Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    21-05-2024 23:39

General

  • Target

    65368ea5adaeeca3a9f75efdeebc466d_JaffaCakes118.exe

  • Size

    336KB

  • MD5

    65368ea5adaeeca3a9f75efdeebc466d

  • SHA1

    b8e18a8852931c4a6fb9053d50c1a3fe82a9b5db

  • SHA256

    1f0a680d6371c881837f94db5b603571c510c8eaea511e77498427eae944420e

  • SHA512

    206e28a45de716054b852f2defe5adc2b7f4fa032545b8ccc2c6511848a83949c86e45d4d467f7b7a83f05370c0191f4fec55f4e165a89373d6f724e66ff60b1

  • SSDEEP

    6144:G6RABINtOofnGFxg9930Rgr35LvHdv9ZObVSa6frUnPzwT:GyABIN8oIg9FPvOGYnPA

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

152.170.108.99:443

99.252.27.6:80

93.148.252.90:80

96.126.121.64:443

104.236.137.72:8080

85.234.143.94:8080

80.85.87.122:8080

2.139.158.136:443

80.11.158.65:8080

79.31.85.103:80

77.55.211.77:8080

96.61.113.203:80

181.198.203.45:443

142.93.114.137:8080

186.15.83.52:8080

181.36.42.205:443

68.183.190.199:8080

159.203.204.126:8080

50.28.51.143:8080

46.101.212.195:8080

rsa_pubkey.plain
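The C2 list above is only useful once it is checked against real traffic. The following Python script is an added example, not part of the sandbox report: it parses the extracted Epoch1 endpoints into an IP-to-port map and scans a constructed connection log (the log lines, the `src -> dst` format and the private source addresses are assumptions for illustration). An exact IP:port match is a strong hit; an IP-only match on a port the config does not list is weaker but still worth triage.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# C2 endpoints copied from the extracted Emotet (Epoch1) config above.
C2_RAW = """
152.170.108.99:443
99.252.27.6:80
93.148.252.90:80
96.126.121.64:443
104.236.137.72:8080
85.234.143.94:8080
80.85.87.122:8080
2.139.158.136:443
80.11.158.65:8080
79.31.85.103:80
77.55.211.77:8080
96.61.113.203:80
181.198.203.45:443
142.93.114.137:8080
186.15.83.52:8080
181.36.42.205:443
68.183.190.199:8080
159.203.204.126:8080
50.28.51.143:8080
46.101.212.195:8080
"""


def parse_c2(raw: str) -> Dict[str, Set[int]]:
    """Map each C2 IP to the set of ports the config lists for it."""
    c2: Dict[str, Set[int]] = {}
    for line in raw.strip().splitlines():
        host, _, port = line.strip().rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError on a malformed entry
        c2.setdefault(host, set()).add(int(port))
    return c2


# Constructed sample connection records (not from the report), one per line:
# "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_CONN_LOG = """\
2024-05-21T23:40:01Z 10.0.0.15:49731 -> 104.236.137.72:8080 tcp
2024-05-21T23:40:02Z 10.0.0.15:49732 -> 8.8.8.8:53 udp
2024-05-21T23:40:05Z 10.0.0.22:51002 -> 152.170.108.99:8443 tcp
2024-05-21T23:40:09Z 10.0.0.15:49733 -> 2.139.158.136:443 tcp
"""

CONN_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def match_c2(log_text: str, c2: Dict[str, Set[int]]) -> List[Tuple[str, str, str, int, str]]:
    """Return (timestamp, src_ip, dst_ip, dst_port, verdict) for every record
    whose destination IP is a configured C2. 'exact' means IP and port both
    match the config; 'ip-only' means the IP matches on an unlisted port."""
    hits: List[Tuple[str, str, str, int, str]] = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts, src, _sport, dst, dport, _proto = m.groups()
        if dst in c2:
            verdict = "exact" if int(dport) in c2[dst] else "ip-only"
            hits.append((ts, src, dst, int(dport), verdict))
    return hits


if __name__ == "__main__":
    for hit in match_c2(SAMPLE_CONN_LOG, parse_c2(C2_RAW)):
        print(hit)
```

Swap `SAMPLE_CONN_LOG` for the contents of a real proxy or NetFlow export (adjusting `CONN_RE` to its column layout) to sweep an environment for contact with this botnet's infrastructure.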

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65368ea5adaeeca3a9f75efdeebc466d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\65368ea5adaeeca3a9f75efdeebc466d_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\AppData\Local\Temp\65368ea5adaeeca3a9f75efdeebc466d_JaffaCakes118.exe
      --1f55312e
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:1628
  • C:\Windows\SysWOW64\trnsgroup.exe
    "C:\Windows\SysWOW64\trnsgroup.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Windows\SysWOW64\trnsgroup.exe
      --333db892
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2912
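Both stages in the tree above follow the same shape: a process starts a second copy of its own image with a single `--<8 hex digits>` argument, first from the user's Temp directory and then from `C:\Windows\SysWOW64\trnsgroup.exe`. The following Python script is an added example, not part of the sandbox report: it runs that self-relaunch rule over constructed process-creation events modelled on the tree (PIDs, paths and command lines taken from the tree; the parent PID 1000, the `ProcEvent` field layout and the notepad.exe negative case are assumptions).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Command-line shape seen in the process tree: the image path (quoted or not)
# followed by exactly one "--" plus eight lowercase hex digits.
RELAUNCH_ARG = re.compile(r'^"?(?P<image>[^"]+\.exe)"?\s+--(?P<tag>[0-9a-f]{8})$')
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
TEMP_HINT = "\\appdata\\local\\temp\\"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Alert:
    pid: int
    severity: str
    reason: str


# Constructed process-creation events (ppid 1000 is an assumed launcher;
# the notepad event is a benign negative case not present in the report).
SAMPLE_EVENTS = [
    ProcEvent(1556, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\65368ea5adaeeca3a9f75efdeebc466d_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\65368ea5adaeeca3a9f75efdeebc466d_JaffaCakes118.exe"'),
    ProcEvent(1628, 1556,
              r"C:\Users\Admin\AppData\Local\Temp\65368ea5adaeeca3a9f75efdeebc466d_JaffaCakes118.exe",
              r"C:\Users\Admin\AppData\Local\Temp\65368ea5adaeeca3a9f75efdeebc466d_JaffaCakes118.exe --1f55312e"),
    ProcEvent(1560, 1000, r"C:\Windows\SysWOW64\trnsgroup.exe",
              r'"C:\Windows\SysWOW64\trnsgroup.exe"'),
    ProcEvent(2912, 1560, r"C:\Windows\SysWOW64\trnsgroup.exe",
              r"C:\Windows\SysWOW64\trnsgroup.exe --333db892"),
    ProcEvent(3100, 1000, r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'),
]


def detect_self_relaunch(events: List[ProcEvent]) -> List[Alert]:
    """Flag a process that (a) was started by a parent running the same image
    and (b) carries exactly one '--<8 hex>' argument. Severity is raised when
    the image sits under SysWOW64/System32, because a freshly written binary
    relaunching itself from there matches the second stage of the tree."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[Alert] = []
    for ev in events:
        m = RELAUNCH_ARG.match(ev.cmdline)
        parent: Optional[ProcEvent] = by_pid.get(ev.ppid)
        if not m or parent is None:
            continue  # no hex tag, or parent not in the event window
        if parent.image.lower() != ev.image.lower():
            continue  # only the self-relaunch pattern is of interest here
        img = ev.image.lower()
        if img.startswith(SYSTEM_DIRS):
            alerts.append(Alert(ev.pid, "high",
                                f"self-relaunch with --{m['tag']} from a system directory"))
        elif TEMP_HINT in img:
            alerts.append(Alert(ev.pid, "medium",
                                f"self-relaunch with --{m['tag']} from a user temp directory"))
        else:
            alerts.append(Alert(ev.pid, "low", f"self-relaunch with --{m['tag']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_self_relaunch(SAMPLE_EVENTS):
        print(alert)
```

Feed it Sysmon Event ID 1 or EDR process-creation records mapped onto `ProcEvent`; the parent-image comparison is what separates this pattern from ordinary installers that pass opaque arguments to a different helper binary.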

Network

MITRE ATT&CK Matrix ATT&CK v13

Downloads

  • memory/1556-0-0x0000000000350000-0x0000000000367000-memory.dmp
    Filesize

    92KB

  • memory/1560-10-0x0000000000260000-0x0000000000277000-memory.dmp
    Filesize

    92KB

  • memory/1628-5-0x00000000002F0000-0x0000000000307000-memory.dmp
    Filesize

    92KB

  • memory/1628-15-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize

    348KB

  • memory/2912-16-0x00000000003B0000-0x00000000003C7000-memory.dmp
    Filesize

    92KB