Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
19-05-2024 10:23
General
-
Target
59eaa74dc01fe6c6c4abc346a4329cc4_JaffaCakes118.exe
-
Size
616KB
-
MD5
59eaa74dc01fe6c6c4abc346a4329cc4
-
SHA1
1a221733c3bd129af88ee522f2be7e69dabbd577
-
SHA256
c31ae55b6b4a2ade8e8cd8b421e733f26e4c690f9f4937ee7b538201467193aa
-
SHA512
05020c4bea8b84ec4e1a8547901e042f84482e7690034d728842b759c86903c55584421df40f58970f455b1fba74ddfa087414fa9598dc4f2eda14adabff7e6c
-
SSDEEP
6144:KNyMUE8JKsa4OQu+/Qj/3XonIgmOUPph8HPcSpoS482U7laNytEm:AypE8JhOQu+IzYnIUUG482p
Malware Config
Extracted
emotet
Epoch2
212.186.191.177:80
91.242.138.5:80
173.13.135.102:80
59.110.18.236:443
45.56.88.91:443
51.68.220.244:8080
206.81.10.215:8080
80.11.163.139:21
182.176.132.213:8090
165.227.156.155:443
118.201.230.249:80
138.201.140.110:8080
46.105.131.87:80
87.106.139.101:8080
24.45.193.161:7080
209.97.168.52:8080
190.12.119.180:443
190.147.215.53:22
191.92.209.110:7080
91.205.215.66:8080
Signatures
-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\59eaa74dc01fe6c6c4abc346a4329cc4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\59eaa74dc01fe6c6c4abc346a4329cc4_JaffaCakes118.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\59eaa74dc01fe6c6c4abc346a4329cc4_JaffaCakes118.exe--22149aa92⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\trnsgroup.exe"C:\Windows\SysWOW64\trnsgroup.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\trnsgroup.exe--333db8922⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\151006038beb3d5e9a4e1db2e6315db6_310807ab-751f-4d81-ae09-b202eaf21e19Filesize
50B
MD52219ed8c4461bbee47dc0ac045013700
SHA1f537ff444a352845422abf004e0087645f903a44
SHA256a2291a4fcb3343cdfad5d198bdc7dd62af09605c264681fa26ed79cecb53c01e
SHA51274026b6cb0f530e6acc0681ac68b990ca68f7baca7244b2954799b3556ee98c88f8d63092863cd391d1851b6e10795f54252da34a5d25da3911779891f8cb822
-
memory/1692-12-0x0000000000E50000-0x0000000000E67000-memory.dmpFilesize
92KB
-
memory/2832-6-0x0000000000620000-0x0000000000637000-memory.dmpFilesize
92KB
-
memory/2832-17-0x0000000000400000-0x000000000049F000-memory.dmpFilesize
636KB
-
memory/4412-19-0x00000000016F0000-0x0000000001707000-memory.dmpFilesize
92KB
-
memory/4912-0-0x00000000007F0000-0x0000000000807000-memory.dmpFilesize
92KB
-
memory/4912-5-0x0000000000640000-0x0000000000651000-memory.dmpFilesize
68KB