emotet | 20dec98c8003e986251cc8a765a931783203ec75eae436e9df2248a465321e53

General

Target

5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
Size

104KB
MD5

5490b40342e869fb0b621a9c4b2e0a11
SHA1

6eec66c6741f91044cb98427668f5053c8333935
SHA256

20dec98c8003e986251cc8a765a931783203ec75eae436e9df2248a465321e53
SHA512

60c228e1a2e2a815097875bb4348d544d5a5811627536df7b7bb4a911614cceb19f60c0a653caff10e22ca808f5f31291d18c4d90a6b384a6d65d549de5d1760
SSDEEP

3072:OYcqg5+ubStuLf4baKqEliMvS7mBNOL8hY:OZ+84xbO7MvSSBNO

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

loaderrouted.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	loaderrouted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 19 IoCs

Processes:

loaderrouted.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	loaderrouted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0033000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	loaderrouted.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-74-31-ab-04-6f\WpadDecisionReason = "1"	loaderrouted.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-74-31-ab-04-6f	loaderrouted.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	loaderrouted.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	loaderrouted.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}	loaderrouted.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}\WpadDecisionReason = "1"	loaderrouted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}\WpadDecisionTime = 10c6cce519a9da01	loaderrouted.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}\WpadDecision = "0"	loaderrouted.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}\WpadNetworkName = "Network 3"	loaderrouted.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}\36-74-31-ab-04-6f	loaderrouted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-74-31-ab-04-6f\WpadDecisionTime = 10c6cce519a9da01	loaderrouted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	loaderrouted.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	loaderrouted.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-74-31-ab-04-6f\WpadDecision = "0"	loaderrouted.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	loaderrouted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	loaderrouted.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-74-31-ab-04-6f\WpadDetectedUrl	loaderrouted.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exeloaderrouted.exeloaderrouted.exe

pid	process
2132	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
1184	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
3048	loaderrouted.exe
2660	loaderrouted.exe
2660	loaderrouted.exe
2660	loaderrouted.exe
2660	loaderrouted.exe
2660	loaderrouted.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe

pid process

1184 5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe

pid	process
1184	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exeloaderrouted.exe

description	pid	process	target process
PID 2132 wrote to memory of 1184	2132	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
PID 2132 wrote to memory of 1184	2132	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
PID 2132 wrote to memory of 1184	2132	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
PID 2132 wrote to memory of 1184	2132	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
PID 3048 wrote to memory of 2660	3048	loaderrouted.exe	loaderrouted.exe
PID 3048 wrote to memory of 2660	3048	loaderrouted.exe	loaderrouted.exe
PID 3048 wrote to memory of 2660	3048	loaderrouted.exe	loaderrouted.exe
PID 3048 wrote to memory of 2660	3048	loaderrouted.exe	loaderrouted.exe

C:\Users\Admin\AppData\Local\Temp\5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:1184

C:\Windows\SysWOW64\loaderrouted.exe
"C:\Windows\SysWOW64\loaderrouted.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\loaderrouted.exe
"C:\Windows\SysWOW64\loaderrouted.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1184-7-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/1184-8-0x00000000002E0000-0x00000000002F7000-memory.dmp

Filesize
92KB

Download
memory/1184-13-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1184-12-0x00000000002E0000-0x00000000002F7000-memory.dmp

Filesize
92KB

Download
memory/1184-30-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/1184-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2132-4-0x0000000000280000-0x0000000000297000-memory.dmp

Filesize
92KB

Download
memory/2132-6-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2132-5-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/2132-0-0x0000000000280000-0x0000000000297000-memory.dmp

Filesize
92KB

Download
memory/2660-26-0x0000000000390000-0x00000000003A7000-memory.dmp

Filesize
92KB

Download
memory/2660-25-0x00000000003B0000-0x00000000003C7000-memory.dmp

Filesize
92KB

Download
memory/2660-21-0x00000000003B0000-0x00000000003C7000-memory.dmp

Filesize
92KB

Download
memory/2660-27-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2660-31-0x0000000000390000-0x00000000003A7000-memory.dmp

Filesize
92KB

Download
memory/3048-20-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/3048-19-0x00000000004E0000-0x00000000004F7000-memory.dmp

Filesize
92KB

Download
memory/3048-28-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/3048-15-0x00000000004E0000-0x00000000004F7000-memory.dmp

Filesize
92KB

Download
memory/3048-14-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads