emotet | 4232da6351ca054e51aa8fd159a917dbe27e12f186d28295b9a572fd17f0d992

General

Target

5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe
Size

225KB
MD5

5d362eba33594637b6c7b064d27f4551
SHA1

548e25c52781dd1374ea8bcd89b1ebef154e872a
SHA256

4232da6351ca054e51aa8fd159a917dbe27e12f186d28295b9a572fd17f0d992
SHA512

5b64574c4700e6a0f0335be1ec10f1388411b6beb552836487e45741ffe58169c7e5d63ce3f7785ab9c332aeba75caa5bde6893f9fa0f55ff7dd9f1078fb9cbf
SSDEEP

3072:Z88NYUc1kKIHz5DrDgPU4/M2Gi/7X0xDVhGnd4JwheuHPWlqc47svQjIP73jNc:Z+N/EPGndUwx+lb4ZIPDjN

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 187.207.114.26
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc
Destination IP	187.207.114.26

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exepnpadam.exepnpadam.exe

pid	process
1240	5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe
1240	5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe
2708	5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe
2708	5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe
4720	pnpadam.exe
4720	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe
2904	pnpadam.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe

pid process

2708 5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe

pid	process
2708	5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exepnpadam.exe

description	pid	process	target process
PID 1240 wrote to memory of 2708	1240	5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe	5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe
PID 1240 wrote to memory of 2708	1240	5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe	5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe
PID 1240 wrote to memory of 2708	1240	5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe	5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe
PID 4720 wrote to memory of 2904	4720	pnpadam.exe	pnpadam.exe
PID 4720 wrote to memory of 2904	4720	pnpadam.exe	pnpadam.exe
PID 4720 wrote to memory of 2904	4720	pnpadam.exe	pnpadam.exe

C:\Users\Admin\AppData\Local\Temp\5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d362eba33594637b6c7b064d27f4551_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2708

C:\Windows\SysWOW64\pnpadam.exe
"C:\Windows\SysWOW64\pnpadam.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\pnpadam.exe
"C:\Windows\SysWOW64\pnpadam.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-20-0x0000000000A30000-0x0000000000A4A000-memory.dmp

Filesize
104KB

Download
memory/1240-42-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/1240-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1240-16-0x0000000000A30000-0x0000000000A4A000-memory.dmp

Filesize
104KB

Download
memory/1240-41-0x0000000000A10000-0x0000000000A2A000-memory.dmp

Filesize
104KB

Download
memory/1240-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2708-40-0x0000000000A20000-0x0000000000A3A000-memory.dmp

Filesize
104KB

Download
memory/2708-93-0x0000000000A00000-0x0000000000A1A000-memory.dmp

Filesize
104KB

Download
memory/2708-44-0x0000000000A00000-0x0000000000A1A000-memory.dmp

Filesize
104KB

Download
memory/2708-45-0x00000000021F0000-0x0000000002200000-memory.dmp

Filesize
64KB

Download
memory/2708-36-0x0000000000A20000-0x0000000000A3A000-memory.dmp

Filesize
104KB

Download
memory/2708-43-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2904-84-0x0000000000A70000-0x0000000000A8A000-memory.dmp

Filesize
104KB

Download
memory/2904-94-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/2904-88-0x0000000000A70000-0x0000000000A8A000-memory.dmp

Filesize
104KB

Download
memory/2904-90-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2904-89-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/4720-67-0x0000000000990000-0x00000000009AA000-memory.dmp

Filesize
104KB

Download
memory/4720-91-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4720-68-0x00000000009D0000-0x00000000009E0000-memory.dmp

Filesize
64KB

Download
memory/4720-62-0x00000000009B0000-0x00000000009CA000-memory.dmp

Filesize
104KB

Download
memory/4720-66-0x00000000009B0000-0x00000000009CA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing