emotet | 39cb7105e4c4346f37e37b8475593d156917615433ff6588009d708d71594c7f

General

Target

54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe
Size

312KB
MD5

54267330bcd69f6767510d1c10572a09
SHA1

dcede8210e1bd860e2f0ce87550f0d4f6e708cd7
SHA256

39cb7105e4c4346f37e37b8475593d156917615433ff6588009d708d71594c7f
SHA512

f9438ddaf67e32f7ae89fa0175a6b9390891b660ce51772894f4f63a03640f64756123929ab5b409ca44df54264048f4978fa7667d4e14b8d44f034c703a968b
SSDEEP

6144:Bph2KiYC3aZBTVItzt3QlpLV0IjLKdJr2qKiTstJ:BViYC3aZU53QuIjLKdwGgH

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

68.187.160.28:443

97.120.32.227:80

187.188.166.192:8080

144.217.117.207:8080

96.126.121.64:443

104.236.137.72:8080

85.234.143.94:8080

68.174.15.223:80

63.246.252.234:80

93.148.252.90:80

74.59.187.94:80

185.160.212.3:80

46.28.111.142:7080

183.99.239.141:80

68.129.203.162:443

144.139.56.105:80

191.183.21.190:80

81.157.234.90:8080

138.68.106.4:7080

203.130.0.69:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

shadestexas.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	shadestexas.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	shadestexas.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	shadestexas.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	shadestexas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

shadestexas.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	shadestexas.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	shadestexas.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	shadestexas.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

shadestexas.exe

pid	process
3852	shadestexas.exe
3852	shadestexas.exe
3852	shadestexas.exe
3852	shadestexas.exe
3852	shadestexas.exe
3852	shadestexas.exe
3852	shadestexas.exe
3852	shadestexas.exe
3852	shadestexas.exe
3852	shadestexas.exe
3852	shadestexas.exe
3852	shadestexas.exe
3852	shadestexas.exe
3852	shadestexas.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe

pid process

2756 54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe

pid	process
2756	54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe54267330bcd69f6767510d1c10572a09_JaffaCakes118.exeshadestexas.exeshadestexas.exe

pid	process
3400	54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe
3400	54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe
2756	54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe
2756	54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe
3796	shadestexas.exe
3796	shadestexas.exe
3852	shadestexas.exe
3852	shadestexas.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

54267330bcd69f6767510d1c10572a09_JaffaCakes118.exeshadestexas.exe

description	pid	process	target process
PID 3400 wrote to memory of 2756	3400	54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe	54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe
PID 3400 wrote to memory of 2756	3400	54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe	54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe
PID 3400 wrote to memory of 2756	3400	54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe	54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe
PID 3796 wrote to memory of 3852	3796	shadestexas.exe	shadestexas.exe
PID 3796 wrote to memory of 3852	3796	shadestexas.exe	shadestexas.exe
PID 3796 wrote to memory of 3852	3796	shadestexas.exe	shadestexas.exe

C:\Users\Admin\AppData\Local\Temp\54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3400

C:\Users\Admin\AppData\Local\Temp\54267330bcd69f6767510d1c10572a09_JaffaCakes118.exe
--78ff5825
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:2756

C:\Windows\SysWOW64\shadestexas.exe
"C:\Windows\SysWOW64\shadestexas.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\shadestexas.exe
--899cfe09
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\4bd2907d2e0afb20e1193e2292377f44_a47c70d8-7adc-4ad7-994f-644a8c84c176
Filesize
50B

MD5
531d9bc2297289ce9b2144d0e78e77d8

SHA1
e69557ab8db39ceea4557d322cab2ce8f4b61888

SHA256
b4c777ec60d20aced83997482ad62fa0482734cffa67f4a5bf327f5c15d93ae0

SHA512
4bd8bffea131b8b5302ffba45bf651aba71a6235bff78c08b5bad78ebe88794cba13bb6712411764b7c0e821ecca4283862dc8b243eda25f6966c3b6292df636

Download Submit
memory/2756-7-0x00000000026E0000-0x00000000026F7000-memory.dmp

Filesize
92KB

Download
memory/2756-18-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3400-1-0x00000000024E0000-0x00000000024F7000-memory.dmp

Filesize
92KB

Download
memory/3400-0-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3400-6-0x00000000023A0000-0x00000000023B1000-memory.dmp

Filesize
68KB

Download
memory/3796-13-0x0000000000E60000-0x0000000000E77000-memory.dmp

Filesize
92KB

Download
memory/3852-20-0x0000000000E10000-0x0000000000E27000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads