Overview

overview

10

Static

static

3

f9569ad8eb...18.exe

windows10-2004-x64

10

Resubmissions

27-09-2024 00:17

240927-ak7crsyara 10

26-09-2024 23:32

240926-3jm7qawgmc 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f9569ad8ebb10c0522ba5b2d8b2c06e4_JaffaCakes118

  • Size

    504KB

  • Sample

    240927-ak7crsyara

  • MD5

    f9569ad8ebb10c0522ba5b2d8b2c06e4

  • SHA1

    c55b876905348f70903f97263fafe5f881e8839f

  • SHA256

    8112eaebc89c76acc0aeead1c225b3ab1662ec448cb5673d6bdb04b719826dee

  • SHA512

    6971364e25eb9fea5dedd6c41f71249312ec16af90885c6de3869c0df6be3ac8cb278a1bb3e9576cefb4d4f0672eae459805d3106687996864db8c4c8585152c

  • SSDEEP

    6144:nBzm/LCCddFxrIT9QmsCeB3QN1KYCOLYQONe68z0HMvfMd6f8I5Ber0CQuhcT0:KdrwHsCIA3KYCOLa8kMHMKa0Ci0

Score
10/10
emotetepoch2bankerdefense_evasiondiscoverypersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

174.106.122.139:80

159.203.116.47:8080

173.249.6.108:443

104.236.246.93:8080

174.45.13.118:80

137.59.187.107:8080

94.200.114.161:80

37.187.72.193:8080

67.10.155.92:80

121.124.124.40:7080

24.43.99.75:80

75.139.38.211:80

109.74.5.95:8080

137.119.36.33:80

74.134.41.124:80

66.65.136.14:80

94.1.108.190:443

181.169.235.7:80

79.137.83.50:443

104.131.44.150:8080
rsa_pubkey.plain

Targets

    • Target

      f9569ad8ebb10c0522ba5b2d8b2c06e4_JaffaCakes118

    • Size

      504KB

    • MD5

      f9569ad8ebb10c0522ba5b2d8b2c06e4

    • SHA1

      c55b876905348f70903f97263fafe5f881e8839f

    • SHA256

      8112eaebc89c76acc0aeead1c225b3ab1662ec448cb5673d6bdb04b719826dee

    • SHA512

      6971364e25eb9fea5dedd6c41f71249312ec16af90885c6de3869c0df6be3ac8cb278a1bb3e9576cefb4d4f0672eae459805d3106687996864db8c4c8585152c

    • SSDEEP

      6144:nBzm/LCCddFxrIT9QmsCeB3QN1KYCOLYQONe68z0HMvfMd6f8I5Ber0CQuhcT0:KdrwHsCIA3KYCOLa8kMHMKa0Ci0

    Score
    10/10
    emotetepoch2bankerdefense_evasiondiscoverypersistenceprivilege_escalationspywarestealertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Emotet payload

      Detects Emotet payload in memory.

      trojanbanker

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

      defense_evasion

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Safe Mode Boot

1
T1562.009

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

3
T1120

Query Registry

6
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks