emotet | 2e140194d24aec4ebe96284aecfc09255305044eb3ad0cf2daa9ddc092dae1a5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8a1f3f16a9c2171e5fc3a8bb05699ab_JaffaCakes118.exe
Size

427KB
MD5

b8a1f3f16a9c2171e5fc3a8bb05699ab
SHA1

8c337d4075704b1ac31a1c24a01b8e848eb8ae8f
SHA256

2e140194d24aec4ebe96284aecfc09255305044eb3ad0cf2daa9ddc092dae1a5
SHA512

1ab83c51ae9f3dea257067c6caa12856f9802f9a368225df656135252135f76255a31ca318c72203c196fd7f51c07807f643b441a09965ed3e7b21ffdf051df4
SSDEEP

6144:vXBr9LW/6DUvum8w71YQvq6H/iaRT8oITZO/rVurq:vXdNDDUvum8w5lv7Ha+ThmZo5uG

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

71.72.196.159:80

134.209.36.254:8080

120.138.30.150:8080

94.23.216.33:80

157.245.99.39:8080

137.59.187.107:8080

94.23.237.171:443

61.19.246.238:443

156.155.166.221:80

50.35.17.13:80

153.137.36.142:80

91.211.88.52:7080

209.141.54.221:8080

185.94.252.104:443

174.45.13.118:80

87.106.136.232:8080

62.75.141.82:80

213.196.135.145:80

188.219.31.12:80

82.80.155.43:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 5 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral2/memory/2628-4-0x00000000007A0000-0x00000000007B0000-memory.dmp	emotet
behavioral2/memory/2628-0-0x0000000000780000-0x0000000000792000-memory.dmp	emotet
behavioral2/memory/2628-7-0x0000000000770000-0x000000000077F000-memory.dmp	emotet
behavioral2/memory/4364-14-0x0000000002100000-0x0000000002110000-memory.dmp	emotet
behavioral2/memory/4364-10-0x00000000020E0000-0x00000000020F2000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

Processes:

usercpl.exe

pid process

4364 usercpl.exe
Drops file in System32 directory 1 IoCs

Processes:

b8a1f3f16a9c2171e5fc3a8bb05699ab_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\NPSM\usercpl.exe b8a1f3f16a9c2171e5fc3a8bb05699ab_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\NPSM\usercpl.exe	b8a1f3f16a9c2171e5fc3a8bb05699ab_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

usercpl.exe

pid	process
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe
4364	usercpl.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

b8a1f3f16a9c2171e5fc3a8bb05699ab_JaffaCakes118.exe

pid process

2628 b8a1f3f16a9c2171e5fc3a8bb05699ab_JaffaCakes118.exe

pid	process
2628	b8a1f3f16a9c2171e5fc3a8bb05699ab_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b8a1f3f16a9c2171e5fc3a8bb05699ab_JaffaCakes118.exe

description	pid	process	target process
PID 2628 wrote to memory of 4364	2628	b8a1f3f16a9c2171e5fc3a8bb05699ab_JaffaCakes118.exe	usercpl.exe
PID 2628 wrote to memory of 4364	2628	b8a1f3f16a9c2171e5fc3a8bb05699ab_JaffaCakes118.exe	usercpl.exe
PID 2628 wrote to memory of 4364	2628	b8a1f3f16a9c2171e5fc3a8bb05699ab_JaffaCakes118.exe	usercpl.exe

C:\Users\Admin\AppData\Local\Temp\b8a1f3f16a9c2171e5fc3a8bb05699ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8a1f3f16a9c2171e5fc3a8bb05699ab_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\NPSM\usercpl.exe
"C:\Windows\SysWOW64\NPSM\usercpl.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4364

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NPSM\usercpl.exe
Filesize
427KB

MD5
b8a1f3f16a9c2171e5fc3a8bb05699ab

SHA1
8c337d4075704b1ac31a1c24a01b8e848eb8ae8f

SHA256
2e140194d24aec4ebe96284aecfc09255305044eb3ad0cf2daa9ddc092dae1a5

SHA512
1ab83c51ae9f3dea257067c6caa12856f9802f9a368225df656135252135f76255a31ca318c72203c196fd7f51c07807f643b441a09965ed3e7b21ffdf051df4

Download Submit
memory/2628-4-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/2628-0-0x0000000000780000-0x0000000000792000-memory.dmp

Filesize
72KB

Download
memory/2628-7-0x0000000000770000-0x000000000077F000-memory.dmp

Filesize
60KB

Download
memory/2628-9-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4364-14-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/4364-10-0x00000000020E0000-0x00000000020F2000-memory.dmp

Filesize
72KB

Download