Overview

overview

10

Static

static

3

fc50cc6a7c...18.exe

windows7-x64

10

fc50cc6a7c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-09-2024 12:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc50cc6a7c5dce83bac1d89769eed9b0_JaffaCakes118.exe

  • Size

    599KB

  • MD5

    fc50cc6a7c5dce83bac1d89769eed9b0

  • SHA1

    85b3ec64bafe9cce78f42f9739dc43a66e46b319

  • SHA256

    1d0c3529617e1fec76eeee481ea39208607c6d883ed4ae992db72e702a139c15

  • SHA512

    b74137f01011c0e3ec40807f992e9295ddae3ac3ae90ed18937b4188c077d6f480211cc671da00b70287896ada4a76cddcd35d637e27cc79e26fc87ea465effb

  • SSDEEP

    6144:B2KTpf+Wg90u6GNOyjTRmUMqFyHEkhmD+ZEGVG4tIabGKFujxO3QHefozLPwNUVf:YJ/UyjFmU3ykfGGabGv+caqLmDf

Score
10/10
emotetepoch1bankerdiscoverytrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

190.217.1.149:80

154.120.227.206:8080

45.56.79.249:443

163.172.40.218:7080

79.143.182.254:8080

190.230.60.129:8080

46.28.111.142:7080

190.182.161.7:8080

186.68.141.218:80

201.163.74.202:443

62.75.143.100:7080

200.57.102.71:8443

41.75.135.93:7080

119.159.150.176:443

46.41.151.103:8080

178.79.163.131:8080

190.10.194.42:8080

104.131.58.132:8080

200.113.106.18:80

186.15.57.7:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc50cc6a7c5dce83bac1d89769eed9b0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fc50cc6a7c5dce83bac1d89769eed9b0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Users\Admin\AppData\Local\Temp\fc50cc6a7c5dce83bac1d89769eed9b0_JaffaCakes118.exe
      --32101ecc
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      PID:2872
  • C:\Windows\SysWOW64\boostmetered.exe
    "C:\Windows\SysWOW64\boostmetered.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Windows\SysWOW64\boostmetered.exe
      --736018b7
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:4692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\b383383de6c307020e46727a1e601e32_dd06e985-ac7f-4567-b0c7-3752f03c29fc
    Filesize

    50B

    MD5

    e5f21f598543693bef75a70885351301

    SHA1

    79fbe7ba977283d9911109d8c396fc3bd05ba348

    SHA256

    356985f057687ad1cbadc2dc4328d77707ae24f79d69df029610954ced99e380

    SHA512

    ddef4d64549a74bfddc5ae95d4f2086f3a524b4d4198347d9688bbcb90d259221a0acccc662db2a3157c1a723fe696f8256a5add0989c959fd39fc1e526888c2

    Download Submit

  • C:\ProgramData\cjbnyayhde.sikbjse
    Filesize

    50KB

    MD5

    703459bd8d07ccff38c590f9cc4d9fcc

    SHA1

    8d072e60630bd692685238e201f4c1ff6ec3eb19

    SHA256

    05073229146780ea0b230be9b4b34d48b14758ea2e7a4bfa6e0c754690ed549f

    SHA512

    5a94969770fbb4b1a417646c5bb88a7f9f7dc747af96b33567f10a8971cec3ae673cea4a5494fc7a44de68e48cd6f1d95548e12c33f86a431492378e846c8718

    Download Submit

  • memory/876-27-0x0000000065280000-0x0000000065298000-memory.dmp

    Filesize

    96KB

    Download

  • memory/876-21-0x0000000001430000-0x0000000001447000-memory.dmp

    Filesize

    92KB

    Download

  • memory/876-26-0x0000000000400000-0x00000000004A1000-memory.dmp

    Filesize

    644KB

    Download

  • memory/2872-35-0x0000000000400000-0x00000000004A1000-memory.dmp

    Filesize

    644KB

    Download

  • memory/2872-36-0x0000000065280000-0x0000000065298000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2872-14-0x0000000002860000-0x0000000002877000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3264-10-0x0000000000400000-0x00000000004A1000-memory.dmp

    Filesize

    644KB

    Download

  • memory/3264-11-0x0000000065280000-0x0000000065298000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3264-9-0x00000000023F0000-0x0000000002401000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3264-4-0x0000000002410000-0x0000000002427000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4692-30-0x00000000006F0000-0x0000000000707000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4692-38-0x0000000065280000-0x0000000065298000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4692-37-0x0000000000400000-0x00000000004A1000-memory.dmp

    Filesize

    644KB

    Download