Overview

overview

10

Static

static

3

7a46ae6300...18.exe

windows7-x64

10

7a46ae6300...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-05-2024 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a46ae6300ee36b083ed09468f18adf2_JaffaCakes118.exe

  • Size

    320KB

  • MD5

    7a46ae6300ee36b083ed09468f18adf2

  • SHA1

    cbc78190fe2389c3b7a4d7701de3074e6cb6e236

  • SHA256

    886d04147c42accc7fed45ce59779d58adbd23f0c527615e796a142d4c3cd610

  • SHA512

    e40ab9cde168c79e6c55f97161673a4ef93e197718e2a1969468810078be090f61ac62313400751723b4b6ddbcde770981f4bc9932009e58f103f9722110cf6e

  • SSDEEP

    6144:0eTNh1u2yP0fI6QRcHdFn2yWBA53u3Phhg+dLb9VzOmhy:00Nh1u0A6QkF2pBs3uJu+dH9UIy

Score
10/10
emotetepoch1bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

74.79.103.55:80

190.100.153.162:443

190.6.193.152:8080

96.126.121.64:443

104.236.137.72:8080

85.234.143.94:8080

80.85.87.122:8080

62.75.160.178:8080

71.76.45.83:443

14.160.93.230:80

87.106.77.40:7080

149.135.123.65:80

76.221.133.146:80

46.101.212.195:8080

91.83.93.124:7080

45.8.136.201:80

201.213.32.59:80

2.139.158.136:443

152.170.108.99:443

188.14.39.65:443
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a46ae6300ee36b083ed09468f18adf2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7a46ae6300ee36b083ed09468f18adf2_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3600
    • C:\Users\Admin\AppData\Local\Temp\7a46ae6300ee36b083ed09468f18adf2_JaffaCakes118.exe
      --9e47b53
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:3240
  • C:\Windows\SysWOW64\grouphant.exe
    "C:\Windows\SysWOW64\grouphant.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\grouphant.exe
      --64f31654
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2484-11-0x0000000000DD0000-0x0000000000DE7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3240-6-0x0000000000710000-0x0000000000727000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3240-21-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/3600-5-0x0000000000710000-0x0000000000721000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3600-0-0x0000000000730000-0x0000000000747000-memory.dmp

    Filesize

    92KB

    Download