Commit 91f77e7

author
Josh Stroschein
committed
updates readme and adds sample output from malconfscan plugin
1 parent 903b41a commit 91f77e7

File tree

2 files changed

+139
-0
lines changed


memory_dumps/emotet/README.md

Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
# Emotet Memory Dumps
2+
3+
These are full VM memory dumps provided during execution with the Cuckoo sandbox and include active Emotet process(es). Configuration files are also included and are the result of running the [MalConfScan](https://github.com/JPCERTCC/MalConfScan-with-Cuckoo) plugin with [Volatility](https://www.volatilityfoundation.org/). These dumps come from a Windows 7 SP 1 x64 machine. The hash included in the file name is from the sample that was executed.
4+
5+
## Samples
6+
7+
*The memory dumps are archived and password protected with the password: infected*
8+
9+
MD5 - ce70e4f73ec6d6f332b1104bd171b905: [VirusTotal](https://www.virustotal.com/gui/file/b829d7f1877385fdef8c2b1582955d7f6b636c8cbe9081bbba488323b6a14b81/detection) - 14/71 as of 12/06/19 14:32 CST
10+
* Due to the size of the memory dumps, they are available via download from the following [Google Drive](https://drive.google.com/file/d/1RPh4wsdC1sHmRA7A7aOfzBaRbRWEUyqL/view?usp=sharing)
11+
12+
![Sample Output](https://github.com/jstrosch/malware-samples/blob/master/memory_dumps/emotet/output_ce70e4f73ec6d6f332b1104bd171b905.png)
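Review bot: the Volatility profile needed to open these dumps is never stated. The README already says the dumps come from a Windows 7 SP1 x64 machine, so add the matching Volatility 2 profile name (Win7SP1x64) to that sentence so readers can run the MalConfScan plugin without guessing; "SP 1" should also read "SP1". Two smaller points in the same hunk: the MD5 line and the Google Drive line use different list styles (bare paragraph versus a `*` bullet), so make both bullets or neither; and the sample-output image is linked by an absolute `/blob/master/` URL, which breaks in forks and on other branches. The PNG sits in the same `memory_dumps/emotet/` directory as this README, so the relative path `output_ce70e4f73ec6d6f332b1104bd171b905.png` is enough.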
Lines changed: 127 additions & 0 deletions
@@ -0,0 +1,127 @@
1+
[+] Searching memory by Yara rules.
2+
[+] Detect malware by Yara rules.
3+
[+] Process Name : rdsipmi.exeexe
4+
[+] Process ID : 2976
5+
[+] Malware name : Emotet
6+
[+] Base Address(VAD) : 0x330000
7+
[+] Size : 0x11000
8+
----------------------------------------------------------------------
9+
Process: rdsipmi.exeexe (2976)
10+
11+
[Config Info]
12+
RSA Public Key : -----BEGIN PUBLIC KEY-----
13+
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6
14+
bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK
15+
LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB
16+
-----END PUBLIC KEY-----
17+
IP 0 : 107.2.2.28:80
18+
IP 1 : 12.229.155.122:80
19+
IP 2 : 108.191.2.72:80
20+
IP 3 : 108.179.206.219:8080
21+
IP 4 : 59.110.18.236:443
22+
IP 5 : 45.56.88.91:443
23+
IP 6 : 206.81.10.215:8080
24+
IP 7 : 182.176.132.213:8090
25+
IP 8 : 212.64.171.206:80
26+
IP 9 : 87.230.19.21:8080
27+
IP 10 : 80.11.163.139:21
28+
IP 11 : 212.186.191.177:80
29+
IP 12 : 192.81.213.192:8080
30+
IP 13 : 45.33.49.124:443
31+
IP 14 : 190.53.135.159:21
32+
IP 15 : 91.242.138.5:80
33+
IP 16 : 91.73.197.90:80
34+
IP 17 : 165.228.24.197:80
35+
IP 18 : 37.157.194.134:443
36+
IP 19 : 50.116.86.205:8080
37+
IP 20 : 101.187.134.207:443
38+
IP 21 : 59.103.164.174:80
39+
IP 22 : 159.65.25.128:8080
40+
IP 23 : 116.48.142.21:443
41+
IP 24 : 120.150.246.241:80
42+
IP 25 : 24.45.193.161:7080
43+
IP 26 : 185.159.102.74:80
44+
IP 27 : 86.98.156.239:443
45+
IP 28 : 149.202.153.252:8080
46+
IP 29 : 67.225.179.64:8080
47+
IP 30 : 108.191.2.72:80
48+
IP 31 : 164.68.101.171:80
49+
IP 32 : 31.172.240.91:8080
50+
IP 33 : 45.51.40.140:80
51+
IP 34 : 173.70.81.77:80
52+
IP 35 : 178.209.71.63:8080
53+
IP 36 : 104.131.11.150:8080
54+
IP 37 : 91.231.166.126:8080
55+
IP 38 : 212.129.24.79:8080
56+
IP 39 : 176.106.183.253:8080
57+
IP 40 : 70.175.171.251:80
58+
IP 41 : 169.239.182.217:8080
59+
IP 42 : 200.71.148.138:8080
60+
IP 43 : 217.160.182.191:8080
61+
IP 44 : 101.187.247.29:80
62+
IP 45 : 165.227.156.155:443
63+
IP 46 : 183.102.238.69:465
64+
IP 47 : 92.222.216.44:8080
65+
IP 48 : 95.128.43.213:8080
66+
IP 49 : 139.130.241.252:443
67+
IP 50 : 173.13.135.102:80
68+
IP 51 : 80.21.182.46:80
69+
IP 52 : 189.209.217.49:80
70+
IP 53 : 80.29.54.20:80
71+
IP 54 : 192.241.255.77:8080
72+
IP 55 : 181.31.213.158:8080
73+
IP 56 : 78.24.219.147:8080
74+
IP 57 : 186.75.241.230:80
75+
IP 58 : 201.184.105.242:443
76+
IP 59 : 70.175.171.251:80
77+
IP 60 : 211.63.71.72:8080
78+
IP 61 : 5.196.74.210:8080
79+
IP 62 : 107.2.2.28:80
80+
IP 63 : 209.97.168.52:8080
81+
IP 64 : 31.12.67.62:7080
82+
IP 65 : 31.31.77.83:443
83+
IP 66 : 87.106.136.232:8080
84+
IP 67 : 206.189.112.148:8080
85+
IP 68 : 45.51.40.140:80
86+
IP 69 : 110.142.38.16:80
87+
IP 70 : 91.187.80.246:80
88+
IP 71 : 173.212.203.26:8080
89+
IP 72 : 190.12.119.180:443
90+
IP 73 : 104.131.44.150:8080
91+
IP 74 : 195.244.215.206:80
92+
IP 75 : 138.201.140.110:8080
93+
IP 76 : 181.143.194.138:443
94+
IP 77 : 190.226.44.20:21
95+
IP 78 : 167.99.105.223:7080
96+
IP 79 : 200.7.243.108:443
97+
IP 80 : 12.229.155.122:80
98+
IP 81 : 190.147.215.53:22
99+
IP 82 : 201.173.217.124:443
100+
IP 83 : 178.210.51.222:8080
101+
IP 84 : 118.201.230.249:80
102+
IP 85 : 107.170.24.125:8080
103+
IP 86 : 87.106.139.101:8080
104+
IP 87 : 197.254.221.174:80
105+
IP 88 : 93.147.141.5:80
106+
IP 89 : 190.56.255.118:80
107+
IP 90 : 47.50.251.130:80
108+
IP 91 : 104.236.246.93:8080
109+
IP 92 : 167.114.242.226:8080
110+
IP 93 : 5.88.182.250:80
111+
IP 94 : 83.136.245.190:8080
112+
IP 95 : 181.57.193.14:80
113+
IP 96 : 91.205.215.66:8080
114+
IP 97 : 47.50.251.130:80
115+
IP 98 : 188.152.7.140:80
116+
IP 99 : 46.105.131.87:80
117+
IP 100 : 128.65.154.183:443
118+
IP 101 : 167.71.10.37:8080
119+
IP 102 : 58.171.42.66:8080
120+
IP 103 : 190.108.228.48:990
121+
IP 104 : 176.31.200.130:8080
122+
IP 105 : 1.33.230.137:80
123+
IP 106 : 144.139.247.220:80
124+
IP 107 : 210.6.85.121:80
125+
IP 108 : 92.186.52.193:80
126+
IP 109 : 62.75.187.192:8080
127+
IP 110 : 190.211.207.11:443
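Review bot: the extracted C2 list contains repeated entries, so anyone turning this file into a blocklist or detection rule should dedupe it first, and the README should say the file is the plugin's raw, unfiltered output. Examples from this hunk are `IP 0 : 107.2.2.28:80` and `IP 62 : 107.2.2.28:80`, `IP 1 : 12.229.155.122:80` and `IP 80 : 12.229.155.122:80`, `IP 2 : 108.191.2.72:80` and `IP 30 : 108.191.2.72:80`; 70.175.171.251:80, 45.51.40.140:80 and 47.50.251.130:80 are likewise listed twice. Also worth a line of explanation: the process name prints as `rdsipmi.exeexe`, which looks like a concatenation artefact in the plugin's output rather than the real image name. Confirm it against the pslist output for the same PID (2976) and note the discrepancy so readers do not go looking for a process that does not exist.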
