emotet | ba37182248f817bc10862b9e5c36fa9a9056de6bf86a9ef815bae88a9e080cdc

General

Target

5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe
Size

208KB
MD5

5b3349c5b75cccf73384ffb46835676d
SHA1

53a8055200dc9215e420fb1370cefb5a9ea00f9b
SHA256

ba37182248f817bc10862b9e5c36fa9a9056de6bf86a9ef815bae88a9e080cdc
SHA512

ef3da14bd74bfb7b4ee7cbbf509c3f02bf2d805cc5de8397e05e605f3eb0d766dc8258213c4afcf5d61a23ad49bd5e975c9f650e458ca807588c32c9ee376a5b
SSDEEP

3072:aGmJ9r9IV6+yJFPPEDli/G+rheQK8Z5NwlLwAdfPF5n0irmVnB4StgRJg5jpj:erXXP6ke+rcQ5aLdfX0iy1B454jp

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

uuidgenpnp.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	uuidgenpnp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 22 IoCs

Processes:

uuidgenpnp.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	uuidgenpnp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	uuidgenpnp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-bf-17-be-4f-1f\WpadDecisionReason = "1"	uuidgenpnp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	uuidgenpnp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-bf-17-be-4f-1f	uuidgenpnp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1B996771-5930-4F54-A2CB-E36C83FC5941}\12-bf-17-be-4f-1f	uuidgenpnp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	uuidgenpnp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	uuidgenpnp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1B996771-5930-4F54-A2CB-E36C83FC5941}\WpadDecisionTime = 70866f6927aada01	uuidgenpnp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1B996771-5930-4F54-A2CB-E36C83FC5941}\WpadNetworkName = "Network 3"	uuidgenpnp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1B996771-5930-4F54-A2CB-E36C83FC5941}\WpadDecisionTime = d02c4fa127aada01	uuidgenpnp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	uuidgenpnp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1B996771-5930-4F54-A2CB-E36C83FC5941}\WpadDecision = "0"	uuidgenpnp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-bf-17-be-4f-1f\WpadDecision = "0"	uuidgenpnp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-bf-17-be-4f-1f\WpadDetectedUrl	uuidgenpnp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1B996771-5930-4F54-A2CB-E36C83FC5941}\WpadDecisionReason = "1"	uuidgenpnp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-bf-17-be-4f-1f\WpadDecisionTime = 70866f6927aada01	uuidgenpnp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-bf-17-be-4f-1f\WpadDecisionTime = d02c4fa127aada01	uuidgenpnp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	uuidgenpnp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	uuidgenpnp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	uuidgenpnp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1B996771-5930-4F54-A2CB-E36C83FC5941}	uuidgenpnp.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exeuuidgenpnp.exeuuidgenpnp.exe

pid	process
1056	5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe
2076	5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe
2440	uuidgenpnp.exe
2532	uuidgenpnp.exe
2532	uuidgenpnp.exe
2532	uuidgenpnp.exe
2532	uuidgenpnp.exe
2532	uuidgenpnp.exe
2532	uuidgenpnp.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe

pid process

2076 5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe

pid	process
2076	5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exeuuidgenpnp.exe

description	pid	process	target process
PID 1056 wrote to memory of 2076	1056	5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe	5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe
PID 1056 wrote to memory of 2076	1056	5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe	5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe
PID 1056 wrote to memory of 2076	1056	5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe	5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe
PID 1056 wrote to memory of 2076	1056	5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe	5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe
PID 2440 wrote to memory of 2532	2440	uuidgenpnp.exe	uuidgenpnp.exe
PID 2440 wrote to memory of 2532	2440	uuidgenpnp.exe	uuidgenpnp.exe
PID 2440 wrote to memory of 2532	2440	uuidgenpnp.exe	uuidgenpnp.exe
PID 2440 wrote to memory of 2532	2440	uuidgenpnp.exe	uuidgenpnp.exe

C:\Users\Admin\AppData\Local\Temp\5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\Temp\5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b3349c5b75cccf73384ffb46835676d_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2076

C:\Windows\SysWOW64\uuidgenpnp.exe
"C:\Windows\SysWOW64\uuidgenpnp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\uuidgenpnp.exe
"C:\Windows\SysWOW64\uuidgenpnp.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-7-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/1056-16-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/1056-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1056-1-0x00000000002A0000-0x00000000002BA000-memory.dmp

Filesize
104KB

Download
memory/1056-5-0x00000000002A0000-0x00000000002BA000-memory.dmp

Filesize
104KB

Download
memory/1056-17-0x0000000001BD0000-0x0000000001C06000-memory.dmp

Filesize
216KB

Download
memory/1056-6-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/2076-12-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/2076-8-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/2076-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2076-14-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/2076-15-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/2076-34-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/2440-31-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/2440-24-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/2440-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2532-29-0x0000000000290000-0x00000000002AA000-memory.dmp

Filesize
104KB

Download
memory/2532-25-0x0000000000290000-0x00000000002AA000-memory.dmp

Filesize
104KB

Download
memory/2532-32-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2532-30-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/2532-35-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads