emotet | d9c346f01f30a157082337c42002739eed034cfac31e5cd506c3e035030b6125

Analysis

max time kernel
135s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Size

540KB
MD5

e1880c02d31c7c2516de453d9a2b65c8
SHA1

446f8e6641f7506956b3911a1bd4baab5ac2b494
SHA256

d9c346f01f30a157082337c42002739eed034cfac31e5cd506c3e035030b6125
SHA512

47aca2cd91620bc4b06e03a9521480f28182dc76a9cfe4a00326cfc6a6c5f550fffbe0814cb3c7786f5ec5466e09dcc90fc310a582d83ec586a31ca2f082fa3f
SSDEEP

6144:ep3L2QXYf/A90xnOXmXDAfQ/FIN8NhwtXj3HiIWJrGlF:z4Yn5xnOXoG+FIYmHu8lF

Score

10^/10

emotet epoch3 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

190.16.101.10:80

190.217.1.149:80

45.56.122.75:80

85.25.92.96:8080

94.177.253.126:80

187.188.166.192:80

192.241.220.183:8080

189.132.130.111:8080

186.109.91.136:80

186.92.11.143:8080

203.99.182.135:443

91.109.5.28:8080

70.32.94.58:8080

70.45.30.28:80

203.99.187.137:443

190.228.212.165:50000

51.38.134.203:8080

203.99.188.11:443

184.82.233.15:80

154.120.227.206:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mobsyncpicture.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mobsyncpicture.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mobsyncpicture.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mobsyncpicture.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mobsyncpicture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mobsyncpicture.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mobsyncpicture.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mobsyncpicture.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mobsyncpicture.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID\ = "{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}"	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID	mobsyncpicture.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID\ = "mfccalc.calculator"	mobsyncpicture.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID	mobsyncpicture.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID\ = "{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}"	mobsyncpicture.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ = "mfccalc.calculator"	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\E1880C~1.EXE"	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID	mobsyncpicture.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32	mobsyncpicture.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32\ = "C:\\Windows\\SysWOW64\\MOBSYN~1.EXE"	mobsyncpicture.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\ = "mfccalc.calculator"	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID\ = "{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}"	mobsyncpicture.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32	mobsyncpicture.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32\ = "ole32.dll"	mobsyncpicture.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32	mobsyncpicture.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\E1880C~1.EXE"	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID\ = "mfccalc.calculator"	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID\ = "{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}"	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID\ = "mfccalc.calculator"	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID\ = "mfccalc.calculator"	mobsyncpicture.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID	mobsyncpicture.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32\ = "ole32.dll"	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32\ = "ole32.dll"	mobsyncpicture.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32	mobsyncpicture.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32\ = "C:\\Windows\\SysWOW64\\MOBSYN~1.EXE"	mobsyncpicture.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32\ = "ole32.dll"	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
716	mobsyncpicture.exe
716	mobsyncpicture.exe
716	mobsyncpicture.exe
716	mobsyncpicture.exe
716	mobsyncpicture.exe
716	mobsyncpicture.exe
716	mobsyncpicture.exe
716	mobsyncpicture.exe
716	mobsyncpicture.exe
716	mobsyncpicture.exe
716	mobsyncpicture.exe
716	mobsyncpicture.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4592	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2984	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
2984	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
4592	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
4592	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
5364	mobsyncpicture.exe
5364	mobsyncpicture.exe
716	mobsyncpicture.exe
716	mobsyncpicture.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 4592	2984	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe	83
PID 2984 wrote to memory of 4592	2984	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe	83
PID 2984 wrote to memory of 4592	2984	e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe	83
PID 5364 wrote to memory of 716	5364	mobsyncpicture.exe	89
PID 5364 wrote to memory of 716	5364	mobsyncpicture.exe	89
PID 5364 wrote to memory of 716	5364	mobsyncpicture.exe	89

C:\Users\Admin\AppData\Local\Temp\e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\e1880c02d31c7c2516de453d9a2b65c8_JaffaCakes118.exe
  --448709e1
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  PID:4592

C:\Windows\SysWOW64\mobsyncpicture.exe
"C:\Windows\SysWOW64\mobsyncpicture.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5364
- C:\Windows\SysWOW64\mobsyncpicture.exe
  --76493015
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\2ef03a69763eed69ac5af7ea9398ce42_ea0aa4d6-aa48-4733-9e64-85ab59ce35b0

Filesize
1KB

MD5
9dda9585826a275297cc1f39c5586655

SHA1
99428816d846cf9f0c3d1b22d7eeef3586af0768

SHA256
7035a419a43b8d6966a75444449b599f550f2a9f02d1da1bc8d3d22437e9e214

SHA512
def963e4da41871dd28e1a638cdbab4166a565511754d7d7beb1bd4db6d406bd0dfe802af5044e4279846d0fc8147478c5440754c8fba874f257d070be5314e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4182098368-2521458979-3782681353-1000\0f5007522459c86e95ffcc62f32308f1_ea0aa4d6-aa48-4733-9e64-85ab59ce35b0

Filesize
1KB

MD5
4c045888e7d2be10e0f297c196b2f95c

SHA1
42cf30c93cec5e8c417e2f78e27bb3decf30ddf3

SHA256
019f138d651bb7fcbffb403653be86cd24bbaf979f858ee574dd7fcd03240f36

SHA512
71d97cca9943492f8471b229f1deee4d48ca6d2993082d0c398019ac45859e6a91ccaf5aaa151b22e53f7e69926a9708b47748fb991137e5b6aace7e824947da

Download Submit
memory/716-32-0x0000000000E30000-0x0000000000E47000-memory.dmp

Filesize
92KB

Download
memory/2984-3-0x00000000024E0000-0x00000000024F7000-memory.dmp

Filesize
92KB

Download
memory/2984-8-0x00000000023B0000-0x00000000023C1000-memory.dmp

Filesize
68KB

Download
memory/4592-13-0x00000000022B0000-0x00000000022C7000-memory.dmp

Filesize
92KB

Download
memory/4592-27-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5364-22-0x0000000000E90000-0x0000000000EA7000-memory.dmp

Filesize
92KB

Download