Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 19:22

General

  • Target

    5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe

  • Size

    416KB

  • MD5

    5b0af3dce15d92a5a7b8a37de83eeaa7

  • SHA1

    6dcd0197106aad03ebb99fe5b48e07030eee313c

  • SHA256

    75d39cde8311668ffaea4a2211eb81690af2cfb39e8407dd73fdac3e1c7cc777

  • SHA512

    6c02ee833a5c348ebf81d00a27de74b727055636da4fb8cda0fbcc7f81d8627731c7af22842cb80b061f233d2f29791b1c1342c95d6fce611c7f5d28a7a4be61

  • SSDEEP

    6144:BL0ofRj4RzQF/zpWDdnXrZ+S7fSShT7bh1XhtGpmjc95bTYDbpaX:BLVRsRzQDWDxZ+gf17bh1XEm4ffobpaX

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

178.153.91.22:80

92.17.138.248:80

114.183.140.94:80

172.105.213.30:80

69.30.205.162:7080

50.63.13.135:8080

192.161.190.171:8080

210.111.160.220:80

181.44.166.242:80

41.218.118.66:80

46.17.6.116:8080

142.93.87.198:8080

113.52.135.33:7080

187.177.155.123:990

172.90.70.168:443

198.57.217.170:8080

123.142.37.165:80

95.216.212.157:8080

187.250.92.82:80

216.75.37.196:8080

rsa_pubkey.plain
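
The C2 list above is the actionable part of the extracted config. The following is an added example (not part of the sandbox output) that parses that list into (ip, port) pairs and matches them against connection records. The C2 entries are copied verbatim from the report; the Zeek-style conn.log lines are constructed for the example, as is the 10.0.0.0/8 client addressing.

```python
"""
Match observed network connections against the Emotet Epoch3 C2 list above.
The C2 entries are the report's; the conn.log lines are constructed sample data.
"""
import ipaddress
import re

# C2 list as reported under "Malware Config" (ip:port, one per line).
REPORT_C2 = """
178.153.91.22:80
92.17.138.248:80
114.183.140.94:80
172.105.213.30:80
69.30.205.162:7080
50.63.13.135:8080
192.161.190.171:8080
210.111.160.220:80
181.44.166.242:80
41.218.118.66:80
46.17.6.116:8080
142.93.87.198:8080
113.52.135.33:7080
187.177.155.123:990
172.90.70.168:443
198.57.217.170:8080
123.142.37.165:80
95.216.212.157:8080
187.250.92.82:80
216.75.37.196:8080
"""

C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_c2_list(text):
    """Return a set of (ip, port) tuples; malformed lines are skipped."""
    c2 = set()
    for line in text.splitlines():
        m = C2_RE.match(line.strip())
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        c2.add((ip, port))
    return c2


# Constructed Zeek-style conn.log lines (tab separated):
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
SAMPLE_CONN_LOG = """\
1716146541.123\t10.0.0.25\t49211\t178.153.91.22\t80\ttcp
1716146542.456\t10.0.0.25\t49212\t93.184.216.34\t443\ttcp
1716146543.789\t10.0.0.25\t49213\t187.177.155.123\t990\ttcp
1716146544.012\t10.0.0.31\t51022\t69.30.205.162\t7080\ttcp
1716146545.345\t10.0.0.31\t51023\t69.30.205.162\t80\ttcp
"""


def match_connections(log_text, c2):
    """Return (orig_h, resp_h, resp_p, reason) for each line that hits the C2 set.

    An exact ip:port match is a firm hit. A connection to a listed host on a
    port that is not listed is reported separately so the analyst can review it
    rather than silently dropping it.
    """
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        orig_h, resp_h, resp_p = fields[1], fields[3], int(fields[4])
        if (resp_h, resp_p) in c2:
            hits.append((orig_h, resp_h, resp_p, "c2 ip:port"))
        elif resp_h in c2_ips:
            hits.append((orig_h, resp_h, resp_p, "c2 ip, unlisted port"))
    return hits


if __name__ == "__main__":
    for hit in match_connections(SAMPLE_CONN_LOG, parse_c2_list(REPORT_C2)):
        print(hit)
```

Non-standard ports such as 7080 and 990 in the list are worth a second look in egress logs, since they are unlikely to be legitimate web traffic from a workstation.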

Signatures

  • Emotet

    Emotet is a modular trojan and malware loader, primarily spread through spam emails carrying malicious attachments or links.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Local\Temp\5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe
      --ba70c300
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:2864
  • C:\Windows\SysWOW64\mailboxxcl.exe
    "C:\Windows\SysWOW64\mailboxxcl.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\SysWOW64\mailboxxcl.exe
      --2760295f
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2512
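
The process tree shows the sample's install pattern: the dropped copy runs from C:\Windows\SysWOW64 under a random name (mailboxxcl.exe), and each stage relaunches its own image with a single "--" followed by eight hex digits. The following is an added example (not sandbox output) of scoring process-creation events for that pattern. The PIDs and image paths are taken from the tree above; the full command lines, the parent of mailboxxcl.exe (assumed here to be services.exe, which the report does not state) and the benign svchost.exe event are constructed.

```python
"""
Score Sysmon-style process creation events for the self-relaunch pattern seen
in the tree above. Event records are constructed sample data.
"""
import ntpath
import re

HEX_ARG = re.compile(r"^--[0-9a-f]{8}$", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
WIN_ARG = re.compile(r'"[^"]*"|\S+')

TMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe"
SYS_EXE = r"C:\Windows\SysWOW64\mailboxxcl.exe"

# Constructed events (fields modelled on Sysmon EventID 1).
EVENTS = [
    {"pid": 1688, "image": TMP_EXE, "cmdline": '"%s"' % TMP_EXE,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 2864, "image": TMP_EXE, "cmdline": '"%s" --ba70c300' % TMP_EXE,
     "parent_image": TMP_EXE},
    {"pid": 2616, "image": SYS_EXE, "cmdline": '"%s"' % SYS_EXE,
     "parent_image": r"C:\Windows\System32\services.exe"},   # parent assumed
    {"pid": 2512, "image": SYS_EXE, "cmdline": '"%s" --2760295f' % SYS_EXE,
     "parent_image": SYS_EXE},
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe",               # benign control
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "parent_image": r"C:\Windows\System32\services.exe"},
]


def split_cmdline(cmdline):
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    return [a.strip('"') for a in WIN_ARG.findall(cmdline)]


def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    args = split_cmdline(ev["cmdline"])
    if len(args) == 2 and HEX_ARG.match(args[1]):
        reasons.append("single --<8 hex> argument")
    if ntpath.basename(ev["image"]).lower() == ntpath.basename(ev["parent_image"]).lower():
        reasons.append("spawned by its own image")
    if ev["image"].lower().startswith(SYSTEM_DIRS):
        reasons.append("runs from a system directory")
    return len(reasons), reasons


def detect(events, threshold=2):
    """Return {pid: reasons} for events whose score reaches the threshold."""
    flagged = {}
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged[ev["pid"]] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS).items():
        print(pid, "; ".join(reasons))
```

The threshold of two keeps "runs from a system directory" from flagging every service host on its own; the hex argument plus self-spawn is what separates the two child processes in the tree from normal activity.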

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1688-5-0x0000000000220000-0x0000000000231000-memory.dmp

    Filesize

    68KB

  • memory/1688-0-0x0000000000240000-0x0000000000257000-memory.dmp

    Filesize

    92KB

  • memory/2512-18-0x00000000004F0000-0x0000000000507000-memory.dmp

    Filesize

    92KB

  • memory/2616-11-0x0000000000350000-0x0000000000367000-memory.dmp

    Filesize

    92KB

  • memory/2864-16-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB
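
The dump names above encode the process and the address range that was dumped. The 432KB region at 0x400000 in PID 2864 has the size and base of a mapped executable; the 68KB and 92KB regions are smaller allocations. The following is an added example (not sandbox output) that parses those names and checks a dump for a PE header whose ImageBase and SizeOfImage match the region. The dump contents are constructed by build_fake_pe() and are not the report's files.

```python
"""
Triage a memory dump: parse the range from its name, look for a PE header in
the bytes, and compare ImageBase/SizeOfImage with the dumped range.
Dump contents are constructed sample data.
"""
import re
import struct

DUMP_NAME = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Return (pid, start, end) from a dump name of the form used in this report."""
    m = DUMP_NAME.search(name)
    if not m:
        raise ValueError("unrecognised dump name: %s" % name)
    return int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)


def find_pe_headers(blob):
    """Return (offset, image_base, size_of_image, entry_rva) for each PE header in blob."""
    found = []
    for m in re.finditer(b"MZ", blob):
        off = m.start()
        if off + 0x40 > len(blob):
            break
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
        nt = off + e_lfanew
        # need signature (4) + file header (20) + optional header up to SizeOfImage (60)
        if e_lfanew > 0x1000 or nt + 24 + 64 > len(blob):
            continue
        if blob[nt:nt + 4] != b"PE\0\0":
            continue
        opt = nt + 24
        magic = struct.unpack_from("<H", blob, opt)[0]
        if magic == 0x10B:        # PE32: ImageBase is a DWORD at +28
            image_base = struct.unpack_from("<I", blob, opt + 28)[0]
        elif magic == 0x20B:      # PE32+: ImageBase is a QWORD at +24
            image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
        else:
            continue
        entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
        size_of_image = struct.unpack_from("<I", blob, opt + 56)[0]
        found.append((off, image_base, size_of_image, entry_rva))
    return found


def classify_dump(name, blob):
    """Return a short verdict comparing the dumped range with any PE header found."""
    _pid, start, end = parse_dump_name(name)
    for off, base, size, _ in find_pe_headers(blob):
        if off == 0 and base == start and size == end - start:
            return "mapped image: ImageBase and SizeOfImage match region"
        if off == 0 and size == end - start:
            return "mapped image relocated from 0x%x" % base
        return "embedded PE at offset 0x%x" % off
    return "no PE header: raw code/data region"


def build_fake_pe(image_base, size_of_image, pe32plus=False):
    """Construct a minimal PE32/PE32+ header (test data only, not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(0xF0 if pe32plus else 0xE0)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 16, 0x1000)          # AddressOfEntryPoint
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    name = "memory/2864-16-0x0000000000400000-0x000000000046C000-memory.dmp"
    print(classify_dump(name, build_fake_pe(0x400000, 0x6C000)))
```

A dump whose range matches the header is the unpacked image and can be handed to a PE parser after fixing section alignment; a region with no header is typically injected code or decrypted data and is better examined with strings and a disassembler.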