emotet | c8de6f317f5e229ddc162a89867520de23a899aeff2e4b43a25cc914aba20ea5

Analysis

max time kernel
139s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e45cac072be637a8b767748d9a4aa225_JaffaCakes118.exe
Size

448KB
MD5

e45cac072be637a8b767748d9a4aa225
SHA1

3960e4c824cee5e6d52a987622d574af87f86960
SHA256

c8de6f317f5e229ddc162a89867520de23a899aeff2e4b43a25cc914aba20ea5
SHA512

78377f8dfc6207a4ba5f33b2995da0dc5d01c2b7dbe2f92553295867059aafc6bbd021b6dabf5050db70d0f27676d85da2bbab143034cc7dd4a04ba8e267ee39
SSDEEP

12288:SfzaBuiszJbE9mO4sl9kHAOyQkNvOzxr:SbMmO4sl9gR2Ot

Score

10^/10

emotet epoch3 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

71.57.180.213:80

185.86.148.68:443

168.235.82.183:8080

181.113.229.139:443

181.134.9.162:80

217.199.160.224:8080

105.209.235.113:8080

216.75.37.196:8080

97.104.107.190:80

203.153.216.182:7080

107.161.30.122:8080

41.106.96.12:80

202.5.47.71:80

201.235.10.215:80

105.213.67.88:80

115.79.195.246:80

179.5.118.12:80

212.112.113.235:80

139.59.12.63:8080

177.37.81.212:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 4 IoCs

Detects Emotet payload in memory.

trojan banker

resource	yara_rule
behavioral2/memory/3632-0-0x00000000023E0000-0x00000000023E9000-memory.dmp	emotet
behavioral2/memory/3632-1-0x00000000024F0000-0x00000000024FC000-memory.dmp	emotet
behavioral2/memory/4608-7-0x00000000022C0000-0x00000000022CC000-memory.dmp	emotet
behavioral2/memory/4608-11-0x00000000022C0000-0x00000000022CC000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

pid	Process
4608	KBDA3.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MapConfiguration\KBDA3.exe	e45cac072be637a8b767748d9a4aa225_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e45cac072be637a8b767748d9a4aa225_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KBDA3.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4608	KBDA3.exe
4608	KBDA3.exe
4608	KBDA3.exe
4608	KBDA3.exe
4608	KBDA3.exe
4608	KBDA3.exe
4608	KBDA3.exe
4608	KBDA3.exe
4608	KBDA3.exe
4608	KBDA3.exe
4608	KBDA3.exe
4608	KBDA3.exe
4608	KBDA3.exe
4608	KBDA3.exe
4608	KBDA3.exe
4608	KBDA3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3632	e45cac072be637a8b767748d9a4aa225_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3632	e45cac072be637a8b767748d9a4aa225_JaffaCakes118.exe
3632	e45cac072be637a8b767748d9a4aa225_JaffaCakes118.exe
4608	KBDA3.exe
4608	KBDA3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 4608	3632	e45cac072be637a8b767748d9a4aa225_JaffaCakes118.exe	86
PID 3632 wrote to memory of 4608	3632	e45cac072be637a8b767748d9a4aa225_JaffaCakes118.exe	86
PID 3632 wrote to memory of 4608	3632	e45cac072be637a8b767748d9a4aa225_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\e45cac072be637a8b767748d9a4aa225_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e45cac072be637a8b767748d9a4aa225_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Windows\SysWOW64\MapConfiguration\KBDA3.exe
  "C:\Windows\SysWOW64\MapConfiguration\KBDA3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MapConfiguration\KBDA3.exe

Filesize
448KB

MD5
e45cac072be637a8b767748d9a4aa225

SHA1
3960e4c824cee5e6d52a987622d574af87f86960

SHA256
c8de6f317f5e229ddc162a89867520de23a899aeff2e4b43a25cc914aba20ea5

SHA512
78377f8dfc6207a4ba5f33b2995da0dc5d01c2b7dbe2f92553295867059aafc6bbd021b6dabf5050db70d0f27676d85da2bbab143034cc7dd4a04ba8e267ee39

Download Submit
memory/3632-0-0x00000000023E0000-0x00000000023E9000-memory.dmp

Filesize
36KB

Download
memory/3632-1-0x00000000024F0000-0x00000000024FC000-memory.dmp

Filesize
48KB

Download
memory/3632-6-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4608-7-0x00000000022C0000-0x00000000022CC000-memory.dmp

Filesize
48KB

Download
memory/4608-11-0x00000000022C0000-0x00000000022CC000-memory.dmp

Filesize
48KB

Download