emotet | ca149717d43d2a113c894b33be843a0a0e26c1364c06d933f76c4b062b750f51

General

Target

18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
Size

212KB
MD5

18d65baea8dfbee9c34c7d9b762b10b7
SHA1

e60495220d4000c6caa04be25822b80d4bfc2297
SHA256

ca149717d43d2a113c894b33be843a0a0e26c1364c06d933f76c4b062b750f51
SHA512

9c48e2b90f7f5318c9738ffa24e63e38d4b3a42c3ebb4c8fcd1ff4234c16419aefbcbdfe78c443047b883d55342009b2e0deb104534957cbed84e31d49bfbfb7
SSDEEP

3072:FizbxqLRv2ZCvA1y1t3QoqVePUQGTbgYh/XsLlCP2wc:FOq55o10JQpeJGT8Yh/X8lS2z

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

12.229.155.122:80

5.88.182.250:80

128.65.154.183:443

59.110.18.236:443

45.56.88.91:443

51.68.220.244:8080

206.81.10.215:8080

211.63.71.72:8080

171.101.153.86:990

95.128.43.213:8080

31.172.240.91:8080

167.99.105.223:7080

24.45.193.161:7080

104.131.11.150:8080

167.71.10.37:8080

104.131.44.150:8080

190.108.228.48:990

195.244.215.206:80

192.241.220.155:8080

209.97.168.52:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

netshmore.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	netshmore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

netshmore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	netshmore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	netshmore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	netshmore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	netshmore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecisionTime = 0025d1181b9fda01	netshmore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecision = "0"	netshmore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecisionReason = "1"	netshmore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	netshmore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadNetworkName = "Network 3"	netshmore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61	netshmore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecisionTime = 0025d1181b9fda01	netshmore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}	netshmore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	netshmore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecisionReason = "1"	netshmore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\d6-8e-05-c7-1d-61	netshmore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	netshmore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	netshmore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	netshmore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	netshmore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecision = "0"	netshmore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	netshmore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

netshmore.exe

pid process

2724 netshmore.exe
2724 netshmore.exe
2724 netshmore.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe

pid process

2384 18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe

pid	process
2724	netshmore.exe
2724	netshmore.exe
2724	netshmore.exe

pid	process
2384	18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exenetshmore.exenetshmore.exe

pid	process
1688	18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
2384	18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
2560	netshmore.exe
2724	netshmore.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exenetshmore.exe

description	pid	process	target process
PID 1688 wrote to memory of 2384	1688	18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe	18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
PID 1688 wrote to memory of 2384	1688	18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe	18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
PID 1688 wrote to memory of 2384	1688	18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe	18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
PID 1688 wrote to memory of 2384	1688	18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe	18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
PID 2560 wrote to memory of 2724	2560	netshmore.exe	netshmore.exe
PID 2560 wrote to memory of 2724	2560	netshmore.exe	netshmore.exe
PID 2560 wrote to memory of 2724	2560	netshmore.exe	netshmore.exe
PID 2560 wrote to memory of 2724	2560	netshmore.exe	netshmore.exe

C:\Users\Admin\AppData\Local\Temp\18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\18d65baea8dfbee9c34c7d9b762b10b7_JaffaCakes118.exe
--2d07009e
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\SysWOW64\netshmore.exe
"C:\Windows\SysWOW64\netshmore.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\netshmore.exe
--9b4f745d
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1688-0-0x0000000000350000-0x0000000000367000-memory.dmp

Filesize
92KB

Download
memory/1688-5-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/2384-6-0x0000000000300000-0x0000000000317000-memory.dmp

Filesize
92KB

Download
memory/2384-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2560-11-0x00000000003E0000-0x00000000003F7000-memory.dmp

Filesize
92KB

Download
memory/2724-17-0x0000000000920000-0x0000000000937000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads