emotet | 17be2b8b04f05fc00177b3f239ff7766cf36576c2102067adada7bdcb2146e8b

Analysis

max time kernel
157s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe
Size

420KB
MD5

1b046fa80ee82864c1b2f07758be925f
SHA1

148bcd165406cd984dd3f4ea85de73c09d6fc24d
SHA256

17be2b8b04f05fc00177b3f239ff7766cf36576c2102067adada7bdcb2146e8b
SHA512

58b0440fa31962479939bbb5bb893db6ebc46890dd32f6bda32c5d335cfbadf3031081c3aa86fbd21b74353cc6d06006862a5d19b1b7241b2691ee1a4407c41d
SSDEEP

3072:P6j+WEvtjh69I9PcNfwzy0CNdhIoAuTUd2EUk8:hWEvj6W6fwjQfpz02

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exepwdhexa.exepwdhexa.exe

pid	process
2356	1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe
2356	1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe
4776	1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe
4776	1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe
4104	pwdhexa.exe
4104	pwdhexa.exe
3008	pwdhexa.exe
3008	pwdhexa.exe
3008	pwdhexa.exe
3008	pwdhexa.exe
3008	pwdhexa.exe
3008	pwdhexa.exe
3008	pwdhexa.exe
3008	pwdhexa.exe
3008	pwdhexa.exe
3008	pwdhexa.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe

pid process

4776 1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe

pid	process
4776	1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exepwdhexa.exe

description	pid	process	target process
PID 2356 wrote to memory of 4776	2356	1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe	1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe
PID 2356 wrote to memory of 4776	2356	1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe	1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe
PID 2356 wrote to memory of 4776	2356	1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe	1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe
PID 4104 wrote to memory of 3008	4104	pwdhexa.exe	pwdhexa.exe
PID 4104 wrote to memory of 3008	4104	pwdhexa.exe	pwdhexa.exe
PID 4104 wrote to memory of 3008	4104	pwdhexa.exe	pwdhexa.exe

C:\Users\Admin\AppData\Local\Temp\1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b046fa80ee82864c1b2f07758be925f_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:2076

C:\Windows\SysWOW64\pwdhexa.exe
"C:\Windows\SysWOW64\pwdhexa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\SysWOW64\pwdhexa.exe
"C:\Windows\SysWOW64\pwdhexa.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2356-0-0x0000000001450000-0x0000000001469000-memory.dmp

Filesize
100KB

Download
memory/2356-1-0x0000000003020000-0x0000000003039000-memory.dmp

Filesize
100KB

Download
memory/2356-5-0x0000000003020000-0x0000000003039000-memory.dmp

Filesize
100KB

Download
memory/2356-6-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download
memory/2356-14-0x0000000001450000-0x0000000001469000-memory.dmp

Filesize
100KB

Download
memory/3008-33-0x00000000012F0000-0x0000000001309000-memory.dmp

Filesize
100KB

Download
memory/3008-27-0x0000000001310000-0x0000000001329000-memory.dmp

Filesize
100KB

Download
memory/3008-28-0x00000000012F0000-0x0000000001309000-memory.dmp

Filesize
100KB

Download
memory/3008-29-0x0000000001330000-0x0000000001340000-memory.dmp

Filesize
64KB

Download
memory/3008-23-0x0000000001310000-0x0000000001329000-memory.dmp

Filesize
100KB

Download
memory/4104-17-0x0000000000A60000-0x0000000000A79000-memory.dmp

Filesize
100KB

Download
memory/4104-16-0x0000000000A40000-0x0000000000A59000-memory.dmp

Filesize
100KB

Download
memory/4104-22-0x00000000008A0000-0x00000000008B0000-memory.dmp

Filesize
64KB

Download
memory/4104-21-0x0000000000A60000-0x0000000000A79000-memory.dmp

Filesize
100KB

Download
memory/4104-30-0x0000000000A40000-0x0000000000A59000-memory.dmp

Filesize
100KB

Download
memory/4776-15-0x0000000001020000-0x0000000001039000-memory.dmp

Filesize
100KB

Download
memory/4776-13-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/4776-8-0x0000000001040000-0x0000000001059000-memory.dmp

Filesize
100KB

Download
memory/4776-12-0x0000000001040000-0x0000000001059000-memory.dmp

Filesize
100KB

Download
memory/4776-31-0x00000000008B0000-0x000000000091E000-memory.dmp

Filesize
440KB

Download
memory/4776-32-0x0000000001020000-0x0000000001039000-memory.dmp

Filesize
100KB

Download
memory/4776-7-0x0000000001020000-0x0000000001039000-memory.dmp

Filesize
100KB

Download