emotet | 78a7ded4f7911dea5d9df835f6b1063dd3d231e9f859b656a1634d84d630625e

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56bc81878ed511de8382dc7682189a01_JaffaCakes118.exe
Size

66KB
MD5

56bc81878ed511de8382dc7682189a01
SHA1

b887fceeee00e3071b4fe34a262938ca29e4c87a
SHA256

78a7ded4f7911dea5d9df835f6b1063dd3d231e9f859b656a1634d84d630625e
SHA512

2b215c2d5c7de62c9e051ac93a2265fc6123c6dde8f9363bcd5871e02681007fd082305f32a0fb1bcd302a4e5384b251a0eeaa75458f2c300939b04679f7fcf0
SSDEEP

1536:imvvMondlsWeLFKkPoXpkM8yD6aiizM/GpR0gti848l2kircgW9v:fHnlspFKkASCo0xKWHv

Score

10^/10

emotet epoch3 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

187.188.166.192:80

181.197.2.80:443

200.90.86.170:8080

94.177.253.126:80

131.0.103.200:8080

70.32.94.58:8080

185.45.24.254:7080

212.112.113.235:80

157.7.164.178:8081

192.241.220.183:8080

203.99.188.203:990

190.117.206.153:443

120.138.101.250:80

91.109.5.28:8080

186.84.173.153:80

181.47.235.26:993

190.228.212.165:50000

75.154.163.1:8090

203.99.188.11:443

216.70.88.55:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

cyanpartner.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	cyanpartner.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	cyanpartner.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	cyanpartner.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	cyanpartner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

cyanpartner.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	cyanpartner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	cyanpartner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	cyanpartner.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

cyanpartner.exe

pid	process
3740	cyanpartner.exe
3740	cyanpartner.exe
3740	cyanpartner.exe
3740	cyanpartner.exe
3740	cyanpartner.exe
3740	cyanpartner.exe
3740	cyanpartner.exe
3740	cyanpartner.exe
3740	cyanpartner.exe
3740	cyanpartner.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

56bc81878ed511de8382dc7682189a01_JaffaCakes118.exe

pid process

2116 56bc81878ed511de8382dc7682189a01_JaffaCakes118.exe

pid	process
2116	56bc81878ed511de8382dc7682189a01_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

56bc81878ed511de8382dc7682189a01_JaffaCakes118.execyanpartner.exe

description	pid	process	target process
PID 1448 wrote to memory of 2116	1448	56bc81878ed511de8382dc7682189a01_JaffaCakes118.exe	56bc81878ed511de8382dc7682189a01_JaffaCakes118.exe
PID 1448 wrote to memory of 2116	1448	56bc81878ed511de8382dc7682189a01_JaffaCakes118.exe	56bc81878ed511de8382dc7682189a01_JaffaCakes118.exe
PID 1448 wrote to memory of 2116	1448	56bc81878ed511de8382dc7682189a01_JaffaCakes118.exe	56bc81878ed511de8382dc7682189a01_JaffaCakes118.exe
PID 3204 wrote to memory of 3740	3204	cyanpartner.exe	cyanpartner.exe
PID 3204 wrote to memory of 3740	3204	cyanpartner.exe	cyanpartner.exe
PID 3204 wrote to memory of 3740	3204	cyanpartner.exe	cyanpartner.exe

C:\Users\Admin\AppData\Local\Temp\56bc81878ed511de8382dc7682189a01_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56bc81878ed511de8382dc7682189a01_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\56bc81878ed511de8382dc7682189a01_JaffaCakes118.exe
--dda93a62
2⤵
- Suspicious behavior: RenamesItself
PID:2116

C:\Windows\SysWOW64\cyanpartner.exe
"C:\Windows\SysWOW64\cyanpartner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\cyanpartner.exe
--2a1d37db
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:4308

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2116-0-0x00000000002D0000-0x00000000002E7000-memory.dmp

Filesize
92KB

Download