emotet | 366ceaeb462097e2b7307c946a7db61915eeede5ed01653de86d18eb827b1fd4

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe
Size

132KB
MD5

559b94a546cc5d78fcccb981cb3f7f91
SHA1

916ea070c175ccbded241741e9b43d1cfc6c86b1
SHA256

366ceaeb462097e2b7307c946a7db61915eeede5ed01653de86d18eb827b1fd4
SHA512

a38052c1aaeb9df89aad0d889df6889c4fd8ac75decf5de6c1100a53a2fbd0da327c6a61a137c96c46dae4d913b75b935fb0afd26221b706eb8ee056a7794caa
SSDEEP

1536:i3jjwvgzuv/qmOZlzfm70X9DwPbtfqY6gw6d2qOYgd1TZfM8381yhzKfRLqznDyX:ajjw/v/E/KYwlVd2kgbNy14zDM0XL6

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exeknownsensor.exeknownsensor.exe

pid	process
4788	559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe
4788	559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe
1940	559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe
1940	559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe
5044	knownsensor.exe
5044	knownsensor.exe
4000	knownsensor.exe
4000	knownsensor.exe
4000	knownsensor.exe
4000	knownsensor.exe
4000	knownsensor.exe
4000	knownsensor.exe
4000	knownsensor.exe
4000	knownsensor.exe
4000	knownsensor.exe
4000	knownsensor.exe
4000	knownsensor.exe
4000	knownsensor.exe
4000	knownsensor.exe
4000	knownsensor.exe
4000	knownsensor.exe
4000	knownsensor.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe

pid process

1940 559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe

pid	process
1940	559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exeknownsensor.exe

description	pid	process	target process
PID 4788 wrote to memory of 1940	4788	559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe	559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe
PID 4788 wrote to memory of 1940	4788	559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe	559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe
PID 4788 wrote to memory of 1940	4788	559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe	559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe
PID 5044 wrote to memory of 4000	5044	knownsensor.exe	knownsensor.exe
PID 5044 wrote to memory of 4000	5044	knownsensor.exe	knownsensor.exe
PID 5044 wrote to memory of 4000	5044	knownsensor.exe	knownsensor.exe

C:\Users\Admin\AppData\Local\Temp\559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\559b94a546cc5d78fcccb981cb3f7f91_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:1940

C:\Windows\SysWOW64\knownsensor.exe
"C:\Windows\SysWOW64\knownsensor.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\knownsensor.exe
"C:\Windows\SysWOW64\knownsensor.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4000

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1940-12-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/1940-30-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/1940-29-0x0000000000220000-0x0000000000243000-memory.dmp

Filesize
140KB

Download
memory/1940-7-0x0000000000790000-0x00000000007A9000-memory.dmp

Filesize
100KB

Download
memory/1940-11-0x0000000000790000-0x00000000007A9000-memory.dmp

Filesize
100KB

Download
memory/1940-13-0x00000000009C0000-0x00000000009E0000-memory.dmp

Filesize
128KB

Download
memory/4000-27-0x0000000000FB0000-0x0000000000FC9000-memory.dmp

Filesize
100KB

Download
memory/4000-31-0x0000000000FB0000-0x0000000000FC9000-memory.dmp

Filesize
100KB

Download
memory/4000-28-0x0000000000FF0000-0x0000000001010000-memory.dmp

Filesize
128KB

Download
memory/4000-26-0x0000000000FD0000-0x0000000000FE9000-memory.dmp

Filesize
100KB

Download
memory/4000-22-0x0000000000FD0000-0x0000000000FE9000-memory.dmp

Filesize
100KB

Download
memory/4788-5-0x0000000001050000-0x0000000001069000-memory.dmp

Filesize
100KB

Download
memory/4788-14-0x0000000001050000-0x0000000001069000-memory.dmp

Filesize
100KB

Download
memory/4788-0-0x0000000001070000-0x0000000001089000-memory.dmp

Filesize
100KB

Download
memory/4788-6-0x0000000001090000-0x00000000010B0000-memory.dmp

Filesize
128KB

Download
memory/4788-4-0x0000000001070000-0x0000000001089000-memory.dmp

Filesize
100KB

Download
memory/5044-20-0x00000000011E0000-0x00000000011F9000-memory.dmp

Filesize
100KB

Download
memory/5044-15-0x0000000001200000-0x0000000001219000-memory.dmp

Filesize
100KB

Download
memory/5044-19-0x0000000001200000-0x0000000001219000-memory.dmp

Filesize
100KB

Download
memory/5044-21-0x0000000001220000-0x0000000001240000-memory.dmp

Filesize
128KB

Download