Overview

overview

10

Static

static

3

JaffaCakes...80.dll

windows7-x64

10

JaffaCakes...80.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2024 03:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_e9a370aa7c2f48d82be7ced29e57a0abe99a6f5ed854130b1a9ac5950318ce80.dll

  • Size

    432KB

  • MD5

    0598691fb39419103a491fc5a46ad3d8

  • SHA1

    64ac7a02ec4707c2986db224910477176de1f29f

  • SHA256

    e9a370aa7c2f48d82be7ced29e57a0abe99a6f5ed854130b1a9ac5950318ce80

  • SHA512

    665f660912be0a3b3feb7616377377b47111e3df3bf6f5003e6db3e48d3b34a4c53326b19f573d85e43098adacd53ea818f9a44d43105743e1693c6bc67d9dd2

  • SSDEEP

    12288:rkEjer16eQSqXL4m1EiOS1OrX3sBqCjM7cuJcXViQjnbbyADuCgs:rk2E1kEi1asBqCM70iQjbFuO

Score
10/10
emotetepoch2bankerdiscoverytrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

24.231.88.85:80

191.112.178.60:80

50.116.111.59:8080

173.249.20.233:443

188.165.214.98:8080

74.40.205.197:443

62.75.141.82:80

2.58.16.89:8080

188.219.31.12:80

95.213.236.64:8080

72.186.136.247:443

185.201.9.197:8080

203.153.216.189:7080

202.134.4.216:8080

72.229.97.235:80

24.179.13.119:80

174.118.202.24:443

74.208.45.104:8080

51.89.36.180:443

202.141.243.254:443
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet family
    emotet
  • Blocklisted process makes network request 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e9a370aa7c2f48d82be7ced29e57a0abe99a6f5ed854130b1a9ac5950318ce80.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e9a370aa7c2f48d82be7ced29e57a0abe99a6f5ed854130b1a9ac5950318ce80.dll,#1
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/728-0-0x00000000028D0000-0x00000000028F0000-memory.dmp

    Filesize

    128KB

    Download