emotet | 2896ab3c7791ec300a43427d837ebd16697e0d19a31440e1ace1741944292d01

Analysis

max time kernel
133s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 06:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe
Size

672KB
MD5

ad34cf2826fba00037f36122d68a7956
SHA1

8620ef61c30021d7954a8813246a94e764cda892
SHA256

2896ab3c7791ec300a43427d837ebd16697e0d19a31440e1ace1741944292d01
SHA512

0da99af6de405ba2689e9b559e4f18cb085ba3463ec15ab95d7e70b05bbb7d93a7e9fa55c0abd9e4a1a75eb82071e835b9c48d0db4df3c1156e9b9e808b65d53
SSDEEP

6144:PtEkXzqXV4beq+3nzgmF3JhpolOrJ5zcEKM5fkLaMiLgLWL7SqaaYo5wzPLNQOIG:PtZb03nzgU3yOrnzt6zEPdAH4c

Score

10^/10

emotet epoch3 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

116.91.240.96:80

167.71.227.113:8080

190.85.46.52:7080

162.144.42.60:8080

202.166.170.43:80

95.216.205.155:8080

120.51.34.254:80

103.93.220.182:80

111.89.241.139:80

60.125.114.64:443

45.177.120.37:8080

185.86.148.68:443

75.127.14.170:8080

119.92.77.17:80

203.153.216.178:7080

172.96.190.154:8080

179.5.118.12:80

153.229.219.1:443

139.59.12.63:8080

115.79.195.246:80

rsa_pubkey.plain

1
-----BEGIN PUBLIC KEY-----
2
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
3
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
4
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
5
-----END PUBLIC KEY-----

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 3 IoCs

Detects Emotet payload in memory.

trojan banker

resource	yara_rule
behavioral2/memory/1884-1-0x00000000006C0000-0x00000000006D2000-memory.dmp	emotet
behavioral2/memory/1884-4-0x00000000006E0000-0x00000000006F0000-memory.dmp	emotet
behavioral2/memory/1884-7-0x00000000006B0000-0x00000000006BF000-memory.dmp	emotet

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1884	ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe
1884	ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe
1884	ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe
1884	ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe
1884	ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe
1884	ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe
1884	ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe
1884	ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe
1884	ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe
1884	ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe
1884	ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe
1884	ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe
1884	ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe
1884	ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1884	ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1884

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

116.91.240.96:80

ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe

260 B
5
167.71.227.113:8080

ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe

260 B
5
190.85.46.52:7080

ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe

260 B
5
162.144.42.60:8080

ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe

260 B
5
202.166.170.43:80

ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe

260 B
5
95.216.205.155:8080

ad34cf2826fba00037f36122d68a7956_JaffaCakes118.exe

260 B
5

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

330 B
5

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1884-1-0x00000000006C0000-0x00000000006D2000-memory.dmp

Filesize
72KB

Download
memory/1884-4-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/1884-7-0x00000000006B0000-0x00000000006BF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.