78.46.87.133:8080

191.100.24.201:50000

200.71.112.158:53

212.129.14.27:8080

190.189.79.73:80

176.58.93.123:80

113.52.135.33:7080

161.18.233.114:80

46.17.6.116:8080

192.241.220.183:8080

162.144.46.90:8080

95.216.207.86:7080

95.216.212.157:8080

217.26.163.82:7080

50.116.78.109:8080

142.93.87.198:8080

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS (21 IoCs)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5310e0556834e80ef9eb0bcf278852f5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5310e0556834e80ef9eb0bcf278852f5_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\5310e0556834e80ef9eb0bcf278852f5_JaffaCakes118.exe
      --1d820f75
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:2148
  • C:\Windows\SysWOW64\specialzap.exe
    "C:\Windows\SysWOW64\specialzap.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\SysWOW64\specialzap.exe
      --3b5e58a2
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2256
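
As an added example that is not part of this report or of the sandbox's own tooling, the script below turns the two pieces of evidence above into checks a responder can run offline. It parses the extracted C2 list into validated (ip, port) pairs and flags ports outside the set this Emotet epoch is normally seen using over HTTP (80, 443, 7080, 8080; that expected-port set is my assumption, not something the report states), and it scans process records for the relaunch pattern visible in the tree: the same image re-executed by its parent with a single `--` plus 8-hex-digit argument, labelling whether the image is the initial dropper in Temp or the copy already dropped in SysWOW64. The process records, their field names (pid, ppid, image, args) and the `Proc`/`C2` types are constructed from the tree and config above; the parent PIDs of the two root processes are not shown on the page and are left as None.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# C2 list copied verbatim from the "Malware Config" section of the report.
C2_RAW = """
50.63.13.135:8080
80.211.32.88:8080
222.239.249.166:443
54.38.94.197:8080
78.46.87.133:8080
191.100.24.201:50000
200.71.112.158:53
212.129.14.27:8080
190.189.79.73:80
176.58.93.123:80
113.52.135.33:7080
161.18.233.114:80
46.17.6.116:8080
192.241.220.183:8080
162.144.46.90:8080
95.216.207.86:7080
95.216.212.157:8080
217.26.163.82:7080
50.116.78.109:8080
142.93.87.198:8080
"""

# Ports this epoch is usually seen using for HTTP C2. Triage assumption,
# not a statement from the report: anything else gets flagged for review.
EXPECTED_C2_PORTS = {80, 443, 7080, 8080}


class C2(NamedTuple):
    ip: str
    port: int


def parse_c2_list(raw: str) -> List[C2]:
    """Parse 'ip:port' lines into validated C2 tuples, skipping blank or malformed lines."""
    out: List[C2] = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        try:
            ipaddress.ip_address(host)  # ValueError on anything that is not an IP literal
            port_num = int(port)
        except ValueError:
            continue
        if 0 < port_num < 65536:
            out.append(C2(host, port_num))
    return out


def unusual_ports(c2s: List[C2]) -> List[C2]:
    """Entries on ports outside EXPECTED_C2_PORTS (53 and 50000 in this sample)."""
    return [c for c in c2s if c.port not in EXPECTED_C2_PORTS]


# Relaunch argument shape seen in the process tree: "--" followed by 8 hex digits.
RELAUNCH_ARG = re.compile(r"^--[0-9a-f]{8}$")
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


class Proc(NamedTuple):
    pid: int
    ppid: Optional[int]  # None where the report does not show a parent
    image: str
    args: tuple          # arguments after the image path


# Constructed from the report's process tree (field names are my own).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5310e0556834e80ef9eb0bcf278852f5_JaffaCakes118.exe"
COPY = r"C:\Windows\SysWOW64\specialzap.exe"
PROCS = [
    Proc(2004, None, SAMPLE, ()),
    Proc(2148, 2004, SAMPLE, ("--1d820f75",)),
    Proc(2764, None, COPY, ()),
    Proc(2256, 2764, COPY, ("--3b5e58a2",)),
]


def find_emotet_relaunch(procs: List[Proc]) -> List[dict]:
    """Flag processes whose parent runs the same image and whose only argument
    matches RELAUNCH_ARG; label whether the image is the initial dropper or the
    copy already placed in a system directory."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if len(p.args) != 1 or not RELAUNCH_ARG.match(p.args[0]):
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or parent.image.lower() != p.image.lower():
            continue
        in_sys = p.image.lower().startswith(SYSTEM_DIRS)
        hits.append({"pid": p.pid, "image": p.image,
                     "stage": "persisted_copy" if in_sys else "initial_dropper"})
    return hits


if __name__ == "__main__":
    c2s = parse_c2_list(C2_RAW)
    print(f"{len(c2s)} C2 endpoints; unusual ports: {unusual_ports(c2s)}")
    for h in find_emotet_relaunch(PROCS):
        print(f"pid {h['pid']} {h['stage']}: {h['image']}")
```

Run as-is and it reports the 20 endpoints, the two off-port entries (191.100.24.201:50000 and 200.71.112.158:53) and both relaunches (2148 from Temp, 2256 from SysWOW64). In a real hunt the same four fields come from EDR process-creation events; the parent-image equality check is what keeps the `--<hex>` rule from firing on unrelated tools that happen to take short hex arguments.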

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2004-5-0x00000000003A0000-0x00000000003B1000-memory.dmp

    Filesize

    68KB

  • memory/2004-0-0x00000000003C0000-0x00000000003D7000-memory.dmp

    Filesize

    92KB

  • memory/2148-6-0x0000000000240000-0x0000000000257000-memory.dmp

    Filesize

    92KB

  • memory/2148-16-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/2256-17-0x00000000004F0000-0x0000000000507000-memory.dmp

    Filesize

    92KB

  • memory/2764-11-0x0000000000260000-0x0000000000277000-memory.dmp

    Filesize

    92KB