emotet | 813d2d9ba5cc48c0b99e18bb197929be347cda5b538af172af5ac7bb3aa22de7

General

Target

57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe
Size

828KB
MD5

57bed6da02570b8f02d5347fb2ff2f26
SHA1

2ff2d8f391a3cce38cbe5be9baed0ea674863b18
SHA256

813d2d9ba5cc48c0b99e18bb197929be347cda5b538af172af5ac7bb3aa22de7
SHA512

df2b3b5abe616ffe468f9078d1a0e07c1a4023f6c0903be091d0652479583deb42e4214e870b480d454c6f129963547b803017aa595ea57f50ab1f3751b6f1e2
SSDEEP

3072:H/ozMMwmf/sPkBnntDhHUknC+Km/8wmV9c5+yfgGQAaT:H/ozMMwmfeinnhhHU0C+p/h+Egt1T

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exeappxcbgnd.exeappxcbgnd.exe

pid	process
3264	57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe
3264	57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe
4552	57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe
4552	57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe
1696	appxcbgnd.exe
1696	appxcbgnd.exe
5024	appxcbgnd.exe
5024	appxcbgnd.exe
5024	appxcbgnd.exe
5024	appxcbgnd.exe
5024	appxcbgnd.exe
5024	appxcbgnd.exe
5024	appxcbgnd.exe
5024	appxcbgnd.exe
5024	appxcbgnd.exe
5024	appxcbgnd.exe
5024	appxcbgnd.exe
5024	appxcbgnd.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe

pid process

4552 57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe

pid	process
4552	57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exeappxcbgnd.exe

description	pid	process	target process
PID 3264 wrote to memory of 4552	3264	57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe	57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe
PID 3264 wrote to memory of 4552	3264	57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe	57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe
PID 3264 wrote to memory of 4552	3264	57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe	57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe
PID 1696 wrote to memory of 5024	1696	appxcbgnd.exe	appxcbgnd.exe
PID 1696 wrote to memory of 5024	1696	appxcbgnd.exe	appxcbgnd.exe
PID 1696 wrote to memory of 5024	1696	appxcbgnd.exe	appxcbgnd.exe

C:\Users\Admin\AppData\Local\Temp\57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3264

C:\Users\Admin\AppData\Local\Temp\57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\57bed6da02570b8f02d5347fb2ff2f26_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:4552

C:\Windows\SysWOW64\appxcbgnd.exe
"C:\Windows\SysWOW64\appxcbgnd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\appxcbgnd.exe
"C:\Windows\SysWOW64\appxcbgnd.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1696-19-0x0000000000DF0000-0x0000000000E09000-memory.dmp

Filesize
100KB

Download
memory/1696-29-0x0000000000DD0000-0x0000000000DE9000-memory.dmp

Filesize
100KB

Download
memory/1696-20-0x0000000000DD0000-0x0000000000DE9000-memory.dmp

Filesize
100KB

Download
memory/1696-21-0x0000000000E10000-0x0000000000E20000-memory.dmp

Filesize
64KB

Download
memory/1696-15-0x0000000000DF0000-0x0000000000E09000-memory.dmp

Filesize
100KB

Download
memory/3264-1-0x0000000002260000-0x0000000002279000-memory.dmp

Filesize
100KB

Download
memory/3264-5-0x0000000002260000-0x0000000002279000-memory.dmp

Filesize
100KB

Download
memory/3264-6-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/3264-0-0x0000000002240000-0x0000000002259000-memory.dmp

Filesize
100KB

Download
memory/3264-14-0x0000000002240000-0x0000000002259000-memory.dmp

Filesize
100KB

Download
memory/4552-7-0x0000000000780000-0x0000000000799000-memory.dmp

Filesize
100KB

Download
memory/4552-12-0x0000000000760000-0x0000000000779000-memory.dmp

Filesize
100KB

Download
memory/4552-13-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/4552-11-0x0000000000780000-0x0000000000799000-memory.dmp

Filesize
100KB

Download
memory/4552-30-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4552-31-0x0000000000760000-0x0000000000779000-memory.dmp

Filesize
100KB

Download
memory/5024-26-0x0000000000980000-0x0000000000999000-memory.dmp

Filesize
100KB

Download
memory/5024-22-0x0000000000980000-0x0000000000999000-memory.dmp

Filesize
100KB

Download
memory/5024-28-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/5024-27-0x0000000000960000-0x0000000000979000-memory.dmp

Filesize
100KB

Download
memory/5024-32-0x0000000000960000-0x0000000000979000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing