Analysis

  • max time kernel
    136s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-05-2024 14:53

General

  • Target

    72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe

  • Size

    392KB

  • MD5

    72556988fd1623efd2e90ed87b14e644

  • SHA1

    5f02ee8bb59504cc2325427759cf50fb1ea3d1f1

  • SHA256

    f2ba7468f0bd780ad29c66bd01d7e2e9780040eacfe736bfa861eb08908cc7be

  • SHA512

    1eb14a4e565b9e488652e1bc9051fc1130a3687916cb99fd99201e2b3e2db366c7d6fec939c7064f2c915a9af318c4651941d114ad95ad0da96ced28b36b05a2

  • SSDEEP

    6144:vQwl8GGD02Q98eFRDtelT6LXdooCXV5DLvmgB76/Sj2tcm5dqa5/sZS:vr8XD0DxDtyQXS5uPUiz5r5J

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious behavior: RenamesItself (1 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\AppData\Local\Temp\72556988fd1623efd2e90ed87b14e644_JaffaCakes118.exe
      --f05c3239
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:4920
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
    1⤵
      PID:2740
    • C:\Windows\SysWOW64\leeltextto.exe
      "C:\Windows\SysWOW64\leeltextto.exe"
      1⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\leeltextto.exe
        --d7b643ba
        2⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3216

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\27c0738ed88ae919a1711a9b1324b5a5_d2547453-e731-4fdf-8f92-95f955a44aca
      Filesize

      50B

      MD5

      dd78062e166a7d28ea259d66acf16e7b

      SHA1

      b4799b14e9c354d2f2e954906c8a2ebf1262388d

      SHA256

      02d89b3d50c411c1ad7b4d2555f08620bccc5132adb6c965c043912489cbce8a

      SHA512

      2973d854e2c4288ed671a9b92ad97e161811112800d070bdf6d6f482bfe696cfcc7104ffa2a2102900a9a0fda02d558ecb15744cd5a7fb84b4948b7278edfb49

    • memory/1384-0-0x0000000002260000-0x0000000002277000-memory.dmp
      Filesize

      92KB

    • memory/1384-5-0x0000000000610000-0x0000000000621000-memory.dmp
      Filesize

      68KB

    • memory/1812-12-0x0000000000E70000-0x0000000000E87000-memory.dmp
      Filesize

      92KB

    • memory/3216-19-0x0000000000E40000-0x0000000000E57000-memory.dmp
      Filesize

      92KB

    • memory/4920-6-0x00000000006C0000-0x00000000006D7000-memory.dmp
      Filesize

      92KB

    • memory/4920-18-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB