Overview

overview

10

Static

static

1

f777dc6fc5...18.doc

windows7-x64

10

f777dc6fc5...18.doc

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f777dc6fc518832307d3a3818ee6e90d_JaffaCakes118

  • Size

    201KB

  • Sample

    240926-d3hnxayapf

  • MD5

    f777dc6fc518832307d3a3818ee6e90d

  • SHA1

    56fe08706cd9054da2dd36c3216b456c4d557d08

  • SHA256

    00d2206a0492af4e5ca8c9d8b67dc673e53caab5243f9104ccb7dd7248462a37

  • SHA512

    6d081b60506563aa1fa0571c9491996f9b9ca4ecf87ea5ebfc2637c2621a369b3536670fbba0e5846de274a7c971e64e7cd78a7bbb2bbbfeb5a192cf1402a880

  • SSDEEP

    3072:dUqJ1NgsA8k/gvh0NZ0lGX1nZ7ZFpSgKsiEHE+b64JM:dBtgVIveNZvnjzKjEkc6cM

Score
10/10
emotetepoch1bankerdiscoverytrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://bavhome.com/wp-content/td/
exe.dropper

http://hercinovic.com/cgi-bin/mZt/
exe.dropper

https://jeffdahlke.com/css/3u/
exe.dropper

http://calledtochange.org/CalledtoChange/V/
exe.dropper

http://daoisthealing.com/cgi-bin/c/
exe.dropper

https://scyzm.net/wp-content/j/
exe.dropper

http://www.bismarjeparamebel.com/u/pCp/

Extracted

Family

emotet

Botnet

Epoch1

C2

12.163.208.58:80

45.33.35.74:8080

87.106.253.248:8080

192.241.146.84:8080

190.115.18.139:8080

65.36.62.20:80

170.81.48.2:80

83.169.21.32:7080

185.232.182.218:80

190.2.31.172:80

77.106.157.34:8080

82.230.1.24:80

202.4.58.197:80

201.213.177.139:80

78.249.119.122:80

123.51.47.18:80

77.90.136.129:8080

60.93.23.51:80

152.169.22.67:80

190.117.79.209:80
rsa_pubkey.plain

Targets

    • Target

      f777dc6fc518832307d3a3818ee6e90d_JaffaCakes118

    • Size

      201KB

    • MD5

      f777dc6fc518832307d3a3818ee6e90d

    • SHA1

      56fe08706cd9054da2dd36c3216b456c4d557d08

    • SHA256

      00d2206a0492af4e5ca8c9d8b67dc673e53caab5243f9104ccb7dd7248462a37

    • SHA512

      6d081b60506563aa1fa0571c9491996f9b9ca4ecf87ea5ebfc2637c2621a369b3536670fbba0e5846de274a7c971e64e7cd78a7bbb2bbbfeb5a192cf1402a880

    • SSDEEP

      3072:dUqJ1NgsA8k/gvh0NZ0lGX1nZ7ZFpSgKsiEHE+b64JM:dBtgVIveNZvnjzKjEkc6cM

    Score
    10/10
    discoveryemotetepoch1bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet payload

      Detects Emotet payload in memory.

      trojanbanker

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks