Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d03185f82b...18.exe

windows7-x64

10

d03185f82b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/09/2024, 18:28 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d03185f82b1ed66bd5ba3bf5c73c6ab6_JaffaCakes118.exe

  • Size

    228KB

  • MD5

    d03185f82b1ed66bd5ba3bf5c73c6ab6

  • SHA1

    4597c9c948d334daa6535e70152ee79e16334906

  • SHA256

    bae984ef6a0650c09f889ea10e687cc45192d1505b8c66b4f2bff1fe0ccf6fd4

  • SHA512

    00af1a8e8a5641a94025916f849161adc9f9abeab27556e0b0b702505ce55e57f8dafa2d34caf8249d3175640f7d7f1ba966b75c837804da9f59a923ffddf6a7

  • SSDEEP

    3072:IY7i9P50fPlwpHzAFE4nga4YKO1fUMqKXkbbd4b:TGDNzAZga4nx4a6

Score
10/10
emotetepoch2bankerdiscoverytrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

174.106.122.139:80

159.203.116.47:8080

173.249.6.108:443

104.236.246.93:8080

174.45.13.118:80

137.59.187.107:8080

94.200.114.161:80

37.187.72.193:8080

67.10.155.92:80

121.124.124.40:7080

24.43.99.75:80

75.139.38.211:80

109.74.5.95:8080

137.119.36.33:80

74.134.41.124:80

66.65.136.14:80

94.1.108.190:443

181.169.235.7:80

79.137.83.50:443

104.131.44.150:8080
rsa_pubkey.plain
1
-----BEGIN PUBLIC KEY-----
2
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
3
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
4
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
5
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet payload 3 IoCs

    Detects Emotet payload in memory.

    trojanbanker
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d03185f82b1ed66bd5ba3bf5c73c6ab6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d03185f82b1ed66bd5ba3bf5c73c6ab6_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:3000
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4548,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4656 /prefetch:8
    1⤵
      PID:396

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      67.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      67.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
    • 174.106.122.139:80
      d03185f82b1ed66bd5ba3bf5c73c6ab6_JaffaCakes118.exe
      260 B
       5
    • 159.203.116.47:8080
      d03185f82b1ed66bd5ba3bf5c73c6ab6_JaffaCakes118.exe
      260 B
       5
    • 173.249.6.108:443
      d03185f82b1ed66bd5ba3bf5c73c6ab6_JaffaCakes118.exe
      260 B
       5
    • 104.236.246.93:8080
      d03185f82b1ed66bd5ba3bf5c73c6ab6_JaffaCakes118.exe
      260 B
       5
    • 174.45.13.118:80
      d03185f82b1ed66bd5ba3bf5c73c6ab6_JaffaCakes118.exe
      260 B
       5
    • 137.59.187.107:8080
      d03185f82b1ed66bd5ba3bf5c73c6ab6_JaffaCakes118.exe
      260 B
       5
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      330 B
       5

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      67.31.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      67.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      219 B
       144 B
       3
      1

      DNS Request

      95.221.229.192.in-addr.arpa

      DNS Request

      95.221.229.192.in-addr.arpa

      DNS Request

      95.221.229.192.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3000-4-0x00000000006D0000-0x00000000006E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3000-0-0x00000000006B0000-0x00000000006C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3000-7-0x0000000000590000-0x000000000059F000-memory.dmp

      Filesize

      60KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.