Overview

overview

10

Static

static

3

fc50cc6a7c...18.exe

windows7-x64

10

fc50cc6a7c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-09-2024 12:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc50cc6a7c5dce83bac1d89769eed9b0_JaffaCakes118.exe

  • Size

    599KB

  • MD5

    fc50cc6a7c5dce83bac1d89769eed9b0

  • SHA1

    85b3ec64bafe9cce78f42f9739dc43a66e46b319

  • SHA256

    1d0c3529617e1fec76eeee481ea39208607c6d883ed4ae992db72e702a139c15

  • SHA512

    b74137f01011c0e3ec40807f992e9295ddae3ac3ae90ed18937b4188c077d6f480211cc671da00b70287896ada4a76cddcd35d637e27cc79e26fc87ea465effb

  • SSDEEP

    6144:B2KTpf+Wg90u6GNOyjTRmUMqFyHEkhmD+ZEGVG4tIabGKFujxO3QHefozLPwNUVf:YJ/UyjFmU3ykfGGabGv+caqLmDf

Score
10/10
emotetepoch1bankerdiscoverytrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

190.217.1.149:80

154.120.227.206:8080

45.56.79.249:443

163.172.40.218:7080

79.143.182.254:8080

190.230.60.129:8080

46.28.111.142:7080

190.182.161.7:8080

186.68.141.218:80

201.163.74.202:443

62.75.143.100:7080

200.57.102.71:8443

41.75.135.93:7080

119.159.150.176:443

46.41.151.103:8080

178.79.163.131:8080

190.10.194.42:8080

104.131.58.132:8080

200.113.106.18:80

186.15.57.7:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc50cc6a7c5dce83bac1d89769eed9b0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fc50cc6a7c5dce83bac1d89769eed9b0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Local\Temp\fc50cc6a7c5dce83bac1d89769eed9b0_JaffaCakes118.exe
      --32101ecc
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      PID:2516
  • C:\Windows\SysWOW64\networkboost.exe
    "C:\Windows\SysWOW64\networkboost.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\SysWOW64\networkboost.exe
      --bef8ab87
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:3000

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\cjbnyayhde.sikbjse
    Filesize

    50KB

    MD5

    9bffcad43809c28e03b11e6b74a03bc6

    SHA1

    ab4d88bc59348d980a1b3ec7f20945556a8388af

    SHA256

    9a5e9a22b8f93a4c38e8c8ea448b43ef51261156c3bfa6d914f5d055f2c140eb

    SHA512

    b563c0a604ca61a926c453cd6d77e2d766dc8b582640f5e99a403406e78ef8724c198f4dda48f5d87e7c641c37098dfef04261d56aa3ccd64dea932088b909f8

    Download Submit

  • \ProgramData\cjbnyayhde.sikbjse
    Filesize

    50KB

    MD5

    e225d42975f7a5d0cd99a2451915cc64

    SHA1

    d3dd76999d29a791387c6330c971e337dfcc8d8d

    SHA256

    e676c6845d22728b410a4caa4c4150c0b8140286eacab1e8df8ff9b144ff6ad6

    SHA512

    dd13d521e310a72a31a7a62c1f8fdfdb226740722bcde7206b2a299f6e5ab5139a5dbbc102da5b4103eb65e20d87e9ea21cc43eca037422ac7301f61ba5b3fc9

    Download Submit

  • memory/2332-22-0x00000000004F0000-0x0000000000507000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2332-27-0x0000000000400000-0x00000000004A1000-memory.dmp

    Filesize

    644KB

    Download

  • memory/2332-28-0x0000000065280000-0x0000000065298000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2516-30-0x0000000065280000-0x0000000065298000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2516-29-0x0000000000400000-0x00000000004A1000-memory.dmp

    Filesize

    644KB

    Download

  • memory/2672-8-0x0000000000400000-0x00000000004A1000-memory.dmp

    Filesize

    644KB

    Download

  • memory/2672-9-0x0000000065280000-0x0000000065298000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2672-10-0x0000000000340000-0x0000000000351000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2672-3-0x0000000000360000-0x0000000000377000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3000-34-0x00000000003D0000-0x00000000003E7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3000-40-0x0000000065280000-0x0000000065298000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3000-39-0x0000000000400000-0x00000000004A1000-memory.dmp

    Filesize

    644KB

    Download