emotet | 4b954f0953a2384d3d7fea6d0423b395c385c2ad223430c764234b8d3399ee49

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
Size

306KB
MD5

179c9442c2076554de8093373f98a18f
SHA1

2304718f6e8dc658af7e5f7bfa6bf2e908c9d2f8
SHA256

4b954f0953a2384d3d7fea6d0423b395c385c2ad223430c764234b8d3399ee49
SHA512

ca9495e2cdde1c0cf0c30598d79cd573096fb602604713e00e37b3921a3d1d6e1b93957d0cccc24b19aa9793e11f26a9f9640e7b07ee29f7b1ba2486ed4c951e
SSDEEP

6144:thtLAppK4UTtvh2VuL6g8+fGKrQ3+toJFihLt3A+W:VApATVAuL6gvfGBdJFihLt3A+W

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

179c9442c2076554de8093373f98a18f_JaffaCakes118.exe179c9442c2076554de8093373f98a18f_JaffaCakes118.exewfptuip.exewfptuip.exe

pid	process
1652	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
1652	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
5044	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
5044	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
556	wfptuip.exe
556	wfptuip.exe
1600	wfptuip.exe
1600	wfptuip.exe
1600	wfptuip.exe
1600	wfptuip.exe
1600	wfptuip.exe
1600	wfptuip.exe
1600	wfptuip.exe
1600	wfptuip.exe
1600	wfptuip.exe
1600	wfptuip.exe
1600	wfptuip.exe
1600	wfptuip.exe
1600	wfptuip.exe
1600	wfptuip.exe
1600	wfptuip.exe
1600	wfptuip.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

179c9442c2076554de8093373f98a18f_JaffaCakes118.exe

pid process

5044 179c9442c2076554de8093373f98a18f_JaffaCakes118.exe

pid	process
5044	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

179c9442c2076554de8093373f98a18f_JaffaCakes118.exewfptuip.exe

description	pid	process	target process
PID 1652 wrote to memory of 5044	1652	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
PID 1652 wrote to memory of 5044	1652	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
PID 1652 wrote to memory of 5044	1652	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe	179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
PID 556 wrote to memory of 1600	556	wfptuip.exe	wfptuip.exe
PID 556 wrote to memory of 1600	556	wfptuip.exe	wfptuip.exe
PID 556 wrote to memory of 1600	556	wfptuip.exe	wfptuip.exe

C:\Users\Admin\AppData\Local\Temp\179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\179c9442c2076554de8093373f98a18f_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\179c9442c2076554de8093373f98a18f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\179c9442c2076554de8093373f98a18f_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:5044

C:\Windows\SysWOW64\wfptuip.exe
"C:\Windows\SysWOW64\wfptuip.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\wfptuip.exe
"C:\Windows\SysWOW64\wfptuip.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/556-6-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1600-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1600-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1600-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1600-13-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1652-0-0x0000000002050000-0x0000000002065000-memory.dmp

Filesize
84KB

Download
memory/1652-1-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1652-4-0x0000000002050000-0x0000000002065000-memory.dmp

Filesize
84KB

Download
memory/5044-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5044-5-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5044-10-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download