emotet | e2c91d242f90bf3995e997ca10d4cff3857060e83297261d9a172ecd7548dfae

General

Target

5644109d6059243423970addcbf08a51_JaffaCakes118.exe
Size

212KB
MD5

5644109d6059243423970addcbf08a51
SHA1

9551f1eb218352e81048e8f5ad25ffa882e1b3f5
SHA256

e2c91d242f90bf3995e997ca10d4cff3857060e83297261d9a172ecd7548dfae
SHA512

dd011d99b5efe68928573eecdce977c7b9bbb89400d0fc066ab6dfc32a607d080f4991ab60f786c5d8d33ce1d2f3e54a9c3ebcf38b05b97120f54aa95464ded6
SSDEEP

6144:st2cIO6qzfzNrZclqpz9OWKMN+yt4gRLzUqaN0Q:g3+wEOZza

Score

10^/10

emotet epoch3 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

83.169.33.157:8080

222.239.249.166:443

217.26.163.82:7080

91.205.173.54:8080

5.189.148.98:8080

187.177.155.123:990

172.245.13.50:8080

193.34.144.138:8080

119.159.150.176:443

143.95.101.72:8080

191.100.24.201:50000

139.162.185.116:443

195.201.56.68:7080

23.253.207.142:8080

192.163.221.191:8080

162.144.46.90:8080

103.205.177.229:80

190.189.79.73:80

163.172.97.112:8080

138.197.140.163:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

chunkermonthly.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	chunkermonthly.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	chunkermonthly.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	chunkermonthly.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	chunkermonthly.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

chunkermonthly.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	chunkermonthly.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	chunkermonthly.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	chunkermonthly.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

chunkermonthly.exe

pid	process
1720	chunkermonthly.exe
1720	chunkermonthly.exe
1720	chunkermonthly.exe
1720	chunkermonthly.exe
1720	chunkermonthly.exe
1720	chunkermonthly.exe
1720	chunkermonthly.exe
1720	chunkermonthly.exe
1720	chunkermonthly.exe
1720	chunkermonthly.exe
1720	chunkermonthly.exe
1720	chunkermonthly.exe
1720	chunkermonthly.exe
1720	chunkermonthly.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

5644109d6059243423970addcbf08a51_JaffaCakes118.exe

pid process

232 5644109d6059243423970addcbf08a51_JaffaCakes118.exe

pid	process
232	5644109d6059243423970addcbf08a51_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5644109d6059243423970addcbf08a51_JaffaCakes118.exechunkermonthly.exe

description	pid	process	target process
PID 5012 wrote to memory of 232	5012	5644109d6059243423970addcbf08a51_JaffaCakes118.exe	5644109d6059243423970addcbf08a51_JaffaCakes118.exe
PID 5012 wrote to memory of 232	5012	5644109d6059243423970addcbf08a51_JaffaCakes118.exe	5644109d6059243423970addcbf08a51_JaffaCakes118.exe
PID 5012 wrote to memory of 232	5012	5644109d6059243423970addcbf08a51_JaffaCakes118.exe	5644109d6059243423970addcbf08a51_JaffaCakes118.exe
PID 3736 wrote to memory of 1720	3736	chunkermonthly.exe	chunkermonthly.exe
PID 3736 wrote to memory of 1720	3736	chunkermonthly.exe	chunkermonthly.exe
PID 3736 wrote to memory of 1720	3736	chunkermonthly.exe	chunkermonthly.exe

C:\Users\Admin\AppData\Local\Temp\5644109d6059243423970addcbf08a51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5644109d6059243423970addcbf08a51_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Local\Temp\5644109d6059243423970addcbf08a51_JaffaCakes118.exe
--ed366ed6
2⤵
- Suspicious behavior: RenamesItself
PID:232

C:\Windows\SysWOW64\chunkermonthly.exe
"C:\Windows\SysWOW64\chunkermonthly.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SysWOW64\chunkermonthly.exe
--b0e8d805
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\4bd2907d2e0afb20e1193e2292377f44_a47c70d8-7adc-4ad7-994f-644a8c84c176

Filesize
50B

MD5
531d9bc2297289ce9b2144d0e78e77d8

SHA1
e69557ab8db39ceea4557d322cab2ce8f4b61888

SHA256
b4c777ec60d20aced83997482ad62fa0482734cffa67f4a5bf327f5c15d93ae0

SHA512
4bd8bffea131b8b5302ffba45bf651aba71a6235bff78c08b5bad78ebe88794cba13bb6712411764b7c0e821ecca4283862dc8b243eda25f6966c3b6292df636

Download Submit
memory/232-7-0x00000000007B0000-0x00000000007C4000-memory.dmp

Filesize
80KB

Download
memory/232-19-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-21-0x00000000006D0000-0x00000000006E4000-memory.dmp

Filesize
80KB

Download
memory/1720-26-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3736-18-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5012-0-0x00000000005A0000-0x00000000005B4000-memory.dmp

Filesize
80KB

Download
memory/5012-6-0x0000000000590000-0x000000000059F000-memory.dmp

Filesize
60KB

Download
memory/5012-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads