Overview

overview

10

Static

static

3

631545bb91...18.exe

windows7-x64

10

631545bb91...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    21-05-2024 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe

  • Size

    551KB

  • MD5

    631545bb910def12263fbd08ad675d6e

  • SHA1

    685fe2a44c4d2d803ec605b1e03ddec3e65e2a19

  • SHA256

    2091a24d7e03980bcd3f18b5a71ca87a93e4f4382810de2ad817086c626d3505

  • SHA512

    fb38ac528a5f53ccb2dde9310f6166a5560e2d4089f2106f48983a49efa9b2ae6574f5385f238aa08b9355a5180004548b210a2459d6b191185b4b0cd7b7fe9e

  • SSDEEP

    12288:JjVeneMEuEB2ZVirlydPUGUuhshCK+NeFxAri6If0LecJDFqs:VcneFJB2irl6UuhzK+NeFxAri6IfmJJq

Score
10/10
emotetepoch1bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

111.119.233.65:80

190.210.184.138:995

51.255.165.160:8080

45.56.79.249:443

163.172.40.218:7080

91.205.215.57:7080

68.183.170.114:8080

190.217.1.149:80

62.75.160.178:8080

200.113.106.18:80

5.196.35.138:7080

89.188.124.145:443

186.23.132.93:990

51.15.8.192:8080

190.38.14.52:80

217.199.160.224:8080

207.154.204.40:8080

142.93.114.137:8080

94.183.71.206:7080

190.104.253.234:990
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Users\Admin\AppData\Local\Temp\631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
      --1971609f
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:1876
  • C:\Windows\SysWOW64\builderconman.exe
    "C:\Windows\SysWOW64\builderconman.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\SysWOW64\builderconman.exe
      --1b0fa829
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2612

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1876-6-0x0000000000300000-0x0000000000317000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1876-16-0x0000000000400000-0x0000000000491000-memory.dmp
    Filesize

    580KB

    Download
  • memory/2256-0-0x00000000002F0000-0x0000000000307000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2256-5-0x00000000002D0000-0x00000000002E1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2528-11-0x0000000000970000-0x0000000000987000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2612-17-0x00000000002C0000-0x00000000002D7000-memory.dmp
    Filesize

    92KB

    Download