emotet | c1ad53643f650c43905e3c944fe4c0299a93aafc419c8344eebc7f523f525487

General

Target

4b3ed36c5debd8c3a0fe511faab8c523_JaffaCakes118.exe
Size

129KB
MD5

4b3ed36c5debd8c3a0fe511faab8c523
SHA1

6b79a9bb47815e3a7d46d24f778498c55a73e99e
SHA256

c1ad53643f650c43905e3c944fe4c0299a93aafc419c8344eebc7f523f525487
SHA512

e4a05cac21d02b460e69ba2255412c09da7cf8c2744992e3727e413b836df38b61073380fa8b546794df8326b086b4b7c05d6e17ac75d00e25673ff4504b0c18
SSDEEP

3072:cIfHEs4E0dK0jYVa4/lCWQe2ji6W+q1s+2:c4ks4E0o00VaMavW+b

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
648	4b3ed36c5debd8c3a0fe511faab8c523_JaffaCakes118.exe
648	4b3ed36c5debd8c3a0fe511faab8c523_JaffaCakes118.exe
1280	4b3ed36c5debd8c3a0fe511faab8c523_JaffaCakes118.exe
1280	4b3ed36c5debd8c3a0fe511faab8c523_JaffaCakes118.exe
2028	montanawcf.exe
2028	montanawcf.exe
1052	montanawcf.exe
1052	montanawcf.exe
1052	montanawcf.exe
1052	montanawcf.exe
1052	montanawcf.exe
1052	montanawcf.exe
1052	montanawcf.exe
1052	montanawcf.exe
1052	montanawcf.exe
1052	montanawcf.exe
1052	montanawcf.exe
1052	montanawcf.exe
1052	montanawcf.exe
1052	montanawcf.exe
1052	montanawcf.exe
1052	montanawcf.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1280	4b3ed36c5debd8c3a0fe511faab8c523_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 1280	648	4b3ed36c5debd8c3a0fe511faab8c523_JaffaCakes118.exe	90
PID 648 wrote to memory of 1280	648	4b3ed36c5debd8c3a0fe511faab8c523_JaffaCakes118.exe	90
PID 648 wrote to memory of 1280	648	4b3ed36c5debd8c3a0fe511faab8c523_JaffaCakes118.exe	90
PID 2028 wrote to memory of 1052	2028	montanawcf.exe	92
PID 2028 wrote to memory of 1052	2028	montanawcf.exe	92
PID 2028 wrote to memory of 1052	2028	montanawcf.exe	92

C:\Users\Admin\AppData\Local\Temp\4b3ed36c5debd8c3a0fe511faab8c523_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b3ed36c5debd8c3a0fe511faab8c523_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Local\Temp\4b3ed36c5debd8c3a0fe511faab8c523_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4b3ed36c5debd8c3a0fe511faab8c523_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:1280

C:\Windows\SysWOW64\montanawcf.exe
"C:\Windows\SysWOW64\montanawcf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\montanawcf.exe
  "C:\Windows\SysWOW64\montanawcf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/648-0-0x0000000000E40000-0x0000000000E64000-memory.dmp

Filesize
144KB

Download
memory/648-2-0x0000000000D80000-0x0000000000D96000-memory.dmp

Filesize
88KB

Download
memory/648-6-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

Filesize
88KB

Download
memory/648-1-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

Filesize
88KB

Download
memory/648-7-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/648-16-0x0000000000E40000-0x0000000000E64000-memory.dmp

Filesize
144KB

Download
memory/648-17-0x0000000000D80000-0x0000000000D96000-memory.dmp

Filesize
88KB

Download
memory/1052-36-0x0000000001C90000-0x0000000001CA6000-memory.dmp

Filesize
88KB

Download
memory/1052-25-0x0000000001CB0000-0x0000000001CC6000-memory.dmp

Filesize
88KB

Download
memory/1052-29-0x0000000001CB0000-0x0000000001CC6000-memory.dmp

Filesize
88KB

Download
memory/1052-30-0x0000000001C90000-0x0000000001CA6000-memory.dmp

Filesize
88KB

Download
memory/1052-31-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/1280-9-0x0000000000990000-0x00000000009A6000-memory.dmp

Filesize
88KB

Download
memory/1280-13-0x0000000000990000-0x00000000009A6000-memory.dmp

Filesize
88KB

Download
memory/1280-8-0x0000000000E40000-0x0000000000E64000-memory.dmp

Filesize
144KB

Download
memory/1280-15-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/1280-34-0x0000000000E40000-0x0000000000E64000-memory.dmp

Filesize
144KB

Download
memory/1280-35-0x0000000000970000-0x0000000000986000-memory.dmp

Filesize
88KB

Download
memory/1280-14-0x0000000000970000-0x0000000000986000-memory.dmp

Filesize
88KB

Download
memory/2028-18-0x00000000009C0000-0x00000000009D6000-memory.dmp

Filesize
88KB

Download
memory/2028-32-0x0000000000E40000-0x0000000000E64000-memory.dmp

Filesize
144KB

Download
memory/2028-33-0x00000000009A0000-0x00000000009B6000-memory.dmp

Filesize
88KB

Download
memory/2028-22-0x00000000009C0000-0x00000000009D6000-memory.dmp

Filesize
88KB

Download
memory/2028-23-0x00000000009A0000-0x00000000009B6000-memory.dmp

Filesize
88KB

Download
memory/2028-24-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing