emotet | 55330a70b305c34a9bb3197912c3307f5880cde77cff782d509c05621e52e6ab

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:59

Target

6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exe
Size

290KB
MD5

6ee81f19c0b8da85487a32edf30f5bb8
SHA1

b9d3243e178801d63948ff19cd8613baa1dfeee0
SHA256

55330a70b305c34a9bb3197912c3307f5880cde77cff782d509c05621e52e6ab
SHA512

9d7c313536e8809fca41ee52d708118abbf68a20dd616aaf1797e52015c876579aadc224672b98847859e9ff1ea932c43c1d52b9abe1a839b079e2bec0abe8d4
SSDEEP

3072:WH0jhuyeZ9/ulQy0tPzsJgSebg5FkmIyDZlGDBb2whiWz0YXdjyBBR5s2Kg0Y+PE:WHpL28QJgSebWTIyDZK2wh0YXd6BIu

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exe6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exestringtabbtn.exestringtabbtn.exe

pid	process
3436	6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exe
3436	6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exe
2308	6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exe
2308	6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exe
1876	stringtabbtn.exe
1876	stringtabbtn.exe
1032	stringtabbtn.exe
1032	stringtabbtn.exe
1032	stringtabbtn.exe
1032	stringtabbtn.exe
1032	stringtabbtn.exe
1032	stringtabbtn.exe
1032	stringtabbtn.exe
1032	stringtabbtn.exe
1032	stringtabbtn.exe
1032	stringtabbtn.exe
1032	stringtabbtn.exe
1032	stringtabbtn.exe
1032	stringtabbtn.exe
1032	stringtabbtn.exe
1032	stringtabbtn.exe
1032	stringtabbtn.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exe

pid process

2308 6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exe

pid	process
2308	6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exestringtabbtn.exe

description	pid	process	target process
PID 3436 wrote to memory of 2308	3436	6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exe	6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exe
PID 3436 wrote to memory of 2308	3436	6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exe	6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exe
PID 3436 wrote to memory of 2308	3436	6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exe	6ee81f19c0b8da85487a32edf30f5bb8_JaffaCakes118.exe
PID 1876 wrote to memory of 1032	1876	stringtabbtn.exe	stringtabbtn.exe
PID 1876 wrote to memory of 1032	1876	stringtabbtn.exe	stringtabbtn.exe
PID 1876 wrote to memory of 1032	1876	stringtabbtn.exe	stringtabbtn.exe

C:\Windows\SysWOW64\stringtabbtn.exe
"C:\Windows\SysWOW64\stringtabbtn.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\stringtabbtn.exe
  "C:\Windows\SysWOW64\stringtabbtn.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1032

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1032-25-0x0000000000760000-0x0000000000777000-memory.dmp

Filesize
92KB

Download
memory/1032-21-0x0000000000760000-0x0000000000777000-memory.dmp

Filesize
92KB

Download
memory/1876-18-0x0000000000D80000-0x0000000000D97000-memory.dmp

Filesize
92KB

Download
memory/1876-14-0x0000000000D80000-0x0000000000D97000-memory.dmp

Filesize
92KB

Download
memory/1876-20-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/1876-19-0x0000000000D60000-0x0000000000D77000-memory.dmp

Filesize
92KB

Download
memory/2308-13-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/2308-12-0x0000000000A20000-0x0000000000A37000-memory.dmp

Filesize
92KB

Download
memory/2308-11-0x0000000000A40000-0x0000000000A57000-memory.dmp

Filesize
92KB

Download
memory/2308-7-0x0000000000A40000-0x0000000000A57000-memory.dmp

Filesize
92KB

Download
memory/2308-26-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2308-27-0x0000000000A20000-0x0000000000A37000-memory.dmp

Filesize
92KB

Download
memory/3436-4-0x0000000000A40000-0x0000000000A57000-memory.dmp

Filesize
92KB

Download
memory/3436-5-0x0000000000A20000-0x0000000000A37000-memory.dmp

Filesize
92KB

Download
memory/3436-6-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/3436-0-0x0000000000A40000-0x0000000000A57000-memory.dmp

Filesize
92KB

Download