This work is licensed under a Creative Commons Attribution 4.0 International License. To view a copy of this license visit

Transcription

1 Sample: e700c5cb85f ba8d48508ff0 P3pper Reports - P3pper Twitter - This report has been generated automatically by a set of malware analysis tools. This work is licensed under a Creative Commons Attribution 4.0 International License. To view a copy of this license visit Classification: #BANKER #EMOTET (based on p3pperp0tts rules) Analysis date: :27:02 (p3pperp0tts platform's analysis date) Exe timestamp: :03:35 (timestamp of the original sample) Unpacked mods max timestamp: :12:35 (higher timestamp of all the unpacked modules) VirusTotal analysis date: :13:06 (date of last time that the sample was analyzed at vt) Index Sample AV detections Virustotal Yara matches Threads tree Most Interesting behavior Most Interesting strings Hosts Dns queries Network traffic Full strings list Threads behaviour Network by processes Unpacked or injected modules Extra Information Recovered Configs Recovered

2 Sample md5: e700c5cb85f ba8d48508ff0 AV detections Microsoft: Trojan:Win32/Emotet.ARJ!MTB Kaspersky: HEUR:Trojan.Win32.Agent.pef Symantec: Packed.Generic.554 Malwarebytes: Trojan.MalPack.TRE Virustotal Yara matches The following yara rules have matched injected or unpacked modules's code or data areas. UNKALIAS:#BANKER #EMOTET UNKALIAS:#BANKER #EMOTET

3 Threads tree The following tree represents sample's threads. T<index> is an alias for sample's threads (numeration is done in the order of threads creation). P<index> is an alias for processes owning sample's threads.

4 Most interesting behavior The following list it's a collection of the most interesting events captured. This list is ordered by the score assigned to the event. In the section "Threads behavioural information" it's possible to find all the actions performed by each sample's thread ordered chronologically. No actions found

5 Most interesting strings The following list it's a collection of the most interesting strings found in the sample's modules (unpacked modules too) code or data.!this program cannot be run in DOS mode. Nj(tm=\\3k8u=

6 Hosts : : : : : : : : : : : :8080

7 Dns queries isatap.localdomain ---> no answers in-addr.arpa ---> no answers in-addr.arpa ---> no answers in-addr.arpa ---> no answers in-addr.arpa ---> no answers in-addr.arpa ---> no answers in-addr.arpa ---> no answers in-addr.arpa ---> no answers

8 Network traffic This section contains the readable content of the captured network traffic classified by established connections. tcp : > :80 Content-Type: application/octet-stream[...]content-disposition: form-data; name="ptlasxxunbaadtgputz"; filename="kircgec"[...] t9gjfyefj[...]accept: text/html,application/xhtml+xml,application/xml;q=0.9,image /webp,*/*;q=0.8[...] t9gjfyefj--[...]accept-encoding: gzip, deflate[...]referer: /KY7H9/6oRh7oiWWPK12Iow/jCrOuySi4ET2wb/Rkr6k/1mTO2qhiQczpNmZO/DrdExHVlfJ/[...]Content-Type: multipart/form-data; boundary= t9gjfyefj[...]host: [...]Cache-Control: no-cache[...]upgrade-insecure-requests: 1[...]POST /KY7H9/6oRh7oiWWPK12Iow/jCrOuySi4ET2wb/Rkr6k/1mTO2qhiQczpNmZO/DrdExHVlfJ/ HTTP/1.1[...]User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/ Firefox/75.0[...]Connection: Keep-Alive[...]Accept-Language: en-us,en;q=0.5[...]content-length: 4564 tcp : > :8080 Content-Type: application/octet-stream[...]post /236xhTXAl/kI6xFzKZfTvk9/2Kmiz2Rmp/wf5HH/kzJYw1iHob1KjMk/IW09WZdUJU/ HTTP/1.1[...]Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8[...]content-type: multipart/form-data; boundary= kcojqb8cbqdmh[...]accept-encoding: gzip, deflate[...] kcojqb8cbqdmh--[...]content-length: 4564[...]Content-Disposition: form-data; name="aaylssbzlmvqtt"; filename="qrlvvi"[...]cache-control: no-cache[...]upgrade-insecure-requests: 1[...]Referer: /236xhTXAl/kI6xFzKZfTvk9/2Kmiz2Rmp/wf5HH/kzJYw1iHob1KjMk/IW09WZdUJU/[...]User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/ Firefox/75.0[...]Connection: Keep-Alive[...]Accept-Language: en-us,en;q=0.5[...] kcojqb8cbqdmh[...]host: :8080 tcp : > :7080 Content-Disposition: form-data; name="dddxllcvipheib"; filename="cifsybgsnvftb"[...]accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8[...]content-type: application/octet-stream[...]content-type: multipart/form-data; boundary= mhoeuhyld4rhsdu[...]accept-encoding: gzip, deflate[...] mhoeuhyld4rhsdu--[...]host: :7080[...] mHoEuhYlD4rHsdu[...]Cache-Control: no-cache[...]upgrade-insecure-requests: 1[...]Referer: /OOgQ7RHNiz1/z9nxW8d9QFuQQ/uhHPSstWMQgDOfjC3Is/yfWpNT29rfk3HZnywv/[...]User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/ Firefox/75.0[...]Connection: Keep-Alive[...]Accept-Language: en-us,en;q=0.5[...]post /OOgQ7RHNiz1/z9nxW8d9QFuQQ/uhHPSstWMQgDOfjC3Is/yfWpNT29rfk3HZnywv/ HTTP/1.1[...]Content-Length: 4564 tcp : > :49163 Content-Type: text/html; charset=utf-8[...]date: Sun, 17 Jan :38:27 GMT[...]Server: nginx[...]vary: Accept-Encoding[...]HTTP/ OK[...]Content-Length: 2100[...]Connection: Keep-Alive tcp : > :80 GET /pki/crl/products/winpca.crl HTTP/1.1[...]If-Modified-Since: Wed, 02 Dec :30:06 GMT[...]Cache-Control: max-age = 900[...]User-Agent: Microsoft-CryptoAPI/6.1[...]Host: crl.microsoft.com[...]if-none-match: "0cb60772f2dd11:0"[...]Connection: Keep-Alive tcp :80 ---> :49164

9 x-ms-blob-type: BlockBlob[...]Date: Sun, 17 Jan :42:38 GMT[...]Content-Length: 530[...]Content-Type: application/pkix-crl[...]http/ OK[...]x-ms-version: [...] Z[...] Z[...]HTTP/ OK[...]Content-MD5: Xiddt2GqWiOsZRr49sSgAA==[...]x-ms-lease-status: unlocked[...]x-ms-request-id: 9d0ff0ea-801e-00a3-53d8-858b [...]Last-Modified: Tue, 08 May :14:18 GMT[...]Microsoft Corporation1+0)[...]Connection: Keep-Alive[...]Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0[...]ETag: 0x8D5B528A905E7D5[...]"Microsoft Windows Verification PCA tcp : > :7080 Content-Type: application/octet-stream[...]accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8[...]content-disposition: form-data; name="znyvvzzvfzdgu"; filename="pxzjudb"[...] bkc2gk1phpx990rydzgk--[...]content-type: multipart/form-data; boundary= bkc2gk1phpx990rydzgk[...]post /cwiwwlbvic73yjjh/ HTTP/1.1[...]Host: :7080[...]Content-Length: 4612[...] BKC2gk1phpX990RYdzgk[...]Upgrade-Insecure-Requests: 1[...]Connection: Keep-Alive[...]User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/ Firefox/75.0[...]Accept-Encoding: gzip, deflate[...]referer: /cWiWwLbvic73YJJH/[...]Accept-Language: en-us,en;q=0.5[...]cache-control: no-cache tcp : > :49165 Content-Type: text/html; charset=utf-8[...]server: nginx[...]vary: Accept-Encoding[...]Content-Length: 2324[...]Date: Sun, 17 Jan :51:54 GMT[...]Connection: Keep-Alive[...]HTTP/ OK tcp : > :7080 Content-Type: application/octet-stream[...]content-type: multipart/form-data; boundary= aj29e2yecsm6r[...]accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8[...]post /Cl9A0nWPh/R9Zz4k/ HTTP/1.1[...]Accept-Encoding: gzip, deflate[...]host: :7080[...]Content-Length: 4612[...] AJ29E2YEcsM6r[...] AJ29E2YEcsM6r--[...]Referer: /Cl9A0nWPh/R9Zz4k/[...]Upgrade-Insecure-Requests: 1[...]Content-Disposition: form-data; name="vtizvdpvidair"; filename="ndcuuhhgufxhn"[...]user-agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/ Firefox/75.0[...]Connection: Keep-Alive[...]Accept-Language: en-us,en;q=0.5[...]cache-control: no-cache tcp : > :49166 Content-Type: text/html; charset=utf-8[...]server: nginx[...]vary: Accept-Encoding[...]Content-Length: 3636[...]HTTP/ OK[...]Connection: Keep-Alive[...]Date: Sun, 17 Jan :05:30 GMT udp : > :5353 DESKTOP-JSQ36OS

10 Full strings list The following list it's a collection of all the strings found in the sample's modules (unpacked modules too) code or data.!this program cannot be run in DOS mode. Nj(tm=\\3k8u= =%<+yqe}\\b3f

11 Threads behaviour In this section it's possible to find information about sample's threads, such as the actions performed by each sample's thread ordered chronologically. No threads found

12 Network by processes The analysis environment tries to capture and collect network actions performed by sample's threads. No processes with network events found

13 Unpacked or injected modules In this section it's possible to find information about sample's modules, such as the rich signatures and strings Module 1 (probably unpacked / injected by the sample) Module 1 rich signatures 44616e d52df d79e d79de00 Module 1 strings Module 1 most interesting strings!this program cannot be run in DOS mode. Nj(tm=\\3k8u= Module 1 other strings No strings found =%<+yqe}\\b3f Module 2 (probably unpacked / injected by the sample) Module 2 rich signatures 44616e d52df d79e d79de00 Module 2 strings Module 2 most interesting strings!this program cannot be run in DOS mode. Module 2 other strings No strings found No strings found

14 Extra Information Recovered In this section there is additional information recovered by platform plugins

15 Configs Recovered In this section there are malware configs recovered by platform plugins CnC : : : : : : : : : : : : : : : : : : : : : : :80

16 : : : : : : : : : : : : : : : : : : : : : : : : :8080

17 : : : : : : : : : : : : : : : : : : : : : : : : : :8080

18 : : : : : : : : : : : : : : : : : : : : : :8080