emotet | 3f958042bb23e821df3e9a3a95c6fc27be6655d1bd89e2c4bb859aecd92c6ae5

Resubmissions

16-06-2024 07:46

240616-jl755ayhrl 10

16-06-2024 07:42

240616-jj7ftayhkr 10

Analysis

max time kernel
1798s
max time network
1800s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe
Size

304KB
MD5

b267a08d8e8549d97a43a812795c6574
SHA1

2c08e0add27dfba945195f74d28918fd7b3d3818
SHA256

3f958042bb23e821df3e9a3a95c6fc27be6655d1bd89e2c4bb859aecd92c6ae5
SHA512

3fe6fb4d1a85e6c6518c07c2ff29ee7817ec7e96f8d269f6262485b3cf7a794aa4661e40231c65eb31b2ea18f8f6950260e81b22e3250bb5a955432b7607b9a8
SSDEEP

3072:J9zXQj0GpJ4viKir9bXpakjnUvbx8ZlVxCM2B7p2V3++1qyqL5M+X6lppI17:J5XQgGpJKkVXJTk7p2/x46lpK

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

24.43.32.186:80

38.111.46.46:8080

134.209.36.254:8080

162.241.242.173:8080

74.120.55.163:80

61.92.17.12:80

219.74.18.66:443

156.155.166.221:80

104.131.44.150:8080

37.139.21.175:8080

94.1.108.190:443

169.239.182.217:8080

220.245.198.194:80

139.99.158.11:443

91.211.88.52:7080

62.75.141.82:80

174.45.13.118:80

137.119.36.33:80

188.219.31.12:80

103.86.49.11:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 3 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral1/memory/2872-0-0x0000000000240000-0x0000000000252000-memory.dmp	emotet
behavioral1/memory/2872-4-0x0000000000260000-0x0000000000270000-memory.dmp	emotet
behavioral1/memory/2872-7-0x0000000000230000-0x000000000023F000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

Processes:

winsockhc.exe

pid process

2640 winsockhc.exe
Drops file in System32 directory 1 IoCs

Processes:

b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\dmdskmgr\winsockhc.exe b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dmdskmgr\winsockhc.exe	b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

winsockhc.exe

pid	process
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe
2640	winsockhc.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe

pid process

2872 b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe

pid	process
2872	b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe

description	pid	process	target process
PID 2872 wrote to memory of 2640	2872	b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe	winsockhc.exe
PID 2872 wrote to memory of 2640	2872	b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe	winsockhc.exe
PID 2872 wrote to memory of 2640	2872	b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe	winsockhc.exe
PID 2872 wrote to memory of 2640	2872	b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe	winsockhc.exe

C:\Users\Admin\AppData\Local\Temp\b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b267a08d8e8549d97a43a812795c6574_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\dmdskmgr\winsockhc.exe
"C:\Windows\SysWOW64\dmdskmgr\winsockhc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dmdskmgr\winsockhc.exe
Filesize
304KB

MD5
b267a08d8e8549d97a43a812795c6574

SHA1
2c08e0add27dfba945195f74d28918fd7b3d3818

SHA256
3f958042bb23e821df3e9a3a95c6fc27be6655d1bd89e2c4bb859aecd92c6ae5

SHA512
3fe6fb4d1a85e6c6518c07c2ff29ee7817ec7e96f8d269f6262485b3cf7a794aa4661e40231c65eb31b2ea18f8f6950260e81b22e3250bb5a955432b7607b9a8

Download Submit
memory/2872-0-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2872-4-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2872-7-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2872-9-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download