emotet | 392b1e9b1d943bf15c0668b0494fdb1a23eb57f44e0afae26ebcf9ed356528e4

Analysis

max time kernel
133s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe
Size

120KB
MD5

6c757d678105b9c79e56aeae552871b2
SHA1

53e9563337201cef300c192de8fc9c20688e6d69
SHA256

392b1e9b1d943bf15c0668b0494fdb1a23eb57f44e0afae26ebcf9ed356528e4
SHA512

30711d53941c43ab17f51eec1171542013899382b53e4e5c32e81cd46925be35fc4eae58fa1e41ff27db1fe3c6a0289332a58cb6b9738e655ac2cdb0dd4c85c6
SSDEEP

1536:hh+VKbz74iVTtbnEQhhSqklN4oyk2tO+ELlDStvvztFTzmcK:hhTHMi/EQORlyk28J2dvZN5K

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exeboostrule.exeboostrule.exe

pid	process
2892	6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe
2892	6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe
2104	6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe
2104	6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe
3184	boostrule.exe
3184	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe
2056	boostrule.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe

pid process

2104 6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe

pid	process
2104	6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exeboostrule.exe

description	pid	process	target process
PID 2892 wrote to memory of 2104	2892	6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe	6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe
PID 2892 wrote to memory of 2104	2892	6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe	6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe
PID 2892 wrote to memory of 2104	2892	6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe	6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe
PID 3184 wrote to memory of 2056	3184	boostrule.exe	boostrule.exe
PID 3184 wrote to memory of 2056	3184	boostrule.exe	boostrule.exe
PID 3184 wrote to memory of 2056	3184	boostrule.exe	boostrule.exe

C:\Users\Admin\AppData\Local\Temp\6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6c757d678105b9c79e56aeae552871b2_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2104

C:\Windows\SysWOW64\boostrule.exe
"C:\Windows\SysWOW64\boostrule.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\boostrule.exe
"C:\Windows\SysWOW64\boostrule.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2056-23-0x00000000006F0000-0x0000000000708000-memory.dmp

Filesize
96KB

Download
memory/2056-26-0x0000000000590000-0x00000000005A7000-memory.dmp

Filesize
92KB

Download
memory/2056-18-0x00000000005B0000-0x00000000005C7000-memory.dmp

Filesize
92KB

Download
memory/2056-22-0x0000000000590000-0x00000000005A7000-memory.dmp

Filesize
92KB

Download
memory/2104-11-0x0000000000A20000-0x0000000000A38000-memory.dmp

Filesize
96KB

Download
memory/2104-10-0x00000000006E0000-0x00000000006F7000-memory.dmp

Filesize
92KB

Download
memory/2104-25-0x00000000006E0000-0x00000000006F7000-memory.dmp

Filesize
92KB

Download
memory/2104-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2892-0-0x0000000000A00000-0x0000000000A17000-memory.dmp

Filesize
92KB

Download
memory/2892-4-0x00000000009E0000-0x00000000009F7000-memory.dmp

Filesize
92KB

Download
memory/2892-5-0x0000000000A20000-0x0000000000A38000-memory.dmp

Filesize
96KB

Download
memory/3184-12-0x0000000000D30000-0x0000000000D47000-memory.dmp

Filesize
92KB

Download
memory/3184-17-0x0000000000D50000-0x0000000000D68000-memory.dmp

Filesize
96KB

Download
memory/3184-16-0x0000000000D10000-0x0000000000D27000-memory.dmp

Filesize
92KB

Download