emotet | 68be6df3ac4818f4729e98076302a3e6a9b22937aeaccb87811f8130ec0e8543

General

Target

56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe
Size

264KB
MD5

56f4c33a916bc90c16924e3337446afb
SHA1

1cf81fd1bb6050d910c4895197d400eedc0cfbf0
SHA256

68be6df3ac4818f4729e98076302a3e6a9b22937aeaccb87811f8130ec0e8543
SHA512

531e31ef8f4c41eabd822239f08ba5f4a7c99996013902d8a99ff89fd3c3a21fcc4428e5824a2c7bb739e4a35c47ee1f0c68485c82bc0bd0fd4c2e3a14f022c7
SSDEEP

3072:ZcTRLEJ3Hcq2ZOzmjBiQyqPPJ8wxsdOqsJ3MBTyvr:iT+3HSLjB+6OOqsJMBmj

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

genralwscapi.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	genralwscapi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	genralwscapi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	genralwscapi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	genralwscapi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

genralwscapi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	genralwscapi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	genralwscapi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	genralwscapi.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exegenralwscapi.exegenralwscapi.exe

pid	process
3208	56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe
3208	56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe
1928	56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe
1928	56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe
3068	genralwscapi.exe
3068	genralwscapi.exe
3036	genralwscapi.exe
3036	genralwscapi.exe
3036	genralwscapi.exe
3036	genralwscapi.exe
3036	genralwscapi.exe
3036	genralwscapi.exe
3036	genralwscapi.exe
3036	genralwscapi.exe
3036	genralwscapi.exe
3036	genralwscapi.exe
3036	genralwscapi.exe
3036	genralwscapi.exe
3036	genralwscapi.exe
3036	genralwscapi.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe

pid process

1928 56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe

pid	process
1928	56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exegenralwscapi.exe

description	pid	process	target process
PID 3208 wrote to memory of 1928	3208	56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe	56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe
PID 3208 wrote to memory of 1928	3208	56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe	56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe
PID 3208 wrote to memory of 1928	3208	56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe	56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe
PID 3068 wrote to memory of 3036	3068	genralwscapi.exe	genralwscapi.exe
PID 3068 wrote to memory of 3036	3068	genralwscapi.exe	genralwscapi.exe
PID 3068 wrote to memory of 3036	3068	genralwscapi.exe	genralwscapi.exe

C:\Users\Admin\AppData\Local\Temp\56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3208

C:\Users\Admin\AppData\Local\Temp\56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56f4c33a916bc90c16924e3337446afb_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:1928

C:\Windows\SysWOW64\genralwscapi.exe
"C:\Windows\SysWOW64\genralwscapi.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\genralwscapi.exe
"C:\Windows\SysWOW64\genralwscapi.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1928-31-0x0000000002060000-0x000000000206D000-memory.dmp

Filesize
52KB

Download
memory/1928-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1928-11-0x00000000020A0000-0x00000000020AD000-memory.dmp

Filesize
52KB

Download
memory/1928-13-0x00000000020B0000-0x00000000020C0000-memory.dmp

Filesize
64KB

Download
memory/1928-12-0x0000000002060000-0x000000000206D000-memory.dmp

Filesize
52KB

Download
memory/1928-7-0x00000000020A0000-0x00000000020AD000-memory.dmp

Filesize
52KB

Download
memory/3036-28-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/3036-32-0x0000000000D20000-0x0000000000D2D000-memory.dmp

Filesize
52KB

Download
memory/3036-27-0x0000000000D20000-0x0000000000D2D000-memory.dmp

Filesize
52KB

Download
memory/3068-15-0x0000000000D60000-0x0000000000D6D000-memory.dmp

Filesize
52KB

Download
memory/3068-21-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/3068-20-0x0000000000460000-0x000000000046D000-memory.dmp

Filesize
52KB

Download
memory/3068-19-0x0000000000D60000-0x0000000000D6D000-memory.dmp

Filesize
52KB

Download
memory/3068-29-0x0000000000460000-0x000000000046D000-memory.dmp

Filesize
52KB

Download
memory/3208-0-0x00000000021F0000-0x00000000021FD000-memory.dmp

Filesize
52KB

Download
memory/3208-14-0x0000000000530000-0x000000000053D000-memory.dmp

Filesize
52KB

Download
memory/3208-5-0x0000000000530000-0x000000000053D000-memory.dmp

Filesize
52KB

Download
memory/3208-6-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/3208-4-0x00000000021F0000-0x00000000021FD000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads