emotet | 4b954f0953a2384d3d7fea6d0423b395c385c2ad223430c764234b8d3399ee49

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
Size

306KB
MD5

179c9442c2076554de8093373f98a18f
SHA1

2304718f6e8dc658af7e5f7bfa6bf2e908c9d2f8
SHA256

4b954f0953a2384d3d7fea6d0423b395c385c2ad223430c764234b8d3399ee49
SHA512

ca9495e2cdde1c0cf0c30598d79cd573096fb602604713e00e37b3921a3d1d6e1b93957d0cccc24b19aa9793e11f26a9f9640e7b07ee29f7b1ba2486ed4c951e
SSDEEP

6144:thtLAppK4UTtvh2VuL6g8+fGKrQ3+toJFihLt3A+W:VApATVAuL6gvfGBdJFihLt3A+W

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Drops file in System32 directory 1 IoCs

Processes:

slidemapi.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat slidemapi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	slidemapi.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

slidemapi.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	slidemapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	slidemapi.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C109675E-93BA-4120-ABB9-61B12E593DD1}\22-8d-65-58-7f-82	slidemapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	slidemapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	slidemapi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C109675E-93BA-4120-ABB9-61B12E593DD1}\WpadDecisionReason = "1"	slidemapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C109675E-93BA-4120-ABB9-61B12E593DD1}\WpadDecisionTime = 80f182c3d9c8da01	slidemapi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C109675E-93BA-4120-ABB9-61B12E593DD1}\WpadDecision = "0"	slidemapi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C109675E-93BA-4120-ABB9-61B12E593DD1}\WpadNetworkName = "Network 3"	slidemapi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-8d-65-58-7f-82\WpadDecision = "0"	slidemapi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	slidemapi.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C109675E-93BA-4120-ABB9-61B12E593DD1}	slidemapi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-8d-65-58-7f-82\WpadDecisionReason = "1"	slidemapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-8d-65-58-7f-82\WpadDecisionTime = 80f182c3d9c8da01	slidemapi.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	slidemapi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	slidemapi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	slidemapi.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-8d-65-58-7f-82	slidemapi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-8d-65-58-7f-82\WpadDetectedUrl	slidemapi.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

179c9442c2076554de8093373f98a18f_JaffaCakes118.exe179c9442c2076554de8093373f98a18f_JaffaCakes118.exeslidemapi.exeslidemapi.exe

pid	process
3048	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
2192	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
1552	slidemapi.exe
2136	slidemapi.exe
2136	slidemapi.exe
2136	slidemapi.exe
2136	slidemapi.exe
2136	slidemapi.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

179c9442c2076554de8093373f98a18f_JaffaCakes118.exe

pid process

2192 179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
Suspicious use of UnmapMainImage 4 IoCs

Processes:

179c9442c2076554de8093373f98a18f_JaffaCakes118.exe179c9442c2076554de8093373f98a18f_JaffaCakes118.exeslidemapi.exeslidemapi.exe

pid process

3048 179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
2192 179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
1552 slidemapi.exe
2136 slidemapi.exe

pid	process
2192	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

179c9442c2076554de8093373f98a18f_JaffaCakes118.exeslidemapi.exe

description	pid	process	target process
PID 3048 wrote to memory of 2192	3048	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
PID 3048 wrote to memory of 2192	3048	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
PID 3048 wrote to memory of 2192	3048	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
PID 3048 wrote to memory of 2192	3048	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
PID 1552 wrote to memory of 2136	1552	slidemapi.exe	slidemapi.exe
PID 1552 wrote to memory of 2136	1552	slidemapi.exe	slidemapi.exe
PID 1552 wrote to memory of 2136	1552	slidemapi.exe	slidemapi.exe
PID 1552 wrote to memory of 2136	1552	slidemapi.exe	slidemapi.exe

C:\Users\Admin\AppData\Local\Temp\179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\179c9442c2076554de8093373f98a18f_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\179c9442c2076554de8093373f98a18f_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:2192

C:\Windows\SysWOW64\slidemapi.exe
"C:\Windows\SysWOW64\slidemapi.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\slidemapi.exe
"C:\Windows\SysWOW64\slidemapi.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1552-6-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2136-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2136-9-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2136-11-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2136-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2192-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2192-5-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2192-10-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3048-0-0x00000000001D0000-0x00000000001E5000-memory.dmp

Filesize
84KB

Download
memory/3048-1-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3048-4-0x00000000001D0000-0x00000000001E5000-memory.dmp

Filesize
84KB

Download