emotet | a0bba5b583f8902e8751da317b0749d20e5d6d0b996c21e79be2703b9972b0c3

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8e7ccce2bca95419077d139bc39c9c4_JaffaCakes118.exe
Size

667KB
MD5

a8e7ccce2bca95419077d139bc39c9c4
SHA1

ff7014c7e93db2879800ed3fcaad11ff09f5d4ea
SHA256

a0bba5b583f8902e8751da317b0749d20e5d6d0b996c21e79be2703b9972b0c3
SHA512

be5a2a3814cc3756218cf34fecdfa4709e1808a7c8bf9eed11192ff7d7feb44b83d7ba15f0833db8bc16a4a8156f89e3a109972edf97d22ccafedb6cbed70a79
SSDEEP

12288:6+JJG//twCZ1CFy6jpcFnRO6QuiCDuBMoCgazA:6+J6/twC1N6jiVk6Quix4c

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

104.193.103.61:80

104.131.123.136:443

5.196.108.189:8080

121.124.124.40:7080

87.106.139.101:8080

213.196.135.145:80

50.35.17.13:80

38.18.235.242:80

24.43.32.186:80

82.80.155.43:80

103.86.49.11:8080

113.61.66.94:80

24.137.76.62:80

187.49.206.134:80

42.200.107.142:80

24.179.13.119:80

93.147.212.206:80

108.46.29.236:80

105.186.233.33:80

37.139.21.175:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 5 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral2/memory/1968-5-0x0000000000660000-0x0000000000670000-memory.dmp	emotet
behavioral2/memory/1968-0-0x0000000000640000-0x0000000000652000-memory.dmp	emotet
behavioral2/memory/1968-7-0x0000000000610000-0x000000000061F000-memory.dmp	emotet
behavioral2/memory/4376-10-0x0000000002130000-0x0000000002142000-memory.dmp	emotet
behavioral2/memory/4376-14-0x00000000004F0000-0x0000000000500000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

Processes:

spfileq.exe

pid process

4376 spfileq.exe
Drops file in System32 directory 1 IoCs

Processes:

a8e7ccce2bca95419077d139bc39c9c4_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\shell32\spfileq.exe a8e7ccce2bca95419077d139bc39c9c4_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\shell32\spfileq.exe	a8e7ccce2bca95419077d139bc39c9c4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

spfileq.exe

pid	process
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe
4376	spfileq.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

a8e7ccce2bca95419077d139bc39c9c4_JaffaCakes118.exe

pid process

1968 a8e7ccce2bca95419077d139bc39c9c4_JaffaCakes118.exe

pid	process
1968	a8e7ccce2bca95419077d139bc39c9c4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a8e7ccce2bca95419077d139bc39c9c4_JaffaCakes118.exe

description	pid	process	target process
PID 1968 wrote to memory of 4376	1968	a8e7ccce2bca95419077d139bc39c9c4_JaffaCakes118.exe	spfileq.exe
PID 1968 wrote to memory of 4376	1968	a8e7ccce2bca95419077d139bc39c9c4_JaffaCakes118.exe	spfileq.exe
PID 1968 wrote to memory of 4376	1968	a8e7ccce2bca95419077d139bc39c9c4_JaffaCakes118.exe	spfileq.exe

C:\Users\Admin\AppData\Local\Temp\a8e7ccce2bca95419077d139bc39c9c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8e7ccce2bca95419077d139bc39c9c4_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\shell32\spfileq.exe
"C:\Windows\SysWOW64\shell32\spfileq.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:8
1⤵
PID:1240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\shell32\spfileq.exe
Filesize
667KB

MD5
a8e7ccce2bca95419077d139bc39c9c4

SHA1
ff7014c7e93db2879800ed3fcaad11ff09f5d4ea

SHA256
a0bba5b583f8902e8751da317b0749d20e5d6d0b996c21e79be2703b9972b0c3

SHA512
be5a2a3814cc3756218cf34fecdfa4709e1808a7c8bf9eed11192ff7d7feb44b83d7ba15f0833db8bc16a4a8156f89e3a109972edf97d22ccafedb6cbed70a79

Download Submit
memory/1968-5-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/1968-0-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/1968-7-0x0000000000610000-0x000000000061F000-memory.dmp

Filesize
60KB

Download
memory/1968-8-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4376-10-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/4376-14-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download