emotet | eef75298d2250187ed51441c54d781a2c51405b34c55589137616e472ad6374b

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
Size

160KB
MD5

685babfac7c83e68bd2f77aa0e7fa2c0
SHA1

c76792be2e10d3ad41cbb706a9c0825a5a90b06e
SHA256

eef75298d2250187ed51441c54d781a2c51405b34c55589137616e472ad6374b
SHA512

5f8dd2fe0c09ddd2567b4f245970b0c736ed6849bb3c6a1e7ab6d52131cf25854f9a765d5a880e1686a7fd6a63ae665eacc4edb6459c5c4ce012b37bbea0fc26
SSDEEP

3072:zPAo6GwlcKWN4NcrhwCB9UjFttCclD9k62FHSrL4wudMHTizCWY86bIWLLNrme/L:DAo6GwlcKxcrGC7UIA9EH2BuaiA

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exepolicjersey.exepolicjersey.exe

pid	process
3264	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
3264	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
3892	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
3892	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
3600	policjersey.exe
3600	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe
3928	policjersey.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe

pid process

3892 685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe

pid	process
3892	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exepolicjersey.exe

description	pid	process	target process
PID 3264 wrote to memory of 3892	3264	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
PID 3264 wrote to memory of 3892	3264	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
PID 3264 wrote to memory of 3892	3264	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
PID 3600 wrote to memory of 3928	3600	policjersey.exe	policjersey.exe
PID 3600 wrote to memory of 3928	3600	policjersey.exe	policjersey.exe
PID 3600 wrote to memory of 3928	3600	policjersey.exe	policjersey.exe

C:\Users\Admin\AppData\Local\Temp\685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3264

C:\Users\Admin\AppData\Local\Temp\685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:3892

C:\Windows\SysWOW64\policjersey.exe
"C:\Windows\SysWOW64\policjersey.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SysWOW64\policjersey.exe
"C:\Windows\SysWOW64\policjersey.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3264-11-0x0000000000700000-0x0000000000720000-memory.dmp

Filesize
128KB

Download
memory/3264-10-0x00000000005A0000-0x00000000005BA000-memory.dmp

Filesize
104KB

Download
memory/3264-4-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/3264-0-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/3600-20-0x0000000000900000-0x0000000000920000-memory.dmp

Filesize
128KB

Download
memory/3600-28-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/3600-14-0x00000000005D0000-0x00000000005EA000-memory.dmp

Filesize
104KB

Download
memory/3600-18-0x00000000005D0000-0x00000000005EA000-memory.dmp

Filesize
104KB

Download
memory/3600-19-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/3892-9-0x00000000008D0000-0x00000000008EA000-memory.dmp

Filesize
104KB

Download
memory/3892-5-0x00000000008D0000-0x00000000008EA000-memory.dmp

Filesize
104KB

Download
memory/3892-12-0x00000000006B0000-0x00000000006CA000-memory.dmp

Filesize
104KB

Download
memory/3892-13-0x00000000008F0000-0x0000000000910000-memory.dmp

Filesize
128KB

Download
memory/3892-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3892-30-0x00000000006B0000-0x00000000006CA000-memory.dmp

Filesize
104KB

Download
memory/3928-25-0x0000000000AE0000-0x0000000000AFA000-memory.dmp

Filesize
104KB

Download
memory/3928-21-0x0000000000AE0000-0x0000000000AFA000-memory.dmp

Filesize
104KB

Download
memory/3928-27-0x0000000000B00000-0x0000000000B20000-memory.dmp

Filesize
128KB

Download
memory/3928-26-0x0000000000AC0000-0x0000000000ADA000-memory.dmp

Filesize
104KB

Download
memory/3928-31-0x0000000000AC0000-0x0000000000ADA000-memory.dmp

Filesize
104KB

Download