emotet | faf13561d39bb0be0eff6ca76605a1b90ed202d4784847c8337c10118e3aea94

General

Target

54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe
Size

140KB
MD5

54ed02b161c49720c2409382caa8b873
SHA1

dbb8937a07a077ddddff013dfa3462f9c4f785b6
SHA256

faf13561d39bb0be0eff6ca76605a1b90ed202d4784847c8337c10118e3aea94
SHA512

c79850a897510677a5c3b2204d6c2f40fa0f5b6e7c088d1ad8cd49231ccc095d5aa4a73ca6c69afe3341e42b7fba08caaf45b8805ad6cacab6a4fdd076b8bb12
SSDEEP

1536:x5L2S76evqFc7tOqvys8vjTbm3IG0QTDf8CXbxN/e2xuLDb2wrmYrgEVow:vN7hvImSs8LTbm3oQPf3n/b0n5m0Vow

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

routerroyale.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	routerroyale.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 19 IoCs

Processes:

routerroyale.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	routerroyale.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{11E9293E-A4D7-48DC-B5DE-6E9D8FF017F5}	routerroyale.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{11E9293E-A4D7-48DC-B5DE-6E9D8FF017F5}\WpadDecision = "0"	routerroyale.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{11E9293E-A4D7-48DC-B5DE-6E9D8FF017F5}\WpadNetworkName = "Network 3"	routerroyale.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	routerroyale.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	routerroyale.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	routerroyale.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	routerroyale.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	routerroyale.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{11E9293E-A4D7-48DC-B5DE-6E9D8FF017F5}\WpadDecisionTime = d0421bda26a9da01	routerroyale.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f6-bf-44-47-65\WpadDecision = "0"	routerroyale.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f6-bf-44-47-65	routerroyale.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{11E9293E-A4D7-48DC-B5DE-6E9D8FF017F5}\82-f6-bf-44-47-65	routerroyale.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f6-bf-44-47-65\WpadDecisionTime = d0421bda26a9da01	routerroyale.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f6-bf-44-47-65\WpadDecisionReason = "1"	routerroyale.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f6-bf-44-47-65\WpadDetectedUrl	routerroyale.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	routerroyale.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	routerroyale.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{11E9293E-A4D7-48DC-B5DE-6E9D8FF017F5}\WpadDecisionReason = "1"	routerroyale.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe54ed02b161c49720c2409382caa8b873_JaffaCakes118.exerouterroyale.exerouterroyale.exe

pid	process
2912	54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe
2020	54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe
2692	routerroyale.exe
1764	routerroyale.exe
1764	routerroyale.exe
1764	routerroyale.exe
1764	routerroyale.exe
1764	routerroyale.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe

pid process

2020 54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe

pid	process
2020	54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

54ed02b161c49720c2409382caa8b873_JaffaCakes118.exerouterroyale.exe

description	pid	process	target process
PID 2912 wrote to memory of 2020	2912	54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe	54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe
PID 2912 wrote to memory of 2020	2912	54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe	54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe
PID 2912 wrote to memory of 2020	2912	54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe	54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe
PID 2912 wrote to memory of 2020	2912	54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe	54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe
PID 2692 wrote to memory of 1764	2692	routerroyale.exe	routerroyale.exe
PID 2692 wrote to memory of 1764	2692	routerroyale.exe	routerroyale.exe
PID 2692 wrote to memory of 1764	2692	routerroyale.exe	routerroyale.exe
PID 2692 wrote to memory of 1764	2692	routerroyale.exe	routerroyale.exe

C:\Users\Admin\AppData\Local\Temp\54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\54ed02b161c49720c2409382caa8b873_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2020

C:\Windows\SysWOW64\routerroyale.exe
"C:\Windows\SysWOW64\routerroyale.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\routerroyale.exe
"C:\Windows\SysWOW64\routerroyale.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1764-28-0x0000000000A90000-0x0000000000AA6000-memory.dmp

Filesize
88KB

Download
memory/1764-40-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/1764-32-0x0000000000A90000-0x0000000000AA6000-memory.dmp

Filesize
88KB

Download
memory/1764-36-0x0000000000AB0000-0x0000000000AD0000-memory.dmp

Filesize
128KB

Download
memory/1764-39-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/2020-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2020-16-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/2020-12-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/2020-20-0x00000000003A0000-0x00000000003C0000-memory.dmp

Filesize
128KB

Download
memory/2020-38-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download
memory/2020-18-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download
memory/2692-22-0x00000000003A0000-0x00000000003B6000-memory.dmp

Filesize
88KB

Download
memory/2692-26-0x00000000003A0000-0x00000000003B6000-memory.dmp

Filesize
88KB

Download
memory/2692-35-0x0000000000430000-0x0000000000454000-memory.dmp

Filesize
144KB

Download
memory/2692-34-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/2692-33-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download
memory/2912-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-9-0x0000000002240000-0x0000000002264000-memory.dmp

Filesize
144KB

Download
memory/2912-7-0x0000000000810000-0x0000000000826000-memory.dmp

Filesize
88KB

Download
memory/2912-19-0x0000000000810000-0x0000000000826000-memory.dmp

Filesize
88KB

Download
memory/2912-8-0x0000000000850000-0x0000000000870000-memory.dmp

Filesize
128KB

Download
memory/2912-2-0x0000000000830000-0x0000000000846000-memory.dmp

Filesize
88KB

Download
memory/2912-6-0x0000000000830000-0x0000000000846000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads